Topic: How do I verify downloaded electrum using signature files? (Read 9246 times)

legendary
Activity: 3444
Merit: 10558
~
The first step didn't work for me. I don't know if it was because it was unable to connect to that keypool hosted on that .mit site, I had to use this:

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

these key servers sometimes go down for different reasons. high load, DDoS maybe, or maintenance or something like that. but i have experienced downtime with pgp.mit.edu multiple times. and it is easy to check if it is up or down, just open the link like this:
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6
and you will see a warning saying it is down. (well it currently is up as i am writing this).
legendary
Activity: 1372
Merit: 1250

tl;rl
1. sudo gpg --keyserver pgp.mit.edu --recv-keys 0x2BD5824B7F9470E6
2. sudo gpg --fingerprint 0x2BD5824B7F9470E6
3. sudo gpg --verify Electrum-3.0.3.tar.gz.asc Electrum-3.0.3.tar.gz
 are the full and correct steps to verify electrum bitcoin wallet for all those searching to verify but find nothing accurate.  

-0x2BD5824B7F9470E6 comes from https://electrum.org/#download - look for ThomasV. link top of page friends
-ensure the tar.gz and the .asc are both in the folder where you execute commandline syntax above
gpg: Good signature from "Thomas Voegtlin  should be displayed after step 3. if not then do more due diligence.

How to verify a download:
https://bitcointalksearch.org/topic/m.17346941
https://www.torproject.org/docs/verifying-signatures.html.en

I agree it is a crying shame help is not more forthcoming from experienced users, here, nor on reddit. We appreciate ThomasV. for his contribution and don't expect him to field newbie questions - that is where the community is supposed to step up. perhaps the donation requirement for post replies, or the negative experiences of experienced users have had but as a community bitcoin should stop pumping and return to its roots as a community that TRIES to help.


The first step didn't work for me. I don't know if it was because it was unable to connect to that keypool hosted on that .mit site, I had to use this:

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

I'm not sure if this:

gpg --keyserver pgp.mit.edu --recv-keys 7F9470E6 would have worked? maybe you had to use 7F9470E6 instead of 0x2BD5824B7F9470E6 or maybe it was because of the keyserver... anyhow, this is how it went:

1) download the latest .tar file on the Electrum site
2) do "gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6" on the folder which must contain the signature file + the .tar file
3) untar file
4) "python3 electrum" inside the Electrum folder, this will run Electrum live through python

That is all.
full member
Activity: 1274
Merit: 105
Should I use gpg4win (https://www.gpg4win.org/) to verify signature in Windows ?
newbie
Activity: 11
Merit: 0
I'm using Ubuntu, here what I have done:

wget https[Suspicious link removed].asc
wget https[Suspicious link removed]

Following a post from reddit
I did

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6
gpg: requesting key 7F9470E6 from hkp server pool.sks-keyservers.net
gpg: key 7F9470E6: "Thomas Voegtlin (https://electrum.org) <[email protected]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

gpg --fingerprint
-----------------------------------
pub   4096R/7F9470E6 2011-06-15
      Key fingerprint = 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
uid                  Thomas Voegtlin (https://electrum.org) <[email protected]>
uid                  ThomasV <[email protected]>
uid                  Thomas Voegtlin <[email protected]>
sub   4096R/2021CD84 2011-06-15

gpg --verify electrum-2.1.1.exe.asc electrum-2.1.1.exe
gpg: Signature made Fri 24 Apr 2015 03:52:59 PM MDT using RSA key ID 695506FD
gpg: Can't check signature: public key not found


So what should I do next ? Thank
tl;rl
1. sudo gpg --keyserver pgp.mit.edu --recv-keys 0x2BD5824B7F9470E6
2. sudo gpg --fingerprint 0x2BD5824B7F9470E6
3. sudo gpg --verify Electrum-3.0.3.tar.gz.asc Electrum-3.0.3.tar.gz
 are the full and correct steps to verify electrum bitcoin wallet for all those searching to verify but find nothing accurate. 

-0x2BD5824B7F9470E6 comes from https://electrum.org/#download - look for ThomasV. link top of page friends
-ensure the tar.gz and the .asc are both in the folder where you execute commandline syntax above
gpg: Good signature from "Thomas Voegtlin  should be displayed after step 3. if not then do more due diligence.

How to verify a download:
https://bitcointalksearch.org/topic/m.17346941
https://www.torproject.org/docs/verifying-signatures.html.en

I agree it is a crying shame help is not more forthcoming from experienced users, here, nor on reddit. We appreciate ThomasV. for his contribution and don't expect him to field newbie questions - that is where the community is supposed to step up. perhaps the donation requirement for post replies, or the negative experiences of experienced users have had but as a community bitcoin should stop pumping and return to its roots as a community that TRIES to help.
newbie
Activity: 7
Merit: 0
Hi everyone, sorry to bring this up again, I'm new to bitcoin and i'm trying the following command...

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

and getting the following error:

gpg: keyserver receive failed: Server indicated a failure

Does anyone know what this means?

Thanks
full member
Activity: 299
Merit: 100
let me translate:
Code:
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

gpg: i checked the signature versus the public key that you gave me which belonged to "Thomas...." and the signature checks out
gpg: but this public key (6694 D8D....) is what you gave me right now, i didn't have it in my database before. and it is not in the list of "your" trusted public keys.

Wink

if you want to get rid of that "warning" you just have to add it to your list. not sure the details of it but you basically create your own key and sign everything that you add and tell "GnuPG" that you trust these keys so that warning never shows up for those keys.
https://security.stackexchange.com/questions/147447/gpg-why-is-my-trusted-key-not-certified-with-a-trusted-signature
https://security.stackexchange.com/questions/6841/ways-to-sign-gpg-public-key-so-it-is-trusted


Thank-you, and everyone else who has helped me.
legendary
Activity: 3444
Merit: 10558
let me translate:
Code:
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

gpg: i checked the signature versus the public key that you gave me which belonged to "Thomas...." and the signature checks out
gpg: but this public key (6694 D8D....) is what you gave me right now, i didn't have it in my database before. and it is not in the list of "your" trusted public keys.

Wink

if you want to get rid of that "warning" you just have to add it to your list. not sure the details of it but you basically create your own key and sign everything that you add and tell "GnuPG" that you trust these keys so that warning never shows up for those keys.
https://security.stackexchange.com/questions/147447/gpg-why-is-my-trusted-key-not-certified-with-a-trusted-signature
https://security.stackexchange.com/questions/6841/ways-to-sign-gpg-public-key-so-it-is-trusted
HCP
legendary
Activity: 2086
Merit: 4314
It is saying it is not certified by a trusted signature. This is fairly normal... it just means that none of your Trusted signatures has vouched for Thomas' signature.

PGP signatures work on a "web of trust"... for instance: Person A trusts you... You vouch for Person B... therefore Person A will trust Person B because you vouched for them. At the moment, no-one you trust (including yourself) has vouched for Thomas' signature, so you get the warning that the key is not certified... even though it is definitely the one used to sign the file (The "Good Signature" message)
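The "[unknown]" warning discussed in the posts above can be replaced by an explicit fingerprint check. The script below is an added example, not part of any post in this thread: it reads gpg's machine-readable `--status-fd` output and accepts a file only when a good signature was made by the key whose full fingerprint matches the one printed in the gpg output quoted in the thread. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Full primary-key fingerprint as printed in the gpg output quoted in this
# thread, spaces removed. Confirm it through a channel you trust before use.
PINNED_FPR="6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

# status_ok PIN: read `gpg --status-fd` lines on stdin; succeed only when a
# good, unexpired, unrevoked signature was made by the key with fingerprint
# PIN. On a VALIDSIG line, field 3 is the signing key's fingerprint and the
# last field is the primary key's (older gpg versions omit the latter).
# TRUST_* lines are ignored on purpose: the pin stands in for the web of trust.
status_ok() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && ($3 == pin || $NF == pin) { pinned = 1 }
        END { exit !(good && pinned && !bad) }'
}

# verify_pinned SIGFILE DATAFILE: run gpg and apply the check above.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_ok "$PINNED_FPR"
}

# Constructed status output (not captured from a real run): a good signature
# by the pinned key that gpg would display as [unknown] (TRUST_UNDEFINED).
sample_pinned() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org)
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2017-08-03 1501766205 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed: a good signature from a made-up key whose last 8 hex digits
# equal the short ID 7F9470E6 used in the thread. It must be rejected.
sample_lookalike() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAA7F9470E6 Thomas Voegtlin (https://electrum.org)
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7F9470E6 2017-08-03 1501766205 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Real use: sh script.sh electrum-X.Y.Z.dmg.asc electrum-X.Y.Z.dmg
if [ "$#" -eq 2 ]; then
    if verify_pinned "$1" "$2"; then echo "signed by pinned key"
    else echo "NOT verified"; exit 1; fi
fi
```

The lookalike sample shows why the 8-digit ID alone is not a sufficient check: only the full 40-digit fingerprint distinguishes the two keys.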
full member
Activity: 299
Merit: 100
the exact procedure I am following for creating the text file is copying the entire contents of it from electrum.org and then pasting it onto textedit and saving it. then I have to rename it because it automatically puts an rtf ending.
Can you not just right click the link for the .asc file and select "save link as..."? You should be able to just save the file directly from the browser rather than copy/pasting... it is possible that you are either missing data while copy/pasting or it is screwing up the newline/carriage return characters etc...


How does the [email protected] PUB key I downloaded from the key server play into this, if in any way?
Did you import the thomasv PUB key into your keychain? You need to make sure that you've created your own GPG keypair... and then imported his pubkey so that it can verify the file using it.

PROGRESS

Code:
gpg: Signature made Thu Aug  3 10:16:45 2017 -03 using RSA key ID 7F9470E6
gpg: requesting key 7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2018-09-11
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6


It says that the signature is valid now, but there is no indication that the signature belongs to the owner. Right clicking on the link did the trick as far as being able to read the asc file. This time when I executed the command, it imported one of Thomas's keys from 2011... Not sure if that's correct, you can see exactly what happened from my command above.

Thanks again
HCP
legendary
Activity: 2086
Merit: 4314
the exact procedure I am following for creating the text file is copying the entire contents of it from electrum.org and then pasting it onto textedit and saving it. then I have to rename it because it automatically puts an rtf ending.
Can you not just right click the link for the .asc file and select "save link as..."? You should be able to just save the file directly from the browser rather than copy/pasting... it is possible that you are either missing data while copy/pasting or it is screwing up the newline/carriage return characters etc...


How does the [email protected] PUB key I downloaded from the key server play into this, if in any way?
Did you import the thomasv PUB key into your keychain? You need to make sure that you've created your own GPG keypair... and then imported his pubkey so that it can verify the file using it.
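A quick way to tell whether a saved signature file was damaged by copy/paste, as suspected in the posts above, is to check its ASCII-armor structure before handing it to gpg. The script below is an added example, not part of any post in this thread; the function name `diagnose_sig` and its result words are hypothetical, and it only checks structure (RFC 4880 armor layout), not the signature itself.

```shell
#!/bin/sh
# diagnose_sig FILE: print one word naming the first structural problem found
# in a detached ASCII-armored signature, or "ok". Returns 0 only for "ok".
diagnose_sig() {
    f=$1
    [ -s "$f" ] || { echo missing-or-empty; return 1; }
    # A rich-text document (TextEdit's default format) starts with {\rtf,
    # whatever extension the file was renamed to afterwards.
    if [ "$(head -c 5 "$f")" = '{\rtf' ]; then
        echo rtf; return 1
    fi
    result=$(awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        state == 0 {                            # looking for the armor header
            if ($0 == "-----BEGIN PGP SIGNATURE-----") state = 1
            next
        }
        state == 1 {                            # "Key: value" armor headers
            if ($0 == "") state = 2             # blank line ends the headers
            else if ($0 !~ /^[A-Za-z-]+: /) {
                why = "no-blank-line-after-headers"; exit
            }
            next
        }
        state == 2 {                            # base64 body, CRC, armor tail
            if ($0 == "-----END PGP SIGNATURE-----") { state = 3; exit }
            if ($0 == "") next
            if (substr($0, 1, 1) == "=" && length($0) == 5) next   # CRC line
            if ($0 ~ "^[A-Za-z0-9+/]+=?=?$") { body++; next }
            why = "bad-base64-line"; exit
        }
        END {
            if (why != "")       print why
            else if (state == 0) print "no-armor-header"
            else if (state < 3)  print "truncated"
            else if (body == 0)  print "empty-body"
            else                 print "ok"
        }' "$f")
    echo "$result"
    [ "$result" = ok ]
}

# Real use: sh script.sh electrum-X.Y.Z.dmg.asc
if [ "$#" -eq 1 ]; then
    diagnose_sig "$1"
fi
```

Saving the `.asc` link directly from the browser, as suggested above, avoids every failure this check reports.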
full member
Activity: 299
Merit: 100
p.s. with a closer look your .asc file content does not look correct either.
You're right... it looks like the OP has actually copied the text from the "Windows Standalone Executable" signature file: https://download.electrum.org/2.9.3/electrum-2.9.3.exe.asc !!?!



O.k.

I recopied the correct (electrum-2.9.2.dmg.asc)  signature file into a text file and tried both with a .sig and .asc ending, and still getting the same error. Originally I had accidentally had the signature file 2.9.3 which was the beta version.

gpg finds electrum-2.9.2.dmg.sig file but it appears it does not recognize it as valid OpenPGP data.

Like I said, I tried both with a .sig and .asc ending. How does the [email protected] PUB key I downloaded from the key server play into this, if in any way?

What else could I be doing wrong?



the exact procedure I am following for creating the text file is copying the entire contents of it from electrum.org and then pasting it onto textedit and saving it. then I have to rename it because it automatically puts an rtf ending.


thanks again


P.S. Could it be that I am using pgp tools and not GnuPG? Does something maybe need to be changed in the signature file, like the heading maybe?
HCP
legendary
Activity: 2086
Merit: 4314
p.s. with a closer look your .asc file content does not look correct either.
You're right... it looks like the OP has actually copied the text from the "Windows Standalone Executable" signature file: https://download.electrum.org/2.9.3/electrum-2.9.3.exe.asc !!?!
legendary
Activity: 3444
Merit: 10558
Code:
gpg --verify electrum-2.9.2.dmg.asc.txt electrum-2.9.2.dmg

Code:
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

i believe the gpg is looking for a file with a .sig or .asc type for the signature and you are giving it a .txt file containing the same thing.
try renaming the file and remove the .txt from the end:
Code:
mv electrum-2.9.2.dmg.asc.txt electrum-2.9.2.dmg.asc

then check with gpg


p.s. with a closer look your .asc file content does not look correct either.
https://download.electrum.org/2.9.2/electrum-2.9.2.dmg.asc
Code:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
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=TCRU
-----END PGP SIGNATURE-----
full member
Activity: 299
Merit: 100
I have a mac and I am having trouble verifying the electrum wallet signature. I followed instructions as best as possible according to this post.


I have downloaded the [email protected] public key issued on June 14th, 2017

Key ID: 0451C3EF

Fingerprint: 2ECD 3D5B 47F6 91C4 D0C7  32EB 4A5A 7F6F 0451 C3EF


I copied all the text on the signature file from the electrum.org site and saved it as: electrum-2.9.2.dmg.asc.txt and then placed it in the same folder as electrum-2.9.2.dmg

the contents of the signature file are:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
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=YtfS
-----END PGP SIGNATURE-----

then in terminal I executed the following command:

Code:
gpg --verify electrum-2.9.2.dmg.asc.txt electrum-2.9.2.dmg


here is the output i got:

Code:
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.


Can anyone tell me what I am doing wrong.


Thank-you in advance
full member
Activity: 299
Merit: 100

How do I verify the Electrum download and signatures on a Mac?



Similar as example above, but do it for the dmg files:

Open a terminal window (CMD + space bar, type Terminal --> Enter)

Code:
gpg --verify electrum-2.8.2.dmg.asc.txt electrum-2.8.2.dmg

If for some reason you don't have gpg installed on your system, you can always download a very nice suite (which integrates well with Mail, btw - to encrypt or sign Emails, and manage private/public keys ...)  from https://gpgtools.org.

Example:

Code:
     gpg --verify electrum-2.8.2.dmg.asc.txt electrum-2.8.2.dmg
gpg: Signature made Tue Mar 21 10:42:38 2017 PDT using RSA key ID 7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [ultimate]


hey guys,

I am also trying to verify the electrum signature of my mac but I am getting an error.


here is what I have done:

i have downloaded the [email protected] private key.

Key id: 0451C3EF

Fingerprint: 2ECD 3D5B 47F6 91C4 D0C7  32EB 4A5A 7F6F 0451 C3EF

Created: June 14, 2017 at 10:08 AM

i copied the entire contents of the signature file that is on the electrum.org file to a text file and named it 'electrum-2.9.2.dmg.asc.txt' and it is the same folder as the 'electrum-2.9.2.dmg' file.

then in terminal i typed the following.


'gpg --verify electrum-2.9.2.dmg.asc.txt electrum-2.9.2.dmg'

Terminal's response is the following


gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.



What I am doing wrong?

gpg:                 aka "ThomasV " [ultimate]
gpg:                 aka "Thomas Voegtlin " [ultimate]

member
Activity: 137
Merit: 14
Stop replying to my posts, teen-ager.

I am not talking about myself, but all future visitors to electrum. Bitcoin's not worth $200 any more, and people who put their $$ into btc wallets deserve to understand better what they are supposed to do.

Don't answer my posts anymore Margarine. I need to hear from people whose minds have been on this planet longer than 16 years.
member
Activity: 137
Merit: 14

Actually, it's "don't spread FUD & keep up obviously false pretenses of 'computer illiteracy' belied by your own ability to post here at all".

Something like a https://rationalwiki.org/wiki/Concern_troll

Listen Butterball. I don't know if you're actually 16, or only post with the sophistication of a teen-ager.

But someone who uses the internet only as an end user, goes to a few internet pages at their desktop computer, maybe downloads a program once or twice a year to their hard drive, well maybe one day this person decides to join the crypto enthusiasts and buys some bitcoin. He/she deposits bitcoin at an exchange, and then reads several people warning to get their coins off exchanges, maybe buy a hardware wallet, or download Electrum to their hard drive so they can control their private keys.

So this person comes to Electrum download site, and sees Windows or Mac download, and next to it, something called a signature - something they've never seen before.

What do you think this person will think when they see the gibberish of a signature?

They will say -"If Electrum put it up there, it must be important. But what is this gobbly-gook, what do I do with it - I'm just an internet end-user who has never seen such a thing? How come there are no instructions? Is this signature critical to use electrum? Will my money be at risk if I don't use it?"


What kind of a way is this to treat newbies when they come to download something as important as a wallet that will control their money?


And all you can worry about is your pride? How goddamn thin skinned are you?

Tell whoever is in charge of the download area, to find a way to explain to people what a signature is, and whether it's important enough to be required. Because if people see it up there, they are going to assume it must have been put up for a reason, and not as a decoration.

Now stop worrying about your thin skin, and do something to help people new to crypto have a better user experience.
legendary
Activity: 3052
Merit: 1031
RIP Mommy
Bottom line - if there are fellow computer illiterates out there, keep your money in a bank, crypto isn't for us. At least that seems to be the Electrum (and its supporters here) attitude.

Actually, it's "don't spread FUD & keep up obviously false pretenses of 'computer illiteracy' belied by your own ability to post here at all".

Something like a https://rationalwiki.org/wiki/Concern_troll
member
Activity: 137
Merit: 14
Bottom line - if there are fellow computer illiterates out there, keep your money in a bank, crypto isn't for us. At least that seems to be the Electrum (and its supporters here) attitude.