Topic: Help With Checking Signature of Electrum Download (Read 1772 times)

Hi Coin-Keeper,
can you go to this thread? https://bitcointalk.org/index.php?topic=1718549.new#new

You will see there that I asked for help downloading Electrum.  Shorena kindly responded.  I told him I don't know how to use digital signatures and he referred me to a thread that theymos composed.

Okay, the SHA256 hash for Shorena's files checked out.  But I am stuck on how to verify Shorena's digital signature.  For one thing, I am assuming the digital signature he gave me is his own:


From the page he gives:


But I don't know how to find the key from that page!  Where is it?

But even if I know that it came from that page, how do I verify the signature?  I installed Kleopatra, but when I copy the signature into clipboard the choice to verify is grayed out.

GPG/PGP is my thing.  I use it alot and study it.  Mentioned above but now I'll stress.  VERIFY the published FINGERPRINTS of the keys against those in your keyring, and you can be certain you have the valid and actual key.  There is NO way to make a fake key reflect the actual fingerprint of the real key.  Mathematically impossible by any known means of computation.  Anyone that would set or establish trust to a key without verifying the fingerprints is defeating the entire reason for such encryption validation.  Assuming you have verified the fingerprints and assigned trust, what does that do for future file release signatures?  Simple.  When a file is signed by a GPG key the private keyset is required to make that signature.  If a bogus file is released the bad actor will NOT have the private keyset making their signature invalid when YOU test the signature against the proven and trusted key.  Only the actual keyset can sign a file that will pass the test against this mathematical comparison.  Once you learn this process it takes a few seconds to do the test.  A very important consideration to this verification is that MITM methods are becoming increasingly technical.  There are sites that can fool some pretty advanced users and they look so real.  As good as they are, they can't beat the math, so use the math to be sure!


This is very similar to how we verify and sign BTC addresses here.  Given a specific btc address, only the holder of the specific private key can make a genuine signature using that specific address.  Just glance at my signature and click the link if you need to visualize this.

you download the binaries from electrum.org. the public keys you grab from github. both electrum.org and github would have to be compromised for the binaries to be fake.

furthermore you can check the web of trust i..e who trusts the gpg keys of animazing, thomasv and other developers. you can see that  gpg public key fingerprints are the same as the ones specified above in this thread. there are so many different places where these things are discussed. surely they can't all be fake?

Ha that's funny.  I found this thread because I am in the same dilemma of trying to verify a developer's signature.

I'd like to know how you finally resolved this.  Thanks.

Because all these signers help establish to some degree of certainty that they are who they say they are. Especially ThomasV, the lead Electrum dev. http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&search=0x9914864DFC33499C6CA2BEEA22453004695506FD

 

... then why in the FUCK would you have a PGP signature.  Goddamit.

Yes....

Would I be right in saying then that Kleopatra has successfully checked the Electrum signature, but it can't give me the complete OK because I don't know/trust Animazing personally? 

OK, thank you for that.

It will say that as long as you haven't signed 0x695506FD, which you shouldn't do unless you've met them in person to verify they own 0x695506FD.

Hi, thanks for your help.  

I have just tried the procedure you suggested in Kleopatra.  In the Results Window I get the following message:

electrum-2.3.2-setup.exe.asc: Not enough information to check signature validity.
Signed on 2015-06-15 12:11 by animazing[at]gmail.com (Key ID: 0x695506FD).
The validity of the signature cannot be verified.

What has gone wrong, and how can I rectify it?  

Thanks

That is correct.

Download Animazing's PGP key
Open up Kleopatra and go to File > Decrypt/Verify Files ...
Select the the electrum-2.3.2-setup.exe.asc.
Check the box for detached signature.
Click the button next to the first text box and select the setup exe file.
Click Decrypt/Verify and it will verify the signature.

Hi Guys

I am a newbie trying to work out Bitcoin.  I've started this thread because I'm trying to work out how to check the signature of the Electrum Wallet Windows installer I've downloaded.  I thought I might ask for help as I go along (slowly ...)

So far I have:

- Downloaded electrum-2.3.2-setup.exe, the Windows installer

- Downloaded electrum-2.3.2-setup.exe.asc, the signature file

- Got Kleopatra installed on my computer.

The signature is signed by someone called Animazing, and I believe I have access to his public key from here:

http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&search=0x9914864DFC33499C6CA2BEEA22453004695506FD


Q1) Is this Animazing's correct public key, as given here:

http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x22453004695506FD


Q2) What is the next step?  I am guessing I have to load Animazing's public key into Kleopatra somehow, is that correct?


Thanks guys