
Topic: Problem verifying download's signature (Read 239 times)

copper member
Activity: 1652
Merit: 1901
August 29, 2021, 11:05:50 PM
#20
-snip-
Sure, but reading OP's posts, he is brand new to using GPG and is importing a single key belonging to ThomasV to verify a single piece of software. He is highly unlikely to be importing other keys at this stage, and even less likely to be using them to build a web of trust since he doesn't know whose keys to trust or even how to sign that he trusts them. Yes, it is a good idea to sign keys once you understand why you should do so (which is explained in the link I gave), but I think forcing him to sign a key when he doesn't understand why is counterproductive to assisting him to safely install Electrum, which is what his ultimate goal here is.
Even if someone is new to using GPG, I would recommend relying on a Web of Trust and/or signed keys. I might compare relying on an unsigned key to be similar to relying on a generic signed bitcoin message that could potentially involve you not being the intended audience of the signor (the signed message is being reused).
HCP
legendary
Activity: 2086
Merit: 4361
August 29, 2021, 04:27:24 PM
#19
I say this is not a big deal because the problem is with one specific application (Kleopatra) for one OS (Windows) and not a problem with gpg --verify command itself.

I concur... Like I said to begin with:
It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying!

It's more of an annoyance than an outright "issue".

EDIT: and even less of a problem now that I saw this post!... I really need to dig through application/utility settings more often! Big thanks to nc50lc for that tip!



However it is another roadblock to users being able to easily verify the downloads. Especially given that most of the "guides" for verifying Electrum on Windows use Kleopatra (and make no mention of ensuring that the .asc and the .exe are named appropriately).
legendary
Activity: 2268
Merit: 18711
August 29, 2021, 12:43:30 PM
#18
-snip-
Sure, but reading OP's posts, he is brand new to using GPG and is importing a single key belonging to ThomasV to verify a single piece of software. He is highly unlikely to be importing other keys at this stage, and even less likely to be using them to build a web of trust since he doesn't know whose keys to trust or even how to sign that he trusts them. Yes, it is a good idea to sign keys once you understand why you should do so (which is explained in the link I gave), but I think forcing him to sign a key when he doesn't understand why is counterproductive to assisting him to safely install Electrum, which is what his ultimate goal here is.
copper member
Activity: 1652
Merit: 1901
August 29, 2021, 08:10:07 AM
#17
Update:-snip-
This is a valid confirmation.

As it states, you have a "Good signature from Thomas Voegtlin." I can confirm that the key you have for him - 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 - matches the key I have for him. You can also verify this here: https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc. The reason it tells you "WARNING: This key is not certified with a trusted signature!" is simply because you have not signed ThomasV's key with your own key to tell GPG that you trust it. This is not necessary, but if you wish to do this, then the commands you are looking for are gpg --edit-key and trust. You can read how to do so here: https://www.gnupg.org/gph/en/manual/x334.html.
Technically it is not necessary to sign ThomasV's key, but it is a good practice to do so once you are confident you can trust the key. Some people have many keys on their keychain, and it is not outside of the realm of possibilities for someone to have an imposter key on their keychain. Signing keys you know you can trust means there is not the risk that someone later compromises your verification method(s), and if a key does not match what you have signed, it will set off a red flag.
legendary
Activity: 3472
Merit: 10611
August 27, 2021, 10:22:53 PM
#16
There are no instructions on Electrum's website notifying people that .asc files' names need to be changed to match the binary file name,
To be fair this is a very new issue (which is a pretty small issue if you ask me) that was introduced simply because they started using multiple signers for the binaries instead of only one so the signature files have to indicate that with a different name.

I say this is not a big deal because the problem is with one specific application (Kleopatra) for one OS (Windows) and not a problem with gpg --verify command itself.
hero member
Activity: 761
Merit: 606
August 27, 2021, 01:12:20 PM
#15
I used to have those same issues with kleopatra for detached signature verifies.  I find it easier to simply cut and paste the signature file and name it sig on my Desktop.  This way I don't have to fart around with name changes at all.  It is simple by design.  When you download the actual Electrum file it will be named correctly on your Desktop.  Then run a fast and simple terminal command:

cd Desktop && gpg --verify sig "filename"

Just replace "filename" with the Electrum version you just downloaded.  This is so much easier than always worrying about getting the signature file name EXACTLY correct.

Even if you have only used kleopatra and never command lines; you DO have gpg and kleopatra handles your keys within gpg as a GUI front end.  This makes things simple for you sending and receiving emails, etc...  Both Linux and Windows can run terminal lines and in this one instance it's easier than always manipulating file names ---- just my .02
copper member
Activity: 2338
Merit: 4543
August 27, 2021, 09:37:46 AM
#14
There is a very common misconception about how to verify the authenticity of their files; where people seem to assume that so long as the hash of their file is the same as the ones that they see on the website, then it is safe.
Exactly. I've argued about this before when people were suggesting that Electrum should release file hashes alongside their binaries and PGP signatures. It is always a bad idea to release hashes whether it is alongside signature or just hashes that are signed (like what core does) because it doesn't account for laziness of users and their lack of understanding. I'm sure there are many core users who have the illusion of security while skipping the signature verification.

No argument from me.  The concern you and ranochigo bring up is quite valid.  My only fear is that some people will forgo the validation all together if they keep having issues getting the PGP signature to validate.  There are no instructions on Electrum's website notifying people that .asc files' names need to be changed to match the binary file name, and most people probably won't take the time to research why they're having trouble.  I would venture to guess that most people who are using the GUI PGP apps like Kleopatra are not as familiar with PGP as many of us here.

Apparently I need to re-write my guide on validation to mention that the signature file names need to be changed to match the binary file's name.
legendary
Activity: 3472
Merit: 10611
August 26, 2021, 10:38:01 PM
#13
There is a very common misconception about how to verify the authenticity of their files; where people seem to assume that so long as the hash of their file is the same as the ones that they see on the website, then it is safe.
Exactly. I've argued about this before when people were suggesting that Electrum should release file hashes alongside their binaries and PGP signatures. It is always a bad idea to release hashes whether it is alongside signature or just hashes that are signed (like what core does) because it doesn't account for laziness of users and their lack of understanding. I'm sure there are many core users who have the illusion of security while skipping the signature verification.
legendary
Activity: 3038
Merit: 4418
August 26, 2021, 12:13:47 PM
#12
This actually makes a good argument for the method used by the Bitcoin Core development group.  The Bitcoin dev team uses PGP to sign a text file full of the SHA256 hashes for the various binary releases.  One needs to verify the PGP signed text file, then confirm the SHA256 hash of the desired file matches the binary.  It does add a verification step, but at least we wouldn't need to change any file names if we use one of the GUI PGP apps.

As I posted above, there are ways to verify the signatures without changing the names of the files, but I understand that might be intimidating for folks who aren't comfortable with the command line interface.
I'd rather have people asking questions about how to verify. There is a very common misconception about how to verify the authenticity of their files; where people seem to assume that so long as the hash of their file is the same as the ones that they see on the website, then it is safe. PGP is often a very novel concept for them and most of them wouldn't follow the best practices to validate their downloads. I'd rather have users going through the longwinded way of doing things than to risk having them having an illusion of their security.

There is also a problem with the WOT of PGP, and that it concerns the security of the user as well. That is a whole other issue altogether.
copper member
Activity: 2338
Merit: 4543
August 26, 2021, 11:50:42 AM
#11
Probably not related to the error you have been experiencing... but I've had issues verifying the downloads on Windows using Kleopatra, because the devs have modified the file name structure of the signature files (to include the text 'ThomasV' or 'sombernight_releasekey' or 'Emzy' to indicate which key it was signed with)...

Which means that the .asc files are now named differently to the .exe file, so the auto-verify doesn't work any more.

It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying!

Yes, I have noticed the same problem on my last verifications, when upgrading to the latest versions.

It does not seem quite right that you have to rename the file, as it stays the same file in content, obviously.

I get the green light when I verify, so I am happy, but these are the things that should make you suspicious of possible malware...

This actually makes a good argument for the method used by the Bitcoin Core development group.  The Bitcoin dev team uses PGP to sign a text file full of the SHA256 hashes for the various binary releases.  One needs to verify the PGP signed text file, then confirm the SHA256 hash of the desired file matches the binary.  It does add a verification step, but at least we wouldn't need to change any file names if we use one of the GUI PGP apps.

As I posted above, there are ways to verify the signatures without changing the names of the files, but I understand that might be intimidating for folks who aren't comfortable with the command line interface.
member
Activity: 60
Merit: 13
August 21, 2021, 04:27:31 AM
#10
Probably not related to the error you have been experiencing... but I've had issues verifying the downloads on Windows using Kleopatra, because the devs have modified the file name structure of the signature files (to include the text 'ThomasV' or 'sombernight_releasekey' or 'Emzy' to indicate which key it was signed with)...

Which means that the .asc files are now named differently to the .exe file, so the auto-verify doesn't work any more.

It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying!

Yes, I have noticed the same problem on my last verifications, when upgrading to the latest versions.

It does not seem quite right that you have to rename the file, as it stays the same file in content, obviously.

I get the green light when I verify, so I am happy, but these are the things that should make you suspicious of possible malware...
copper member
Activity: 2338
Merit: 4543
August 20, 2021, 10:22:21 AM
#9
Probably not related to the error you have been experiencing... but I've had issues verifying the downloads on Windows using Kleopatra, because the devs have modified the file name structure of the signature files (to include the text 'ThomasV' or 'sombernight_releasekey' or 'Emzy' to indicate which key it was signed with)...

Which means that the .asc files are now named differently to the .exe file, so the auto-verify doesn't work any more.

It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying!

I've stopped using Kleopatra.  It's kind of buggy and quite limited given all the control one has using the CLI.  It's definitely a good tool for beginners, maybe some day they'll include a dialogue box that allows you to choose the signature file and the binary separately.

These days I've just been using Windows Terminal or PowerShell and using the command line.  There's no issue with files of different names; I can open a notepad window and copy/paste the commands to check all the devs' signatures.  Here's an example I posted a couple of months ago:

Code:
gpg --verify C:\path\to\signature_file.asc C:\some\other\path\to\executable_file_with_a_different_name.exe

HCP
legendary
Activity: 2086
Merit: 4361
August 19, 2021, 09:30:24 PM
#8
Probably not related to the error you have been experiencing... but I've had issues verifying the downloads on Windows using Kleopatra, because the devs have modified the file name structure of the signature files (to include the text 'ThomasV' or 'sombernight_releasekey' or 'Emzy' to indicate which key it was signed with)...

Which means that the .asc files are now named differently to the .exe file, so the auto-verify doesn't work any more.

It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying!
copper member
Activity: 2338
Merit: 4543
August 18, 2021, 07:52:04 PM
#7
Update:-snip-
This is a valid confirmation.

As it states, you have a "Good signature from Thomas Voegtlin." I can confirm that the key you have for him - 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 - matches the key I have for him. The reason it tells you "WARNING: This key is not certified with a trusted signature!" is simply because you have not signed ThomasV's key with your own key to tell GPG that you trust it.

Excellent. Thank you!

According to your original post above, you'll first need to download and import ThomasV's pgp key.  The links posted above will get you the key, save it someplace easily accessible, and name it ThomasV.asc

To import it use --import /path/to/file/ThomasV.asc.  Once it's imported you can sign it using --sign 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6.  Editing the key the way o_e_l_e_o suggested is a more powerful way to do it, and gives you options for trust level.  Using the --sign command automatically sets the trust level to 4 (fully trusted.)
legendary
Activity: 2268
Merit: 18711
August 18, 2021, 03:58:13 PM
#6
Update:-snip-
This is a valid confirmation.

As it states, you have a "Good signature from Thomas Voegtlin." I can confirm that the key you have for him - 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 - matches the key I have for him. You can also verify this here: https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc. The reason it tells you "WARNING: This key is not certified with a trusted signature!" is simply because you have not signed ThomasV's key with your own key to tell GPG that you trust it. This is not necessary, but if you wish to do this, then the commands you are looking for are gpg --edit-key and trust. You can read how to do so here: https://www.gnupg.org/gph/en/manual/x334.html.
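As an added example (not code from this thread, Electrum, or GnuPG), the script below shows how to act on the gpg result above in a script: the "not certified with a trusted signature" warning explained in post #6 and the impostor-key concern raised in post #17 are both handled by pinning the expected fingerprint and comparing it with the VALIDSIG line of gpg's machine-readable --status-fd output, rather than relying on keyring trust; the second function applies the same gate to the Bitcoin Core style signed SHA256SUMS method described in post #11. The status lines, file contents and sums list are constructed samples modelled on the thread's output, and the VALIDSIG/BADSIG/TRUST_UNDEFINED keywords are gpg's own status protocol.

```python
import hashlib

PINNED_FPR = "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"  # ThomasV's key, as quoted in the thread
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def check_signature_status(status_text, pinned_fpr=PINNED_FPR):
    """Parse `gpg --status-fd 1 --verify sig.asc file` output; return (accepted, reason).
    TRUST_UNDEFINED (the thread's WARNING) is ignored on purpose: trust comes from the
    pinned fingerprint, not the keyring, so an impostor key with a "Good signature"
    is still rejected."""
    primary_fpr = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FAILURE_KEYWORDS:
            return False, fields[1]
        if fields[1] == "VALIDSIG":
            # fields[2] is the signing (sub)key; the optional 10th argument is the
            # primary key fingerprint, which is what release signers publish.
            primary_fpr = (fields[11] if len(fields) >= 12 else fields[2]).upper()
    if primary_fpr is None:
        return False, "no VALIDSIG line"
    if primary_fpr != pinned_fpr.replace(" ", "").upper():
        return False, "fingerprint mismatch: " + primary_fpr
    return True, "VALIDSIG from pinned fingerprint"


def verify_via_signed_sums(sums_status, sums_text, file_name, file_bytes, pinned_fpr=PINNED_FPR):
    """Bitcoin Core style: gpg signs a SHA256SUMS file and the binary must match the
    listed hash.  The hash check is gated on the signature over the sums file, because
    a matching hash on its own proves nothing about who published it."""
    accepted, reason = check_signature_status(sums_status, pinned_fpr)
    if not accepted:
        return False, "sums file signature rejected: " + reason
    listed = {}
    for line in sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            listed[parts[1].strip().lstrip("*")] = parts[0].lower()
    if file_name not in listed:
        return False, "file not listed in signed sums"
    if hashlib.sha256(file_bytes).hexdigest() != listed[file_name]:
        return False, "sha256 mismatch"
    return True, "sha256 matches signed sums"


# Constructed status output modelled on the thread's "Good signature ... [unknown]" result.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (sample uid)
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2021-07-19 1626718947 0 4 0 1 10 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_IMPOSTOR = SAMPLE_GOOD.replace(PINNED_FPR, "0" * 40)  # constructed: another key calling itself ThomasV
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 2BD5824B7F9470E6 Thomas Voegtlin (sample uid)\n"  # tampered file
SAMPLE_FILE = b"constructed stand-in for a release binary\n"
SAMPLE_SUMS = hashlib.sha256(SAMPLE_FILE).hexdigest() + "  electrum-sample.dmg\n"
```

In a real run the status text comes from the stdout of `gpg --batch --status-fd 1 --verify sig.asc file`; note that gpg exits 0 for the untrusted-but-valid case as well as for a valid signature from an impostor key, which is why the fingerprint comparison, not the exit code, is the decision.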
member
Activity: 266
Merit: 36
August 18, 2021, 03:26:36 PM
#5
ThomasV key is here: https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
That's what I've imported (years ago) into my Kleopatra for Windows. I don't know though how you can import into your tool.
I was able to import this one, thanks! (And I was able to independently verify that it's ThomasV's key).

Then, however...
Quote
In that procedure, at this step...
Quote
Download the Electrum image file and the associated signature file.  Open a Finder window, navigate to the location where you saved the Electrum .dmg file and the .asc signature file, and double click the signature file.
...all that happened was that it imported the key (again, with no apparent harm).  What did not happen was what the procedure said would happen:
Quote
Mac GPG will launch the verification tool, and compare the .dmg file to the signature file.  Once the verification tool has completed its diagnostic it'll pop up a [results window].



Update:
Quote
gpg --verify Downloads/electrum-4.1.5.dmg.ThomasV.asc Downloads/electrum-4.1.5.dmg
gpg: Signature made Mon Jul 19 11:22:27 2021 PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>" [unknown]
gpg:                 aka "ThomasV <[email protected]>" [unknown]
gpg:                 aka "Thomas Voegtlin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
The .asc (PGP signature) file for that command was the one downloaded from the Electrum site -- the one that I cannot import into GPG. But if I try to use the one @NeuroticFish kindly provided, which I can import, I get:
Quote
gpg --verify Downloads/ThomasV.asc Downloads/electrum-4.1.5.dmg
gpg: verify signatures failed: Unexpected error

[moderator's note: consecutive posts merged]
legendary
Activity: 3668
Merit: 6382
August 18, 2021, 03:05:39 PM
#4
ThomasV key is here: https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
That's what I've imported (years ago) into my Kleopatra for Windows. I don't know though how you can import into your tool.


Edit: one more tutorial is here: https://bitcointalksearch.org/topic/guide-how-to-safely-download-and-verify-electrum-guide-5240594
member
Activity: 266
Merit: 36
August 18, 2021, 03:00:50 PM
#3
I'm not a mac guy, but afaik this tutorial is pretty well written: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/
You may check if you didn't forget anything (like importing ThomasV key).
Thanks, but the first thing I did was try to follow that procedure, which is linked to on the Electrum download page. At this step...
Quote
The Electrum site reports his key ID as 0x2bd5824b7f9470e6. Use this value to look up Voegtlin’s public key. Click the GPG Keychain “Lookup Key” button and enter the developer key ID. The[n] click Search.
...I get the result "No keys found."
legendary
Activity: 3668
Merit: 6382
August 18, 2021, 02:53:39 PM
#2
I'm not a mac guy, but afaik this tutorial is pretty well written: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/
You may check if you didn't forget anything (like importing ThomasV key).
member
Activity: 266
Merit: 36
August 18, 2021, 02:42:32 PM
#1
MacOS 11.5.1
I have PGPTools installed, but I thought showing CLI results would be useful here. In case it's not obvious, I'm not sophisticated w/r PGP.

Code:
~ % gpg --verify Downloads/electrum-4.1.5.dmg.ThomasV.asc Downloads/electrum-4.1.5.dmg
gpg: Signature made Mon Jul 19 11:22:27 2021 PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: key 2BD5824B7F9470E6: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg: Can't check signature: No public key

~ % gpg --import Downloads/electrum-4.1.5.dmg.ThomasV.asc
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

% cat Downloads/electrum-4.1.5.dmg.ThomasV.asc
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEZpTY3nvo7lYxvtlQK9WCS3+UcOYFAmD1wuMACgkQK9WCS3+U
[... omitted for brevity ...]
7CDdNAheFpE+xz2F3JSeXrWBHnnYP3k/bVMJwSmSgrvxVRzPpfM=
=K00C
-----END PGP SIGNATURE-----