Topic: How do I verify downloaded electrum using signature files? (Read 9324 times)

these key servers sometimes go down for different reasons. high load, DDoS maybe, or maintenance or something like that. but i have experienced downtime with pgp.mit.edu multiple times. and it is easy to check if it is up or down, just open the link like this:
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6
and you will see a warning saying it is down. (well it currently is up as i am writing this).

The first step didn't work for me. I don't now if it was because it was unable to connect to that keypool hosted on that .mit site, I had to use this:

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

Im not sure if this:

gpg --keyserver pgp.mit.edu --recv-keys 7F9470E6 would have worked? maybe you had to do use 7F9470E6 instead of 0x2BD5824B7F9470E6 or maybe it was because of the keyserver... anyhow, this is how it went:

1) download the latest .tar file on the Electrum site
2) do "gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6" on the folder which must contain the signature file + the .tar file
3) untar file
4) "python3 electrum" inside the Electrum folder, this will run Electrum live through python

That is all.

Should I use gpg4win (https://www.gpg4win.org/) to verify signature in Windows ?

tl;rl
1.sudo gpg --keyserver pgp.mit.edu --recv-keys 0x2BD5824B7F9470E6
2.sudo gpg --fingerprint 0x2BD5824B7F9470E6
3.sudo gpg --verify Electrum-3.0.3.tar.gz.asc Electrum-3.0.3.tar.gz
 are the full and correct steps to verify electrum bitcoin wallet for all those searching to verify but find nothing accurate. 

-0x2BD5824B7F9470E6 comes from https://electrum.org/#download - look for ThomasV. link top of page friends
-ensure the tar.gz and the .asc are both in the folder where you execute commandline syntax above
gpg: Good signature from "Thomas Voegtlin  should be displayed after step 3. if not then do more due diligence.

How to verify a download:
https://bitcointalksearch.org/topic/m.17346941
https://www.torproject.org/docs/verifying-signatures.html.en

I agree it is a crying shame help is not more forthcoming from experienced users, here, nor on reddit.  We appreciate ThomasV. for his contribution and dont expect him to field newbie questions - that is where the community is supposed to step up.  perhaps the donation requirement for post replies, or the negative experiences of experienced users  have had but as a community bitcoin should stop pumping and return to its roots as a community that TRIES to help.

Hi everyone, sorry to bring this up again, I'm new to bitcoin and i'm trying the following command...

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

and getting the following error:

gpg: keyserver receive failed: Server indicated a failure

Does anyone know what this means?

Thanks

Thank-you, and everyone else who has helped me.

let me translate:

gpg: i checked the signature versus the public key that you gave me which belonged to "Thomas...." and the signature checks out
gpg: but this public key (6694 D8D....) is what you gave me right now, i didn't have it in my database before. and it is not in the list of "your" trusted public keys.



if you want to get rid of that "warning" you just have to add it to your list. not sure the details of it but you basically create your own key and sign everything that you add and tell "GnuPG" that you trust these keys so that warning never shows up for those keys.
https://security.stackexchange.com/questions/147447/gpg-why-is-my-trusted-key-not-certified-with-a-trusted-signature
https://security.stackexchange.com/questions/6841/ways-to-sign-gpg-public-key-so-it-is-trusted

It is saying it is not certified by a trusted signature. This is fairly normal... it just means that none of your Trusted signatures has vouched for Thomas' signature.

PGP signatures work on a "web of trust"... for instance: Person A trusts you... You vouch for Person B... therefore Person A will trust Person B because you vouched for them. At the moment, no-one you trust (including yourself) has vouched for Thomas' signature, so you get the warning that the key is not certified... even though it is definitely the one used to sign the file (The "Good Signature" message)

PROGRESS



It says that the signature is valid now, but there is no indication that the signature belongs to the owner.  Right clicking on the link, did the trick as far being able to read the asc file. This time when I executed the command, it imported one of Thomas's keys from 2011... Not sure if that's correct, you can see exactly what happened from my command above.

Thanks again

Can you not just right click the link for the .asc file and select "save link as..."? You should be able to just save the file directly from the browser rather than copy/pasting... it is possible that you are either missing data while copy/pasting or it is screwing up the newline/carriage return characters etc...


Did you import the thomasv PUB key into your keychain? You need to make sure that you've created your own GPG keypair... and then imported his pubkey so that it can verify the file using it.

O.k.

I recopied the correct (electrum-2.9.2.dmg.asc)  signature file into a text file and tried both with a .sig and .asc ending, and still getting the same error. Originally I had accidentally had the signature file 2.9.3 which was the beta version.

gpg finds electrum-2.9.2.dmg.sig file but it appears it does not recognize it as valid Opengpg data.

Like I said, i tried both with a .sig and .asc ending. How does the [email protected] PUB key I downloaded from the key server play into this, if in anyway?

What else could I be doing wrong?



the exact procedure I am following for creating the text file is copying the entire contents of it from electrum.org and then pasting it onto textedit and saving it. then I have to rename it because it automatically puts an rtf ending.


thanks again


P.S. Could it be that I am using pgp tools and not GnuPG? Does something maybe need to be changed in the signature file, like the heading maybe?

You're right... it looks like the OP has actually copied the text from the "Windows Standalone Executable" signature file: https://download.electrum.org/2.9.3/electrum-2.9.3.exe.asc !!?!

i believe the gpg is looking for a file with a .sig or .asc type for the signature and you are giving it a .txt file containing the same thing.
try renaming the file and remove the .txt from the end:

then check with gpg

---

p.s. with a closer look your .asc file content does not look correct either.
https://download.electrum.org/2.9.2/electrum-2.9.2.dmg.asc

I have a mac and I am having trouble verifying the electrum wallet signature. I followed instructions as best as possible according to this post.


I have downloaded the [email protected] public key issued on June 14th, 2017

Key ID: 0451C3EF

Fingerprint: 2ECD 3D5B 47F6 91C4 D0C7  32EB 4A5A 7F6F 0451 C3EF


I copied all the text on the signature file from the electrum.org site and saved it as: electrum-2.9.2.dmg.asc.txt and then placed it in the same folder as electrum-2.9.2.dmg

the contents of the signature file are:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABCgAGBQJZjYhyAAoJECvVgkt/lHDmf5MP/2Qai6OUKCbG/146dRa7E6em
ZU4TqrRQofgW6Ya7hO9XG3T+5ji/5HF66/SJ+G3qNVcaJnLGL3KomN42sv52WANx
1/qeOfZckwrzC/k1AmIzR43/eaGUcC9Fr+orjz2eQlpE4qfQiijvGS6T6ZMQtJFC
axKCv0pA1VvnEMlQf+PScde/BF8wgGY43xa3pm0jrHXJu0Tbtl3JvuDrh9sI1Zan
fhjV7OldtOijNmvj0mAGbvuSjZKN3Pf3VKHD1acGQ92Owj19j/MB9lgesbrygvvk
7fX+9Lw9yl9BK9JD0xTnhrNTRZvVLp4fKskAF6KfhkJjm+bm+m+p/WTp1IfrywXY
CYx/GD6ZbSqrwnq7sEUhVaaLQC33G97Lwu1Jmsm8fu5iy+QcE7kCa+Pu9C8kv1e4
zwVK/kiyHQSY8m506GgrJhtfODmeTloryUNterKoFaRjuN9bRPxotr85QdhVy4Ci
PoWW8+tHttmHsLfF9CtcmYkzSSYyB+HsTSvhkgs/Rl4zJ2526Xw4i10scfD0dhar
ikk8OONbYFWO0LJSgakqcezhYgGqMiyw7jXMS+II1QSvCHDgpCpnLekoYclH/lo/
Kdzq/OwUdm3peh39hggy5LwciC3OXG9EslhNlP6HqK9rg1AAsGGAoIr+jpbmRBqD
577hMthTTwWAlU9B0nke
=YtfS
-----END PGP SIGNATURE-----

then in terminal I exectued the following command:



here is the output i got:



Can anyone tell me what I am doing wrong.


Thank-you in advance

Stop replying to my posts, teen-ager.

I am not talking about myself, but all future visitors to electrum. Bitcoin's not worth $200 any more, and people who put their $$ into btc wallets deserve to understand better what they are supposed to do.

Don't answer my posts anymore Margarine. I need to hear from people whose minds have been on this planet longer than 16 years.

Stop pretending you don't know what operating system your computer runs.

http://lmgtfy.com/?q=electrum+signature

Listen Butterball. I don't know if you're actually 16, or only post with the sophistication of a teen-ager.

But someone who uses the internet only as an end user, goes to a few interent pages at their desktop computer, maybe downloads a program once or twice a year to their hard drive, well maybe one day this person decides to join the crypto enthusiasts and buys some bitcoin. He/she deposits bitcoin at an exchange, and then reads several people warning to get their coins off exchanges, maybe buy a  hardware wallet, or download Electrum to their hard drive so they can control their private keys.

So this person comes to Electrum download site, and sees Windows or Mac download, and next to it, something called a signature - something they've never seen before.

What do you think this person will think when they see the gibberish of a signature?

They will say -"If Electrum put it up there, it must be important. But what is this gobbly-gook, what do I do with it - I'm just an internet end-user who has never seen such a thing? How come there are no instructions? Is this signature critical to use electrum? Will my money be at risk if I don't use it?"


What kind of a way is this to treat newbies when they come to download something as important as a wallet that will control their money?


And all you can worry about is your pride? How goddamn thin skinned are you?

Tell whoever is in charge of the download are, to find a way to explain to people what a signature is, and whether it's important enough to be required. Because if people see it up there, they are going to assume it must have been put up for a reason, and not as a decoration.

Now stop worrying about your thin skin, and do something to help people new to crypto have a better user experience.

Actually, it's "don't spread FUD & keep up obviously false pretenses of 'computer illiteracy' belied by your own ability to post here at all".

Something like a https://rationalwiki.org/wiki/Concern_troll

Bottom line - if there are fellow computer illiterates out there, keep your money in a bank, crypto isn't for us. At least that seems to be the Electrum (and its supporters here) attitude.