
Topic: How verify Electrum signature (Read 379 times)

newbie
Activity: 11
Merit: 0
April 12, 2019, 12:32:17 PM
#7
Thank you.
legendary
Activity: 2758
Merit: 6830
April 12, 2019, 12:23:47 PM
#6
First time verifying and I think I followed the instructions correctly, double checking that this output is OK.

There is no "Bad/Invalid" and it says "good signature" and the fingerprint matches so I am guessing the difference is trivial, but I get an audit log without 2 of Thomas V's aliases:


Quote
gpg: Signature made 02/13/19 16:08:30 Central Standard Time
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
~this line/alias is missing/different~
gpg: Good signature from "ThomasV <[email protected]>" [unknown]
~this line/alias is missing~
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
The primary key fingerprint matches and the signature returned “good”, so that’s what matters. You are fine.
newbie
Activity: 11
Merit: 0
April 12, 2019, 12:19:55 PM
#5
click the "Show Audit Log" link shown in your screenshot... it'll show the commandline output... you should see:
Quote
gpg: Signature made 02/14/19 11:08:30 New Zealand Daylight Time
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>" [unknown]
gpg:                 aka "ThomasV <[email protected]>" [unknown]
gpg:                 aka "Thomas Voegtlin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

First time verifying and I think I followed the instructions correctly, double checking that this output is OK.

There is no "Bad/Invalid" and it says "good signature" and the fingerprint matches so I am guessing the difference is trivial, but I get an audit log without 2 of Thomas V's aliases:


Quote
gpg: Signature made 02/13/19 16:08:30 Central Standard Time
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
~this line/alias is missing/different~
gpg: Good signature from "ThomasV <[email protected]>" [unknown]
~this line/alias is missing~
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
legendary
Activity: 1848
Merit: 2033
April 12, 2019, 01:45:47 AM
#4
Alternatively, simply click the "Show Audit Log" link shown in your screenshot... it'll show the commandline output... you should see:
Quote
gpg: Signature made 02/14/19 11:08:30 New Zealand Daylight Time
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>" [unknown]
gpg:                 aka "ThomasV <[email protected]>" [unknown]
gpg:                 aka "Thomas Voegtlin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
You can safely ignore the "warning: this key is not certified with a trusted signature", as TryNinja explained, it just means that you haven't personally trusted ThomasV's signature ;)

Again, as long as you see the bold line that says: "gpg: Good signature", then everything is OK.
This is not completely accurate. Two conditions must be met:
1. Absence of “Bad Signature” or “Invalid Signature”
AND
2. The key must match the 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 (or 2BD5 824B 7F94 70E6).

Fake signature example:
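
Added example, not written by any poster in this thread and not code from Electrum or GnuPG: a Python check that applies the two conditions listed above (no BAD signature, and the primary key fingerprint equals the pinned value) to audit-log text in the format quoted in the thread. The function name `check_audit_log` and the sample logs are assumptions; the third log is constructed with a made-up fingerprint to show a "Good signature" from a key that merely carries the same name.

```python
import re

# Full primary-key fingerprint quoted in the thread for ThomasV's key.
PINNED_FPR = "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"
FPR_LINE = re.compile(r"^Primary key fingerprint:\s*([0-9A-Fa-f ]+)$")

def check_audit_log(log, pinned=PINNED_FPR):
    """Return 'ok', 'bad-signature', 'wrong-key' or 'no-signature'."""
    good = bad = False
    fpr = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("gpg: BAD signature"):
            bad = True
        elif line.startswith("gpg: Good signature"):
            good = True
        else:
            m = FPR_LINE.match(line)
            if m:
                fpr = m.group(1).replace(" ", "").upper()
    if bad:
        return "bad-signature"
    if not good:
        return "no-signature"
    # "aka" user-ID lines are ignored on purpose: names are free text that
    # anyone can put on a key; only the fingerprint identifies it.
    return "ok" if fpr == pinned else "wrong-key"

# Sample logs. The first two are adapted from the thread (e-mail addresses
# omitted); the third is constructed, with a made-up fingerprint.
LOG_ONE_ALIAS = """\
gpg: Signature made 02/13/19 16:08:30 Central Standard Time
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "ThomasV" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
"""
LOG_BAD = """\
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: BAD signature from "Thomas Voegtlin (https://electrum.org)" [unknown]
"""
LOG_SAME_NAME_OTHER_KEY = """\
gpg: Good signature from "Thomas Voegtlin (https://electrum.org)" [unknown]
Primary key fingerprint: 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
"""

if __name__ == "__main__":
    for name in ("LOG_ONE_ALIAS", "LOG_BAD", "LOG_SAME_NAME_OTHER_KEY"):
        print(name, "->", check_audit_log(globals()[name]))
```

For scripted verification, gpg's `--status-fd` output is the stable machine interface; the human-readable text parsed here varies with locale and version.
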
HCP
legendary
Activity: 2086
Merit: 4363
April 11, 2019, 12:11:53 AM
#3
Alternatively, simply click the "Show Audit Log" link shown in your screenshot... it'll show the commandline output... you should see:
Quote
gpg: Signature made 02/14/19 11:08:30 New Zealand Daylight Time
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
You can safely ignore the "warning: this key is not certified with a trusted signature", as TryNinja explained, it just means that you haven't personally trusted ThomasV's signature ;)

Again, as long as you see the bold line that says: "gpg: Good signature", then everything is OK.




For the record, if the signature was "invalid", Kleopatra would warn you with a big red highlight like this:


"Invalid Signature"... and "Bad Signature"... and in the "show audit log" (or on the commandline), you'd see:
Quote
gpg: Signature made 02/14/19 11:08:30 New Zealand Daylight Time
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: BAD signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
legendary
Activity: 2758
Merit: 6830
April 10, 2019, 05:51:55 PM
#2
This just means that you haven't manually trusted ThomasV's key. The signatures are matching.

Right-click on ThomasV's name and select "Certificate". Follow the quick steps and his "User-ID" will change from "not certified" to "certified".
Then, do the verification again and it will show a green message.
sr. member
Activity: 1120
Merit: 255
April 10, 2019, 05:34:44 PM
#1
Hello

I downloaded "Kleopatra".
Then I copied the "public key" from https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc.
Then I pasted all of it into "Kleopatra" using the "certificate import" button:
I got this:



Then I downloaded "electrum-3.3.4-setup.exe" & "electrum-3.3.4-setup.exe.asc" from https://electrum.org/#download
Then I put both of them in the same folder.
Then I clicked on the "decrypt/verify" button and chose "electrum-3.3.4-setup.exe.asc".
Finally I got this:
The data could not be verified



Is everything OK or did I do something wrong?
Does the signature match the files?

I also followed the above instructions with "Electron cash" and got the same thing.

