Author

Topic: How do I verify downloaded electrum using signature files? (Read 9335 times)

legendary
Activity: 3472
Merit: 10611
~
The first step didn't work for me. I don't now if it was because it was unable to connect to that keypool hosted on that .mit site, I had to use this:

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

these key servers sometimes go down for different reasons. high load, DDoS maybe, or maintenance or something like that. but i have experienced downtime with pgp.mit.edu multiple times. and it is easy to check if it is up or down, just open the link like this:
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6
and you will see a warning saying it is down. (well it currently is up as i am writing this).
legendary
Activity: 1372
Merit: 1252

tl;rl
1.sudo gpg --keyserver pgp.mit.edu --recv-keys 0x2BD5824B7F9470E6
2.sudo gpg --fingerprint 0x2BD5824B7F9470E6
3.sudo gpg --verify Electrum-3.0.3.tar.gz.asc Electrum-3.0.3.tar.gz
 are the full and correct steps to verify electrum bitcoin wallet for all those searching to verify but find nothing accurate.  

-0x2BD5824B7F9470E6 comes from https://electrum.org/#download - look for ThomasV. link top of page friends
-ensure the tar.gz and the .asc are both in the folder where you execute commandline syntax above
gpg: Good signature from "Thomas Voegtlin  should be displayed after step 3. if not then do more due diligence.

How to verify a download:
https://bitcointalksearch.org/topic/m.17346941
https://www.torproject.org/docs/verifying-signatures.html.en

I agree it is a crying shame help is not more forthcoming from experienced users, here, nor on reddit.  We appreciate ThomasV. for his contribution and dont expect him to field newbie questions - that is where the community is supposed to step up.  perhaps the donation requirement for post replies, or the negative experiences of experienced users  have had but as a community bitcoin should stop pumping and return to its roots as a community that TRIES to help.


The first step didn't work for me. I don't now if it was because it was unable to connect to that keypool hosted on that .mit site, I had to use this:

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

Im not sure if this:

gpg --keyserver pgp.mit.edu --recv-keys 7F9470E6 would have worked? maybe you had to do use 7F9470E6 instead of 0x2BD5824B7F9470E6 or maybe it was because of the keyserver... anyhow, this is how it went:

1) download the latest .tar file on the Electrum site
2) do "gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6" on the folder which must contain the signature file + the .tar file
3) untar file
4) "python3 electrum" inside the Electrum folder, this will run Electrum live through python

That is all.
full member
Activity: 1274
Merit: 105
Should I use gpg4win (https://www.gpg4win.org/) to verify signature in Windows ?
newbie
Activity: 11
Merit: 0
I'm using Ubuntu, here what I have done:

wget https[Suspicious link removed].asc
wget https[Suspicious link removed]

Following a post from reddit
I did

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6
gpg: requesting key 7F9470E6 from hkp server pool.sks-keyservers.net
gpg: key 7F9470E6: "Thomas Voegtlin (https://electrum.org) <[email protected]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

gpg --fingerprint
-----------------------------------
pub   4096R/7F9470E6 2011-06-15
      Key fingerprint = 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
uid                  Thomas Voegtlin (https://electrum.org) <[email protected]>
uid                  ThomasV <[email protected]>
uid                  Thomas Voegtlin <[email protected]>
sub   4096R/2021CD84 2011-06-15

gpg --verify electrum-2.1.1.exe.asc electrum-2.1.1.exe
gpg: Signature made Fri 24 Apr 2015 03:52:59 PM MDT using RSA key ID 695506FD
gpg: Can't check signature: public key not found


So what should I do next ? Thank
tl;rl
1.sudo gpg --keyserver pgp.mit.edu --recv-keys 0x2BD5824B7F9470E6
2.sudo gpg --fingerprint 0x2BD5824B7F9470E6
3.sudo gpg --verify Electrum-3.0.3.tar.gz.asc Electrum-3.0.3.tar.gz
 are the full and correct steps to verify electrum bitcoin wallet for all those searching to verify but find nothing accurate. 

-0x2BD5824B7F9470E6 comes from https://electrum.org/#download - look for ThomasV. link top of page friends
-ensure the tar.gz and the .asc are both in the folder where you execute commandline syntax above
gpg: Good signature from "Thomas Voegtlin  should be displayed after step 3. if not then do more due diligence.

How to verify a download:
https://bitcointalksearch.org/topic/m.17346941
https://www.torproject.org/docs/verifying-signatures.html.en

I agree it is a crying shame help is not more forthcoming from experienced users, here, nor on reddit.  We appreciate ThomasV. for his contribution and dont expect him to field newbie questions - that is where the community is supposed to step up.  perhaps the donation requirement for post replies, or the negative experiences of experienced users  have had but as a community bitcoin should stop pumping and return to its roots as a community that TRIES to help.
newbie
Activity: 7
Merit: 0
Hi everyone, sorry to bring this up again, I'm new to bitcoin and i'm trying the following command...

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

and getting the following error:

gpg: keyserver receive failed: Server indicated a failure

Does anyone know what this means?

Thanks
full member
Activity: 302
Merit: 100
let me translate:
Code:
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

gpg: i checked the signature versus the public key that you gave me which belonged to "Thomas...." and the signature checks out
gpg: but this public key (6694 D8D....) is what you gave me right now, i didn't have it in my database before. and it is not in the list of "your" trusted public keys.

Wink

if you want to get rid of that "warning" you just have to add it to your list. not sure the details of it but you basically create your own key and sign everything that you add and tell "GnuPG" that you trust these keys so that warning never shows up for those keys.
https://security.stackexchange.com/questions/147447/gpg-why-is-my-trusted-key-not-certified-with-a-trusted-signature
https://security.stackexchange.com/questions/6841/ways-to-sign-gpg-public-key-so-it-is-trusted


Thank-you, and everyone else who has helped me.









legendary
Activity: 3472
Merit: 10611
let me translate:
Code:
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

gpg: i checked the signature versus the public key that you gave me which belonged to "Thomas...." and the signature checks out
gpg: but this public key (6694 D8D....) is what you gave me right now, i didn't have it in my database before. and it is not in the list of "your" trusted public keys.

Wink

if you want to get rid of that "warning" you just have to add it to your list. not sure the details of it but you basically create your own key and sign everything that you add and tell "GnuPG" that you trust these keys so that warning never shows up for those keys.
https://security.stackexchange.com/questions/147447/gpg-why-is-my-trusted-key-not-certified-with-a-trusted-signature
https://security.stackexchange.com/questions/6841/ways-to-sign-gpg-public-key-so-it-is-trusted
HCP
legendary
Activity: 2086
Merit: 4363
It is saying it is not certified by a trusted signature. This is fairly normal... it just means that none of your Trusted signatures has vouched for Thomas' signature.

PGP signatures work on a "web of trust"... for instance: Person A trusts you... You vouch for Person B... therefore Person A will trust Person B because you vouched for them. At the moment, no-one you trust (including yourself) has vouched for Thomas' signature, so you get the warning that the key is not certified... even though it is definitely the one used to sign the file (The "Good Signature" message)
full member
Activity: 302
Merit: 100
the exact procedure I am following for creating the text file is copying the entire contents of it from electrum.org and then pasting it onto textedit and saving it. then I have to rename it because it automatically puts an rtf ending.
Can you not just right click the link for the .asc file and select "save link as..."? You should be able to just save the file directly from the browser rather than copy/pasting... it is possible that you are either missing data while copy/pasting or it is screwing up the newline/carriage return characters etc...


How does the [email protected] PUB key I downloaded from the key server play into this, if in anyway?
Did you import the thomasv PUB key into your keychain? You need to make sure that you've created your own GPG keypair... and then imported his pubkey so that it can verify the file using it.

PROGRESS

Code:
gpg: Signature made Thu Aug  3 10:16:45 2017 -03 using RSA key ID 7F9470E6
gpg: requesting key 7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2018-09-11
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6


It says that the signature is valid now, but there is no indication that the signature belongs to the owner.  Right clicking on the link, did the trick as far being able to read the asc file. This time when I executed the command, it imported one of Thomas's keys from 2011... Not sure if that's correct, you can see exactly what happened from my command above.

Thanks again
HCP
legendary
Activity: 2086
Merit: 4363
the exact procedure I am following for creating the text file is copying the entire contents of it from electrum.org and then pasting it onto textedit and saving it. then I have to rename it because it automatically puts an rtf ending.
Can you not just right click the link for the .asc file and select "save link as..."? You should be able to just save the file directly from the browser rather than copy/pasting... it is possible that you are either missing data while copy/pasting or it is screwing up the newline/carriage return characters etc...


How does the [email protected] PUB key I downloaded from the key server play into this, if in anyway?
Did you import the thomasv PUB key into your keychain? You need to make sure that you've created your own GPG keypair... and then imported his pubkey so that it can verify the file using it.
full member
Activity: 302
Merit: 100
p.s. with a closer look your .asc file content does not look correct either.
You're right... it looks like the OP has actually copied the text from the "Windows Standalone Executable" signature file: https://download.electrum.org/2.9.3/electrum-2.9.3.exe.asc !!?!



O.k.

I recopied the correct (electrum-2.9.2.dmg.asc)  signature file into a text file and tried both with a .sig and .asc ending, and still getting the same error. Originally I had accidentally had the signature file 2.9.3 which was the beta version.

gpg finds electrum-2.9.2.dmg.sig file but it appears it does not recognize it as valid Opengpg data.

Like I said, i tried both with a .sig and .asc ending. How does the [email protected] PUB key I downloaded from the key server play into this, if in anyway?

What else could I be doing wrong?



the exact procedure I am following for creating the text file is copying the entire contents of it from electrum.org and then pasting it onto textedit and saving it. then I have to rename it because it automatically puts an rtf ending.


thanks again


P.S. Could it be that I am using pgp tools and not GnuPG? Does something maybe need to be changed in the signature file, like the heading maybe?
HCP
legendary
Activity: 2086
Merit: 4363
p.s. with a closer look your .asc file content does not look correct either.
You're right... it looks like the OP has actually copied the text from the "Windows Standalone Executable" signature file: https://download.electrum.org/2.9.3/electrum-2.9.3.exe.asc !!?!
legendary
Activity: 3472
Merit: 10611
Code:
gpg --verify electrum-2.9.2.dmg.asc.txt electrum-2.9.2.dmg

Code:
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

i believe the gpg is looking for a file with a .sig or .asc type for the signature and you are giving it a .txt file containing the same thing.
try renaming the file and remove the .txt from the end:
Code:
mv electrum-2.9.2.dmg.asc.txt electrum-2.9.2.dmg.asc

then check with gpg


p.s. with a closer look your .asc file content does not look correct either.
https://download.electrum.org/2.9.2/electrum-2.9.2.dmg.asc
Code:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABCgAGBQJZgyI9AAoJECvVgkt/lHDm/PMP/A32LeuqSOD3iSGlbUJ9bT+Y
Lwsz3A7Z6CkqvKgLh3+IZkhJzqixBsZ4j4tH6moTCqmbnlAUSe5hCwMRBocj6AIZ
/KLbWRPqXMGmZqPXKZmbVD5GrNBNq0YOXo6YaoPFYu4K7Vd1kxYEVL7XYfj7qhyr
UEs+S5kngeEYn+WCixlODjsqPzKX4e77ouq/FY/bec900lSZMRHq31jBOfVGR5ow
QRlP2JBLKIQpJNSKxtKInhNQ1lSX/F5OvhdWxROPPJclxZTphkDKX76WyqRqIlWs
CvHHLzAJIovzMW0PiZd9YSDv8WFm5frh/xqWFSPkYaJrsTnFzHidP2X0M+T83EYX
yu998/n5B1ACvW346JnuEKVMqWf/mKjLkgkm39HZU4RZlMfuofYDDTd/JqDgQFqk
Q6Kzf9BYiXn0ZzcVZz27LPM6EGCRcvdnmNPGErTjt4CcN5+E11k4E76dFweHPbow
6Pq5y7Hf/WYglEqaFgSOpo6AbqKbDI9YpKQSROz4HGIqGS8Xhp2EBVHRQksL6AsS
STltKisEMmNWLu41zkZczuE8el1RP/fpyuiCobCVPeQmeh+Pasi3oNFAY4TkR45L
ms20BWF9iLUJAd6tKWcH+kbx0FFyr9pihP98nrlljGH+nBkt4vGseK5V5c29vFCZ
UBN0IFw7G3KEGbtrehFe
=TCRU
-----END PGP SIGNATURE-----
full member
Activity: 302
Merit: 100
I have a mac and I am having trouble verifying the electrum wallet signature. I followed instructions as best as possible according to this post.


I have downloaded the [email protected] public key issued on June 14th, 2017

Key ID: 0451C3EF

Fingerprint: 2ECD 3D5B 47F6 91C4 D0C7  32EB 4A5A 7F6F 0451 C3EF


I copied all the text on the signature file from the electrum.org site and saved it as: electrum-2.9.2.dmg.asc.txt and then placed it in the same folder as electrum-2.9.2.dmg

the contents of the signature file are:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABCgAGBQJZjYhyAAoJECvVgkt/lHDmf5MP/2Qai6OUKCbG/146dRa7E6em
ZU4TqrRQofgW6Ya7hO9XG3T+5ji/5HF66/SJ+G3qNVcaJnLGL3KomN42sv52WANx
1/qeOfZckwrzC/k1AmIzR43/eaGUcC9Fr+orjz2eQlpE4qfQiijvGS6T6ZMQtJFC
axKCv0pA1VvnEMlQf+PScde/BF8wgGY43xa3pm0jrHXJu0Tbtl3JvuDrh9sI1Zan
fhjV7OldtOijNmvj0mAGbvuSjZKN3Pf3VKHD1acGQ92Owj19j/MB9lgesbrygvvk
7fX+9Lw9yl9BK9JD0xTnhrNTRZvVLp4fKskAF6KfhkJjm+bm+m+p/WTp1IfrywXY
CYx/GD6ZbSqrwnq7sEUhVaaLQC33G97Lwu1Jmsm8fu5iy+QcE7kCa+Pu9C8kv1e4
zwVK/kiyHQSY8m506GgrJhtfODmeTloryUNterKoFaRjuN9bRPxotr85QdhVy4Ci
PoWW8+tHttmHsLfF9CtcmYkzSSYyB+HsTSvhkgs/Rl4zJ2526Xw4i10scfD0dhar
ikk8OONbYFWO0LJSgakqcezhYgGqMiyw7jXMS+II1QSvCHDgpCpnLekoYclH/lo/
Kdzq/OwUdm3peh39hggy5LwciC3OXG9EslhNlP6HqK9rg1AAsGGAoIr+jpbmRBqD
577hMthTTwWAlU9B0nke
=YtfS
-----END PGP SIGNATURE-----

then in terminal I exectued the following command:

Code:
gpg --verify electrum-2.9.2.dmg.asc.txt electrum-2.9.2.dmg


here is the output i got:

Code:
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.


Can anyone tell me what I am doing wrong.


Thank-you in advance
full member
Activity: 302
Merit: 100

How do I verify the Electrum download and signatures on a Mac?



Similar as example above, but do it for the dmg files:

Open a terminal window (CMD + space bar, type Terminal --> Enter)

Code:
gpg --verify electrum-2.8.2.dmg.asc.txt electrum-2.8.2.dmg

If for some reason you don't have gpg installed on your system, you can always download a very nice suite (which integrates well with Mail, btw - to encrypt or sign Emails, and manage private/public keys ...)  from https://gpgtools.org.

Example:

Code:
     gpg --verify electrum-2.8.2.dmg.asc.txt electrum-2.8.2.dmg
gpg: Signature made Tue Mar 21 10:42:38 2017 PDT using RSA key ID 7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [ultimate]


hey guys,

I am also trying to verify the electrum signature of my mac but I am getting an error.


here is what I have done:

i have dowloaded the [email protected] private key.

Key id: 0451C3EF

Fingerprint: 2ECD 3D5B 47F6 91C4 D0C7  32EB 4A5A 7F6F 0451 C3EF

Created: June 14, 2017 at 10:08 AM

i copied the entire contents of the signature file that is on the electrum.org file to a text file and named it 'electrum-2.9.2.dmg.asc.txt' and it is the same folder as the 'electrum-2.9.2.dmg' file.

then in terminal i typed the following.


'gpg --verify electrum-2.9.2.dmg.asc.txt electrum-2.9.2.dmg'

Terminal's response is the following


gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.



What I am doing wrong?













gpg:                 aka "ThomasV " [ultimate]
gpg:                 aka "Thomas Voegtlin " [ultimate]

member
Activity: 138
Merit: 14
Stop replying to my posts, teen-ager.

I am not talking about myself, but all future visitors to electrum. Bitcoin's not worth $200 any more, and people who put their $$ into btc wallets deserve to understand better what they are supposed to do.

Don't answer my posts anymore Margarine. I need to hear from people whose minds have been on this planet longer than 16 years.
member
Activity: 138
Merit: 14

Actually, it's "don't spread FUD & keep up obviously false pretenses of 'computer illiteracy' belied by your own ability to post here at all".

Something like a https://rationalwiki.org/wiki/Concern_troll

Listen Butterball. I don't know if you're actually 16, or only post with the sophistication of a teen-ager.

But someone who uses the internet only as an end user, goes to a few interent pages at their desktop computer, maybe downloads a program once or twice a year to their hard drive, well maybe one day this person decides to join the crypto enthusiasts and buys some bitcoin. He/she deposits bitcoin at an exchange, and then reads several people warning to get their coins off exchanges, maybe buy a  hardware wallet, or download Electrum to their hard drive so they can control their private keys.

So this person comes to Electrum download site, and sees Windows or Mac download, and next to it, something called a signature - something they've never seen before.

What do you think this person will think when they see the gibberish of a signature?

They will say -"If Electrum put it up there, it must be important. But what is this gobbly-gook, what do I do with it - I'm just an internet end-user who has never seen such a thing? How come there are no instructions? Is this signature critical to use electrum? Will my money be at risk if I don't use it?"


What kind of a way is this to treat newbies when they come to download something as important as a wallet that will control their money?


And all you can worry about is your pride? How goddamn thin skinned are you?

Tell whoever is in charge of the download are, to find a way to explain to people what a signature is, and whether it's important enough to be required. Because if people see it up there, they are going to assume it must have been put up for a reason, and not as a decoration.

Now stop worrying about your thin skin, and do something to help people new to crypto have a better user experience.
legendary
Activity: 3038
Merit: 1032
RIP Mommy
Bottom line - if there are fellow computer illiterates out there, keep your money in a bank, crypto isn't for us. At least that seems to be the Electrum (and its supporters here) attitude.

Actually, it's "don't spread FUD & keep up obviously false pretenses of 'computer illiteracy' belied by your own ability to post here at all".

Something like a https://rationalwiki.org/wiki/Concern_troll
member
Activity: 138
Merit: 14
Bottom line - if there are fellow computer illiterates out there, keep your money in a bank, crypto isn't for us. At least that seems to be the Electrum (and its supporters here) attitude.
legendary
Activity: 3038
Merit: 1032
RIP Mommy
This is what I get when hitting the version 2.9.3 Windows Standalone Executable file signature.

Actually, after some research, I went to gpgtools.org and downloaded some .dmg file (GPG_suite-2016.10v2.dmg)

But my computer didn't open it.

It says "macOS" no less than 5 times on https://gpgtools.org/

Do you know the difference between macOS & Windows? The first is a pleasurable operating system to use, the other is a daily mind-raping nightmare that can't even be legitimately called an operating system. Why are you trying to run macOS software on Windows? How are you even able to post on the internet?

http://lmgtfy.com/?q=gpg+software+for+windows
member
Activity: 138
Merit: 14
So I watched the Kleopatra video you linked, and seriously, to me it was the equivalent of going to have my car repaired, and the mechanic telling me "do I have to spoon feed you everything? Here is a video on how to change your timing belt, now GTFO and go do it yourself, you lazy loser"

Bottom line - Electrum is an excellent, user friendly wallet.

But if you want to check the integrity of the download files, you need to take a several hour course (maybe tens of hours if you are a true newbie starting from scratch)  in digital signatures and how to verify them

Just putting the signatures up on the Electrum site near the files, and leaving them there with no more info, is confusing, to say the least, to many people. Unless you have deep computer/software knowledge, you can't properly verify the integrity of the Electrum files, and you might be better off trusting exchanges or 3rd parties to hold your money, rather than downloading corrupted files and watch your money disappear.
member
Activity: 138
Merit: 14
"Did you do ANYTHING in the 21 hours between your posts to investigate PGP signatures and how they're used to verify files?"

Actually, after some research, I went to gpgtools.org and downloaded some .dmg file (GPG_suite-2016.10v2.dmg)

But my computer didn't open it.

More research led to a "howtogeek" webpage which suggested I download either 7-Zip or DMG extractor to open my files.

So up to now, I need to download 2 files (hoping my antivirus stops any malware with these files) in order to begin the process of signature verification, which I guess will help validate that the Electrum files are genuine (?).

Good grief, I am lost.

(BTW, I know you are a conscientious helpful person HCP, just venting at how frustrating this is for a computer illiterate, nothing  meant against you specifically)

HCP
legendary
Activity: 2086
Merit: 4363
Or people could stop being lazy and expect everything to be spoon-fed to them...

Google exists for a reason... there are literally dozens of webpages and the odd video (https://www.youtube.com/watch?v=Go7CBYWosLc windows, https://www.youtube.com/watch?v=h7vboUn3ahI Mac) that explain what the signatures are for and/or how to go about using them to verify that a file is legit...

If people are so concerned about their "$$$", then maybe they should educate themselves and stop being "computer software illiterates". If you have enough time to log onto btctalk and moan about not knowing how to do something and insult people for not dropping everything they're doing to help you, you have enough time to use Google and your brain and go and learn something. Did you do ANYTHING in the 21 hours between your posts to investigate PGP signatures and how they're used to verify files?

"Be your own bank" also implies "Be your own security team" Tongue


Besides, checking the signatures is not even mandatory... it is recommended, but isn't required to be able to use Electrum.

Also, as a side note...
- you are being jerks.
I say - F**k the f**king computer world.
Insulting the people you are asking for assistance, probably isn't the best way to get the assistance you desire... #justSaying
member
Activity: 138
Merit: 14
BUMP

If you're going to tell people over and over and over, that you don't own your bitcoins unless you are in control of your private keys, get them off exchanges, get them off custodial services, and then when they come to Electrum to try and do what they're told, you throw these people a curve ball and  show these  signatures out of the blue, which is a pretty complicated business for a newbie, and then just leave them hanging - you are being jerks.

Either take signatures off the website, or explain to newbies what they are for and how to use them!

member
Activity: 138
Merit: 14
This is what I get when hitting the version 2.9.3 Windows Standalone Executable file signature.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABCgAGBQJZjYhyAAoJECvVgkt/lHDmf5MP/2Qai6OUKCbG/146dRa7E6em
ZU4TqrRQofgW6Ya7hO9XG3T+5ji/5HF66/SJ+G3qNVcaJnLGL3KomN42sv52WANx
1/qeOfZckwrzC/k1AmIzR43/eaGUcC9Fr+orjz2eQlpE4qfQiijvGS6T6ZMQtJFC
axKCv0pA1VvnEMlQf+PScde/BF8wgGY43xa3pm0jrHXJu0Tbtl3JvuDrh9sI1Zan
fhjV7OldtOijNmvj0mAGbvuSjZKN3Pf3VKHD1acGQ92Owj19j/MB9lgesbrygvvk
7fX+9Lw9yl9BK9JD0xTnhrNTRZvVLp4fKskAF6KfhkJjm+bm+m+p/WTp1IfrywXY
CYx/GD6ZbSqrwnq7sEUhVaaLQC33G97Lwu1Jmsm8fu5iy+QcE7kCa+Pu9C8kv1e4
zwVK/kiyHQSY8m506GgrJhtfODmeTloryUNterKoFaRjuN9bRPxotr85QdhVy4Ci
PoWW8+tHttmHsLfF9CtcmYkzSSYyB+HsTSvhkgs/Rl4zJ2526Xw4i10scfD0dhar
ikk8OONbYFWO0LJSgakqcezhYgGqMiyw7jXMS+II1QSvCHDgpCpnLekoYclH/lo/
Kdzq/OwUdm3peh39hggy5LwciC3OXG9EslhNlP6HqK9rg1AAsGGAoIr+jpbmRBqD
577hMthTTwWAlU9B0nke
=YtfS
-----END PGP SIGNATURE-----



I don't know the first f**king thing about what to do to verify whether this is a legit signature.

Why you gotta leave computer illiterates so in the dark is f**king nasty when $$$ are at stake.

Speaking for computer software illiterates everywhere that want to take precautions to safely store their bitcoins, I say - F**k the f**king computer world.


legendary
Activity: 3808
Merit: 1723
Is there anyway to verify the download offline in Ubuntu ?

i actually searched about this a while back but couldn't find anything that helped. but i still think technically it should work.
you have to find a way to give the signature for verifying. since this: https://pgp.mit.edu/pks/lookup?op=get&search=0x2BD5824B7F9470E6 can be saved as a file.
and you would need to change the
Code:
gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6
line to something else so that gpg takes the key from your file instead of the server.
i don't know how because it never was necessary to do so, i download on linux, verify, and transfer to offline storage and install there.

I did more reading and this should of worked:

gpg --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
echo "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6:6" | gpg --import-ownertrust -



However you need internet access for that or it gives an error.

legendary
Activity: 3472
Merit: 10611
Is there anyway to verify the download offline in Ubuntu ?

i actually searched about this a while back but couldn't find anything that helped. but i still think technically it should work.
you have to find a way to give the signature for verifying. since this: https://pgp.mit.edu/pks/lookup?op=get&search=0x2BD5824B7F9470E6 can be saved as a file.
and you would need to change the
Code:
gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6
line to something else so that gpg takes the key from your file instead of the server.
i don't know how because it never was necessary to do so, i download on linux, verify, and transfer to offline storage and install there.
legendary
Activity: 3808
Merit: 1723
Is there anyway to verify the download offline in Ubuntu ?
HCP
legendary
Activity: 2086
Merit: 4363
I'm surprised that Electrum's developers would not have gotten a Developer ID from Apple and signed their app.

Should I ignore the GateKeeper message and install anyways ?
"The cost is 99 USD per membership year." I'm not surprised at all... Tongue

Yes, if you downloaded from the Electrum website and have confirmed that the package is signed with Thomas' key, then the package is unmodified. Go ahead and install it.
jlp
sr. member
Activity: 266
Merit: 264
the same goes for Mac, i think it is called GateKeeper that is preventing installation of any app that it doesn't recognize.

Yes, the following message from my Mac is from GateKeeper:

Quote
“Electrum” can’t be opened because it is from an unidentified developer.

Your security preferences allow installation of only apps from the Mac App Store and identified developers.

“Electrum” is on the disk image “electrum-2.8.2.dmg”. Safari downloaded this disk image on May 20, 2017.

From Apple https://support.apple.com/en-ca/HT202491:

Quote
For apps that are downloaded from places other than the Mac App Store, developers can get a unique Developer ID from Apple and use it to digitally sign their apps. The Developer ID allows Gatekeeper to block apps created by malware developers and verify that apps haven't been tampered with since they were signed. If an app was developed by an unknown developer—one with no Developer ID—or tampered with, Gatekeeper can block the app from being installed.

I'm surprised that Electrum's developers would not have gotten a Developer ID from Apple and signed their app.

Should I ignore the GateKeeper message and install anyways ?

legendary
Activity: 3472
Merit: 10611
- to check the signature of a file you need 3 things:
* the file (.dmg file)
* the signature file (.asc file)
* and the public key (7F9470E6)

here are a couple of things that are confusing about GPG and needs translation:

Code:
gpg: Good signature from "Thomas Voegtlin ...
means the signature was correct, aka you have downloaded the right file.

Code:
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
means you have not added the public key (7F9470E6) to your list of trusted keys. you don't have to do this. if you want the warning to go away basically you have to add the key to your list and sign it with your own key.

read this: https://security.stackexchange.com/questions/108471/verifying-a-downloaded-file-with-gpg

the same goes for Mac, i think it is called GateKeeper that is preventing installation of any app that it doesn't recognize.
jlp
sr. member
Activity: 266
Merit: 264
I didn't see any indication from GPG that it verified that the downloaded image was unchanged, in addition to being signed properly?  Did it verify that the downloaded image was unchanged?

I disconnected my Mac from the internet, booted up Mac OS from a bootable USB.

I tried to install electrum-2.8.2.dmg, but my Mac gave me the following message:

Quote
“Electrum” can’t be opened because it is from an unidentified developer.

Your security preferences allow installation of only apps from the Mac App Store and identified developers.

“Electrum” is on the disk image “electrum-2.8.2.dmg”. Safari downloaded this disk image on May 20, 2017.

Am I correct to assume that I can ignore this and go to Preferences > Security & Privacy > Allow apps downloaded from: Anywhere (or open anyway) ?
legendary
Activity: 3710
Merit: 1586
nerioseole:

Okay.  Does this mean that I verified that the downloaded image was unchanged, in addition to being signed properly?

What about all of the other steps mentioned by users xdigital and guitarplinker, such as:

Code:
gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

Code:
gpg --fingerprint

Can I ignore them?



those steps are for fetching the gpg key but the software you used already did that for you:

Quote
gpg: requesting key 7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <[email protected]>" imported

jlp
sr. member
Activity: 266
Merit: 264
nerioseole:

Okay.  Does this mean that I verified that the downloaded image was unchanged, in addition to being signed properly?

What about all of the other steps mentioned by users xdigital and guitarplinker, such as:

Code:
gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

Code:
gpg --fingerprint

Can I ignore them?

jlp
sr. member
Activity: 266
Merit: 264
nerioseole:

Thanks for your help and suggestions.

I downloaded http://download.electrum.org/2.8.2/electrum-2.8.2.dmg.asc and renamed the file to electrum-2.8.2.dmg.asc.txt.

I installed GPG from gpgtools.org.  I de-selected GPGMail because I don't use Apple's Mail.  I ran GPG and got the following, which is different than what you got.

Code:
$ gpg --verify electrum-2.8.2.dmg.asc.txt electrum-2.8.2.dmg
gpg: Signature made Tue 21 Mar 13:42:38 2017 EDT using RSA key ID 7F9470E6
gpg: requesting key 7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
$

It seems that the verification failed.  What did I do wrong?

jlp
sr. member
Activity: 266
Merit: 264

How do I verify the Electrum download and signatures on a Mac?

newbie
Activity: 41
Merit: 0
Thank guitarplinker for pointing it out. Got it verified now.
To Abdussamad: I'm have 2 machines, 1 is my main PC running Windows, 1 is Ubuntu server (which is also running a full bitcoin node).
I don't want to install gpg on the Windows machine, So I use Ubuntu.

Here is what I did.
Using the RSA key ID 695506FDfound from the last error, I get Amazing's key by changing the key of the first command.

gpg --keyserver pool.sks-keyservers.net --recv-keys 695506FD
gpg: requesting key 695506FD from hkp server pool.sks-keyservers.net
gpg: key 695506FD: public key "Animazing <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

gpg --verify electrum-2.1.1.exe.asc electrum-2.1.1.exe
gpg: Signature made Fri 24 Apr 2015 03:52:59 PM MDT using RSA key ID 695506FD
gpg: Good signature from "Animazing <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9914 864D FC33 499C 6CA2  BEEA 2245 3004 6955 06FD
legendary
Activity: 3710
Merit: 1586
I'm using Ubuntu, here what I have done:

The .exe file is for windows users. You should follow the instructions for linux and download the source tarball. That is signed by ThomasV.
legendary
Activity: 1694
Merit: 1024
On the Electrum download page, there's a note saying that "Sources are signed by ThomasV. Executables are signed by Animazing". Since you downloaded the executable version of Electrum rather than just the source files, it was signed by Animazing. Here's a link to his PGP key: http://bitcoin-otc.com/viewgpg.php?nick=Animazing

If you import Animazing's key, and then try to verify the signature of the executable, it should check out fine. I just tried it myself, and it verified as it should.
newbie
Activity: 41
Merit: 0
I'm using Ubuntu, here what I have done:

wget https://download.electrum.org/electrum-2.1.1.exe.asc
wget https://download.electrum.org/electrum-2.1.1.exe

Following a post from reddit
I did

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6
gpg: requesting key 7F9470E6 from hkp server pool.sks-keyservers.net
gpg: key 7F9470E6: "Thomas Voegtlin (https://electrum.org) <[email protected]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

gpg --fingerprint
-----------------------------------
pub   4096R/7F9470E6 2011-06-15
      Key fingerprint = 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
uid                  Thomas Voegtlin (https://electrum.org) <[email protected]>
uid                  ThomasV <[email protected]>
uid                  Thomas Voegtlin <[email protected]>
sub   4096R/2021CD84 2011-06-15

gpg --verify electrum-2.1.1.exe.asc electrum-2.1.1.exe
gpg: Signature made Fri 24 Apr 2015 03:52:59 PM MDT using RSA key ID 695506FD
gpg: Can't check signature: public key not found


So what should I do next ? Thank
Jump to: