Bitcoin Forum>Bitcoin>Development & Technical Discussion>Wallet software>Electrum
Author

Topic: Is this trusted sign for Electrum or SCAM? (Read 91 times)

nc50lc
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
Is this trusted sign for Electrum or SCAM?
October 16, 2021, 09:56:53 PM
#3
Quote from: bananahunter67 on October 16, 2021, 05:00:22 AM
It is not pointed out in the documentation as the ThomasV's signature is. I can see it being present on old pages in electrum.org, but when I try to access them, even using the Google Cached option, it is gone.
-snip-
It's still available in the latest version of the website, under "About" section: https://electrum.org/#about

But it's better if you can confirm it somewhere else (like the reply above) other than the same site where the signature and binaries are downloaded from.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18771
Re: Is this trusted sign for Electrum or SCAM?
October 16, 2021, 05:14:11 AM
#2
Quote from: bananahunter67 on October 16, 2021, 05:00:22 AM
But I am concerned as I can not find anywhere on trusted websited the Sombersnight fingerprint: 0EED CFD5 CAFB 4590 6734 9B23 CA9E EEC4 3DF9 11DC
You can confirm this key is correct via SomberNight's GitHub page here: https://gist.github.com/SomberNight/384e77d556da8417ef1b87c8f4209043
You should also be able to find it on your keyserver of choice, such as here: https://pgp.mit.edu/pks/lookup?op=vindex&search=0xCA9EEEC43DF911DC

You can also find all their keys linked to from here: https://github.com/spesmilo/electrum/tree/master/pubkeys

Also verify your download using ThomasV's signature as well to be doubly safe.
bananahunter67
sr. member
Activity: 392
Merit: 265
Re: Is this trusted sign for Electrum or SCAM?
October 16, 2021, 05:00:22 AM
#1
I downloaded the Electrum Wallet on Linux. First, I verified successfully the main key:

Code:
gpg --verify Electrum-4.1.5.tar.gz.ThomasV.asc Electrum-4.1.5.tar.gz
When I tried to verify the release key, though:

Code:
gpg --verify Electrum-4.1.5.tar.gz.sombernight_releasekey.asc Electrum-4.1.5.tar.gz
I got an error:

Code:
gpg: Signature made Mon 19 Jul 2021 10:19:51 PM EEST
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Can't check signature: No public key
So I downloaded the key from the Ubuntu Server (although I am using MX Linux, but I am not sure which other server to use and Ubuntu sounded trusted to me):

Code:
gpg --keyserver keyserver.ubuntu.com  --receive-keys 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
After this, when I tried again to verify the signature, I got:

Code:
gpg: Signature made Mon 19 Jul 2021 10:19:51 PM EEST
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Good signature from "SomberNight/ghost43 (Electrum RELEASE signing key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0EED CFD5 CAFB 4590 6734  9B23 CA9E EEC4 3DF9 11DC

Is this signature recognized as safe?
I can see that SomberNight is indeed one of the Electrum dev's.
But I am concerned as I can not find anywhere on trusted websited the Sombersnight fingerprint: 0EED CFD5 CAFB 4590 6734 9B23 CA9E EEC4 3DF9 11DC

It is not pointed out in the documentation as the ThomasV's signature is. I can see it being present on old pages in electrum.org, but when I try to access them, even using the Google Cached option, it is gone.

And the other sites I found it cited are hacking sites (like winning from the lottery), a site trying to redirect me to a porn site, etc.. and this makes me very suspicious.
Bitcoin Forum>Bitcoin>Development & Technical Discussion>Wallet software>Electrum
Jump to: