Topic: How verify Electrum signature (Read 368 times)
Thank you.
First time verifying and I think i followed the instructions correctly, double checking that this output is OK.
There is no "Bad/Invalid" and it says "good signature" and the fingerprint matches so I am guessing the difference is trivial, but i get an audit log without 2 of Thomas V's aliases:
The primary key fingerprint matches and the signature returned “good”, so that’s what matters. You are fine. There is no "Bad/Invalid" and it says "good signature" and the fingerprint matches so I am guessing the difference is trivial, but i get an audit log without 2 of Thomas V's aliases:
Quote
gpg: Signature made 02/13/19 16:08:30 Central Standard Time
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
~this line/alias is missing/different~
gpg: Good signature from "ThomasV <[email protected]>" [unknown]
~this line/alias is missing~
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
~this line/alias is missing/different~
gpg: Good signature from "ThomasV <[email protected]>" [unknown]
~this line/alias is missing~
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
click the "Show Audit Log" link shown in your screenshot... it'll show the commandline output... you should see:
Quote
gpg: Signature made 02/14/19 11:08:30 New Zealand Daylight Time
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>" [unknown]
gpg: aka "ThomasV <[email protected]>" [unknown]
gpg: aka "Thomas Voegtlin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>" [unknown]
gpg: aka "ThomasV <[email protected]>" [unknown]
gpg: aka "Thomas Voegtlin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
First time verifying and I think i followed the instructions correctly, double checking that this output is OK.
There is no "Bad/Invalid" and it says "good signature" and the fingerprint matches so I am guessing the difference is trivial, but i get an audit log without 2 of Thomas V's aliases:
Quote
gpg: Signature made 02/13/19 16:08:30 Central Standard Time
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
~this line/alias is missing/different~
gpg: Good signature from "ThomasV <[email protected]>" [unknown]
~this line/alias is missing~
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
~this line/alias is missing/different~
gpg: Good signature from "ThomasV <[email protected]>" [unknown]
~this line/alias is missing~
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
Alternatively, simply click the "Show Audit Log" link shown in your screenshot... it'll show the commandline output... you should see:
Again, as long as you see the bold line that says: "gpg: Good signature", then everything is OK.
This is not completely accurate. Two conditions must be met:Quote
gpg: Signature made 02/14/19 11:08:30 New Zealand Daylight Time
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>" [unknown]
gpg: aka "ThomasV <[email protected]>" [unknown]
gpg: aka "Thomas Voegtlin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
You can safely ignore the "warning: this key is not certified with a trusted signature", as TryNinja explained, it just means that you haven't personally trusted ThomasV's signature gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>" [unknown]
gpg: aka "ThomasV <[email protected]>" [unknown]
gpg: aka "Thomas Voegtlin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
Again, as long as you see the bold line that says: "gpg: Good signature", then everything is OK.
1. Absence of “Bad Signature” or “Invalid Signature”
AND
2. The key must match the 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 (or 2BD5 824B 7F94 70E6).
Fake signature example:
Alternatively, simply click the "Show Audit Log" link shown in your screenshot... it'll show the commandline output... you should see:
Again, as long as you see the bold line that says: "gpg: Good signature", then everything is OK.
For the record, if the signature was "invalid", Kleopatra would warn you with a big red highlight like this:
"Invalid Signature"... and "Bad Signature"... and in the "show audit log" (or on the commandline), you'd see:
Quote
gpg: Signature made 02/14/19 11:08:30 New Zealand Daylight Time
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org)" [unknown]
gpg: aka "ThomasV" [unknown]
gpg: aka "Thomas Voegtlin" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
You can safely ignore the "warning: this key is not certified with a trusted signature", as TryNinja explained, it just means that you haven't personally trusted ThomasV's signature gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org)
gpg: aka "ThomasV
gpg: aka "Thomas Voegtlin
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
Again, as long as you see the bold line that says: "gpg: Good signature", then everything is OK.
For the record, if the signature was "invalid", Kleopatra would warn you with a big red highlight like this:
"Invalid Signature"... and "Bad Signature"... and in the "show audit log" (or on the commandline), you'd see:
Quote
gpg: Signature made 02/14/19 11:08:30 New Zealand Daylight Time
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: BAD signature from "Thomas Voegtlin (https://electrum.org)" [unknown]
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: BAD signature from "Thomas Voegtlin (https://electrum.org)
This just means that you haven't manually trusted ThomasV's key. The signatures are matching.
Right-click on ThomasV's name and select "Certificate"; Follow the quick steps and his "User-ID" will change from "not certified" to "certified";
Then, do the verification again and it will show a green message.
Right-click on ThomasV's name and select "Certificate"; Follow the quick steps and his "User-ID" will change from "not certified" to "certified";
Then, do the verification again and it will show a green message.
Hello
I downloaded "Kleopatra".
Then i copy "public key" from https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc.
Then i pasted all of them into "Kleopatra" by "certificate import" button:
I got this:
Then i downloaded "electrum-3.3.4-setup.exe" & "electrum-3.3.4-setup.exe.asc" from https://electrum.org/#download
Then i put both of them in the same folder
Then i click on "decrypt/verify" button and choose "electrum-3.3.4-setup.exe.asc".
Finally i got this:
The data could not be verified
Is everything OK or i did something wrong?
Is the signature matches with the files?
I did also the above instruction with "Electron cash" and got the same thing.
I downloaded "Kleopatra".
Then i copy "public key" from https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc.
Then i pasted all of them into "Kleopatra" by "certificate import" button:
I got this:
Then i downloaded "electrum-3.3.4-setup.exe" & "electrum-3.3.4-setup.exe.asc" from https://electrum.org/#download
Then i put both of them in the same folder
Then i click on "decrypt/verify" button and choose "electrum-3.3.4-setup.exe.asc".
Finally i got this:
The data could not be verified
Is everything OK or i did something wrong?
Is the signature matches with the files?
I did also the above instruction with "Electron cash" and got the same thing.
Jump to: