Topic: How do you check fingerprint? (Read 157 times)

legendary
Activity: 2268
Merit: 18711
November 10, 2020, 11:09:40 AM
#7
So what you have done in that video is correct. The Electrum file you download has been correctly signed with the key 6694 D8DE ... 70E6 belonging to Thomas Voegtlin. You have already checked the fingerprint using independent sources, as the key you have imported matches the key that has been provided in this thread and on various links in this thread from multiple independent sources. That copy of Electrum you have downloaded is safe to install and run.

The reason that it says "This key is not certified with a trusted signature!" is because you haven't signed that you trust that key. You can do this using gpg --edit-key and then the command trust. You can read more about this process here: https://www.gnupg.org/gph/en/manual/x334.html. The web of trust would simply be that, rather than you signing ThomasV's key directly, you would sign my key (for example) to say you trust me, and since I have signed ThomasV's key you would therefore indirectly trust ThomasV's key.
member
Activity: 240
Merit: 54
legendary
Activity: 2268
Merit: 18711
November 10, 2020, 06:38:20 AM
#5
> See, that's where the problem lies. You're talking to me from a frame of someone who knows about this stuff and thus unintentionally assume I know what 1) pubkey 2) PGP 3) all the other stuff means. 😔
PGP stands for Pretty Good Privacy. It is a system for encrypting and authenticating data.

With PGP, individual users can create key pairs - a private key and a public key. The combination of a private key and some data allows a user to create a signature unique to that data. The combination of that data, the signature, and the original user's public key, allows other users to verify that the signature was created by the owner of the private key.

When the latest version of Electrum is released, the lead developer ThomasV can use his private key to sign it and produce a signature. You, as the end user, then download Electrum and the signature file, and by using his public key can confirm that it was indeed him who signed it.

It is important, therefore, to ensure you are using his real public key, so you know it was definitely him (and not some malicious third party) who produced the wallet software and signature file.

A fingerprint is simply a short string of characters which is unique to a much longer public key, just like a real-life fingerprint is a small object which is unique to a much larger object (a person).

Here is another link to ThomasV's PGP key: http://keys.gnupg.net/pks/lookup?op=vindex&fingerprint=on&search=0x2BD5824B7F9470E6

You'll see the same fingerprint at the top of the page as both pooya87 and HCP have quoted. If you click on the hyperlink above the fingerprint, it will take you to the full PGP public key.
HCP
legendary
Activity: 2086
Merit: 4361
November 10, 2020, 01:43:16 AM
#4
You can also have a read of the guide here: https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

It includes a link to proof of the key fingerprint (as shown in a YouTube video of a slideshow presentation by ThomasV).

So, unless we're all part of a giant conspiracy to defraud the world, you can be fairly assured that ThomasV's PGP public key fingerprint is:
Code:
6694D8DE7BE8EE5631BED9502BD5824B7F9470E6


> >This< is what I've done so far. What are the steps of what I should do next?
If you did all that, and got the "green message" in Kleopatra or the "Good Signature" message from GPG when verifying the Electrum download, and you can see the fingerprint shown is either:
Code: (full fingerprint)
6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
or
Code: (short fingerprint)
2BD5824B7F9470E6

Then you're good to go... and can be assured that the digital signature on the Electrum binary/installer that you downloaded is "OK" :)
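The two checks HCP describes above (a "Good signature" result, and the fingerprint shown being either the full 40-hex fingerprint or the 16-hex short form) and the "not certified with a trusted signature" warning explained in #7 can all be read off gpg's machine-readable status output instead of the human-readable text. The following is an added example, not code from the thread or from Electrum/GnuPG. It assumes the download was verified on Linux with `gpg --status-fd 1 --verify <file>.asc <file>` and the status lines were saved; the status lines embedded below are constructed for the demo (the dates, timestamps and user ID string are placeholders), only the fingerprint is the one quoted in the thread.

```python
"""Decide whether a `gpg --verify` run proves an Electrum download was signed by
the expected key, using the [GNUPG:] status lines that gpg emits with
--status-fd. Added example, not Electrum's or GnuPG's own code.

Assumed invocation (Linux):
    gpg --status-fd 1 --verify electrum-<version>.tar.gz.asc electrum-<version>.tar.gz
The SAMPLE_STATUS / WRONG_KEY_STATUS lines below are CONSTRUCTED for the demo;
only the fingerprint value is the one quoted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Full fingerprint of ThomasV's key as posted in this thread (HCP, #4).
THOMASV_FPR = "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

# Status keywords that mean the signature did not verify at all.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def normalize_fpr(s: str) -> str:
    """Canonicalise a fingerprint copied from a web page: drop spaces / NBSPs,
    a leading 0x, and case, so strings from different sources compare equal."""
    s = s.strip().replace(" ", "").replace("\u00a0", "")
    if s.lower().startswith("0x"):
        s = s[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]+", s):
        raise ValueError(f"not a hex fingerprint: {s!r}")
    return s.upper()


def fpr_matches(shown: str, reference: str) -> bool:
    """True if `shown` is the full 40-hex fingerprint, or the 16-hex key ID
    (which is the last 16 hex digits of the fingerprint). A bare key ID is
    weaker evidence than the full fingerprint; prefer comparing all 40 digits."""
    shown, reference = normalize_fpr(shown), normalize_fpr(reference)
    if len(shown) == 40:
        return shown == reference
    if len(shown) == 16:
        return reference.endswith(shown)
    return False  # 8-hex "short key IDs" are too easy to collide; reject


@dataclass
class VerifyResult:
    ok: bool
    reasons: List[str] = field(default_factory=list)
    signer_fpr: Optional[str] = None
    trust: Optional[str] = None


def verify_status(status_lines, reference_fpr: str = THOMASV_FPR) -> VerifyResult:
    """Accept only GOODSIG + VALIDSIG whose primary-key fingerprint equals the
    reference. TRUST_UNDEFINED (the 'not certified with a trusted signature'
    warning) is recorded but does not fail the check: it only means ownertrust
    was never set with `gpg --edit-key <fpr>` + `trust`, which is irrelevant
    once the fingerprint has been confirmed from independent sources."""
    res = VerifyResult(ok=False)
    goodsig = False
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        kw = fields[1]
        if kw == "GOODSIG":
            goodsig = True
        elif kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hashalgo> <class> <primary-fpr>
            # Field 11 is the primary-key fingerprint when gpg emits it (signing
            # subkeys have their own fpr in field 2); fall back to field 2 otherwise.
            res.signer_fpr = fields[11] if len(fields) >= 12 else fields[2]
        elif kw in FATAL:
            res.reasons.append(f"gpg reported {kw}")
        elif kw.startswith("TRUST_"):
            res.trust = kw
    if res.reasons:
        return res
    if not (goodsig and res.signer_fpr):
        res.reasons.append("no GOODSIG/VALIDSIG pair: signature not verified")
        return res
    if not fpr_matches(res.signer_fpr, reference_fpr):
        res.reasons.append(f"signed by {normalize_fpr(res.signer_fpr)}, "
                           f"expected {normalize_fpr(reference_fpr)}")
        return res
    if res.trust == "TRUST_UNDEFINED":
        res.reasons.append("ownertrust not set (warning only; fingerprint checked out of band)")
    res.ok = True
    return res


# Constructed status output for a correctly signed download (not captured).
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin",
    "[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2020-11-01 1604188800 0 4 0 1 10 00 "
    "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

# Constructed: a valid signature, but from some other (obviously fake) key.
WRONG_KEY_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0000000000000000 Not ThomasV",
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2020-11-01 1604188800 0 4 0 1 10 00 "
    "0000000000000000000000000000000000000000",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

if __name__ == "__main__":
    for name, lines in (("good", SAMPLE_STATUS), ("wrong key", WRONG_KEY_STATUS)):
        r = verify_status(lines)
        print(name, "->", "OK" if r.ok else "REJECT", r.reasons)
```

The point of comparing against the primary-key fingerprint from VALIDSIG rather than the "Good signature" line is that "Good signature" only says the file matches *some* key in your keyring; it is the fingerprint equality that ties it to the key you confirmed from independent sources.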
member
Activity: 240
Merit: 54
November 10, 2020, 01:00:24 AM
#3
> You can just read the first two paragraphs of the Wikipedia page on Web of Trust (https://en.wikipedia.org/wiki/Web_of_trust) to learn what it means. Essentially it comes down to you NOT just opening the wallet website and getting the public key from there (Electrum or any other software), which would be the same place you downloaded the binaries from.
> You can already check that the pubkey hash is posted in multiple places and is 0x6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 (e.g. on the Electrum docs). You can also check the Electrum GitHub repository to get the same public key (https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc).
> Also, if you have a friend whom you trust and have their PGP pubkey, you can ask them to sign Electrum's pubkey with their key and send you the signature so that you can verify that you have the correct Electrum PGP pubkey.

See, that's where the problem lays. You're talking to me from a frame of someone who knows about this stuff and thus unintentionally assume I know what 1) pubkey 2) PGP 3) all the other stuff means. 😔
legendary
Activity: 3472
Merit: 10611
November 10, 2020, 12:43:39 AM
#2
You can just read the first two paragraphs of the Wikipedia page on Web of Trust (https://en.wikipedia.org/wiki/Web_of_trust) to learn what it means. Essentially it comes down to you NOT just opening the wallet website and getting the public key from there (Electrum or any other software), which would be the same place you downloaded the binaries from.
You can already check that the pubkey hash is posted in multiple places and is 0x6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 (e.g. on the Electrum docs). You can also check the Electrum GitHub repository to get the same public key (https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc).
Also, if you have a friend whom you trust and have their PGP pubkey, you can ask them to sign Electrum's pubkey with their key and send you the signature so that you can verify that you have the correct Electrum PGP pubkey.
member
Activity: 240
Merit: 54
November 10, 2020, 12:25:41 AM
#1
First of all, let me just say what an absolutely lousy so-called tutorial Electrum has on verifying signatures. It's already difficult enough for the average person to understand and own bitcoin, and these guys don't make it any better with their one-paragraph, horribly written "guide".

It says "When you import a key, you should check its fingerprint using independent sources, such has here or use the Web of Trust." the "here" links you to a 2 hour long seminar on YouTube and the "web of trust" is a Wikipedia link. Like really??? Can you be any lazier???

I had to search for over an hour on Google until I found a proper guide, which was here. But now that last sentence in their 3-sentence-guide threw a wrench into the works.

*How* do you check the fingerprint using independent sources?
I'm using Linux.

>This< is what I've done so far. What are the steps of what I should do next?
Thanks all!