-snip-
Sure, but reading OP's posts, he is brand new to using GPG and is importing a single key belonging to ThomasV to verify a single piece of software. He is highly unlikely to be importing other keys at this stage, and even less likely to be using them to build a web of trust since he doesn't know whose keys to trust or even how to sign that he trusts them. Yes, it is a good idea to sign keys once you understand why you should do so (which is explained in the link I gave), but I think forcing him to sign a key when he doesn't understand why is counterproductive to assisting him to safely install Electrum, which is what his ultimate goal here is.
Topic: Problem verifying download's signature (Read 233 times)
I say this is not a big deal because the problem is with one specific application (Kleopatra) for one OS (Windows) and not a problem with gpg --verify command itself.
I concur... Like I said to begin with:
It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying! 
It's more of an annoyance than an outright "issue".
EDIT: and even less of a problem now that I saw this post!... I really need to dig through application/utility settings more often! Big thanks to nc50lc for that tip!
However it is another roadblock to users being able to easily verify the downloads. Especially given that most of the "guides" for verifying Electrum on Windows use Kleopatra (and make no mention of ensuring that the .asc and the .exe are named appropriately
-snip-
Sure, but reading OP's posts, he is brand new to using GPG and is importing a single key belonging to ThomasV to verify a single piece of software. He is highly unlikely to be importing other keys at this stage, and even less likely to be using them to build a web of trust since he doesn't know whose keys to trust or even how to sign that he trusts them. Yes, it is a good idea to sign keys once you understand why you should do so (which is explained in the link I gave), but I think forcing him to sign a key when he doesn't understand why is counterproductive to assisting him to safely install Electrum, which is what his ultimate goal here is. Update:-snip-
This is a valid confirmation.As it states, you have a "Good signature from Thomas Voegtlin." I can confirm that the key you have for him - 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 - matches the key I have for him. You can also verify this here: https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc. The reason it tells you "WARNING: This key is not certified with a trusted signature!" is simply because you have not signed ThomasV's key with your own key to tell GPG that you trust it. This is not necessary, but if you wish to do this, then the commands you are looking for are gpg --edit-key and trust. You can read how to do so here: https://www.gnupg.org/gph/en/manual/x334.html.
There are no instructions on Electrum's website notifying people that .asc files' names need to be changed to match the binary file name,
To be fair this is a very new issue (which is a pretty small issue if you ask me) that was introduced simply because they started using multiple signers for the binaries instead of only one so the signature files have to indicate that with a different name.I say this is not a big deal because the problem is with one specific application (Kleopatra) for one OS (Windows) and not a problem with gpg --verify command itself.
I used to have those same issues with kleopatra for detached signature verifies. I find it easier to simply cut and paste the signature file and name it sig on my Desktop. This way I don't have to fart around with name changes at all. It is simple by design. When you download the actual Electrum file it will be named correctly on your Desktop. Then run a fast and simple terminal command:
cd Desktop && gpg --verify sig "filename"
Just replace "filename" with the Electrum version you just downloaded. This is so much easier than always worrying about getting the signature file name EXACTLY correct.
Even if you have only used kleopatra and never command lines; you DO have gpg and kleopatra handles your keys within gpg as a GUI front end . This makes things simple for you sending and receiving emails, etc... Both Linux and Windows can run terminal lines and in this one instance its easier than always manipulating file names ---- just my .02
cd Desktop && gpg --verify sig "filename"
Just replace "filename" with the Electrum version you just downloaded. This is so much easier than always worrying about getting the signature file name EXACTLY correct.
Even if you have only used kleopatra and never command lines; you DO have gpg and kleopatra handles your keys within gpg as a GUI front end . This makes things simple for you sending and receiving emails, etc... Both Linux and Windows can run terminal lines and in this one instance its easier than always manipulating file names ---- just my .02
There is a very common misconception about how to verify the authenticity of their files; where people seems to assume that so long as the hash of their file is the same as the ones that they see on the website, then it is safe.
Exactly. I've argued about this before when people were suggesting that Electrum should release file hashes alongside their binaries and PGP signatures. It is always a bad idea to release hashes whether it is alongside signature or just hashes that are signed (like what core does) because it doesn't account for laziness of users and their lack of understanding. I'm sure there are many core users who have the illusion of security while skipping the signature verification.No argument from me. The concern you and ranochigo bring up is quite valid. My only fear that some people will forgo the validation all together if they keep having issues getting the PGP signature to validate. There are no instructions on Electrum's website notifying people that .asc files' names need to be changed to match the binary file name, and most people probably won't take the time to research why they're having trouble. I would venture to guess that most people who are using the GUI PGP apps like Kleopatra are not as familiar with PGP as many of us here.
Apparently I need to re-write my guide on validation to mention that the signature file names need to be changed to match the binary file's name.
There is a very common misconception about how to verify the authenticity of their files; where people seems to assume that so long as the hash of their file is the same as the ones that they see on the website, then it is safe.
Exactly. I've argued about this before when people were suggesting that Electrum should release file hashes alongside their binaries and PGP signatures. It is always a bad idea to release hashes whether it is alongside signature or just hashes that are signed (like what core does) because it doesn't account for laziness of users and their lack of understanding. I'm sure there are many core users who have the illusion of security while skipping the signature verification. 
This actually makes a good argument for the method used by the Bitcoin Core development group. The Bitcoin dev team uses PGP to sign a text file full of the SHA256 hashes for the various binary releases. One needs to verify the PGP signed text file, then confirm the SHA256 hash of the desired file matches the binary. It does add a verification step, but at least we wouldn't need to change any file names if we use one of the GUI PGP apps.
As I posted above, their are ways to verify the signatures without changing the names of the files, but I understand that might be intimidating for folks who aren't comfortable with the command line interface.
I rather have people asking questions about how to verify. There is a very common misconception about how to verify the authenticity of their files; where people seems to assume that so long as the hash of their file is the same as the ones that they see on the website, then it is safe. PGP is often a very novel concept for them and most of them wouldn't follow the best practices to validate their downloads. I rather have users going through the longwinded way of doing things than to risk having them having an illusion of their security.As I posted above, their are ways to verify the signatures without changing the names of the files, but I understand that might be intimidating for folks who aren't comfortable with the command line interface.
There is also a problem with the WOT of PGP, and that it concerns the security of the user as well. That is a whole other issue together.
Probably not related to the error you have been experiencing... but I've had issues verifying the downloads on Windows using Kleopatra, because the devs have modified the file name structure of the signature files (to include the text 'ThomasV' or 'sombernight_releasekey' or 'Emzy' to indicate which key it was signed with)...
Which means that the .asc files are now named differently to the .exe file, so the auto-verify doesn't work any more
It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying!
Which means that the .asc files are now named differently to the .exe file, so the auto-verify doesn't work any more
It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying!
Yes, I have noticed the same problem on my last verifications, when upgrading to the latest versions.
It does not seem quite right that you have to rename the file, as it stays the same file in content, obviously.
I get the green light when I verify, so I am happy, but these are the things that should make you suspicious of possible malware...
This actually makes a good argument for the method used by the Bitcoin Core development group. The Bitcoin dev team uses PGP to sign a text file full of the SHA256 hashes for the various binary releases. One needs to verify the PGP signed text file, then confirm the SHA256 hash of the desired file matches the binary. It does add a verification step, but at least we wouldn't need to change any file names if we use one of the GUI PGP apps.
As I posted above, their are ways to verify the signatures without changing the names of the files, but I understand that might be intimidating for folks who aren't comfortable with the command line interface.
Probably not related to the error you have been experiencing... but I've had issues verifying the downloads on Windows using Kleopatra, because the devs have modified the file name structure of the signature files (to include the text 'ThomasV' or 'sombernight_releasekey' or 'Emzy' to indicate which key it was signed with)...
Which means that the .asc files are now named differently to the .exe file, so the auto-verify doesn't work any more
It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying!
Which means that the .asc files are now named differently to the .exe file, so the auto-verify doesn't work any more
It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying!
Yes, I have noticed the same problem on my last verifications, when upgrading to the latest versions.
It does not seem quite right that you have to rename the file, as it stays the same file in content, obviously.
I get the green light when I verify, so I am happy, but these are the things that should make you suspicious of possible malware...
Probably not related to the error you have been experiencing... but I've had issues verifying the downloads on Windows using Kleopatra, because the devs have modified the file name structure of the signature files (to include the text 'ThomasV' or 'sombernight_releasekey' or 'Emzy' to indicate which key it was signed with)...
Which means that the .asc files are now named differently to the .exe file, so the auto-verify doesn't work any more
It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying!
Which means that the .asc files are now named differently to the .exe file, so the auto-verify doesn't work any more
It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying!
I've stopped using Kleopatra. It's kind of buggy and quite limited given all the control one has using the CLI. It's definitely a good tool for beginners, maybe some day they'll include a dialogue box that allows you to chose the signature file and the binary separately.
These days I've just been using Windows Terminal or PowerShell and using the command line. There's no issue with files of different names; I can open a notepad window and copy/past the commands to check all the dev's signatures. Here's an example I posted a couple of months ago:
Code:
gpg --verify C:\path\to\signature_file.asc C:\some\other\path\to\executable_file_with_a_different_name.exe
Probably not related to the error you have been experiencing... but I've had issues verifying the downloads on Windows using Kleopatra, because the devs have modified the file name structure of the signature files (to include the text 'ThomasV' or 'sombernight_releasekey' or 'Emzy' to indicate which key it was signed with)...
Which means that the .asc files are now named differently to the .exe file, so the auto-verify doesn't work any more
It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying!
Which means that the .asc files are now named differently to the .exe file, so the auto-verify doesn't work any more
It's not a HUGE problem... as you can simply rename the .asc file, but it's just annoying!
Update:-snip-
This is a valid confirmation.As it states, you have a "Good signature from Thomas Voegtlin." I can confirm that the key you have for him - 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 - matches the key I have for him. The reason it tells you "WARNING: This key is not certified with a trusted signature!" is simply because you have not signed ThomasV's key with your own key to tell GPG that you trust it.
Excellent. Thank you!
According to your original post above, you'll need first need to download and import ThomasV's pgp key. The links posted above will get you the key, save it someplace easily accessible, and name it ThomasV.asc
To import it use --import /path/to/file/ThomasV.asc. Once it's imported you can sign it using --sign 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6. Editing the key the way o_e_l_e_o suggested is a more powerful way to do it, and gives you options for trust level. Using the --sign command automatically sets the trust level to 4 (fully trusted.)
Update:-snip-
This is a valid confirmation.As it states, you have a "Good signature from Thomas Voegtlin." I can confirm that the key you have for him - 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 - matches the key I have for him. You can also verify this here: https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc. The reason it tells you "WARNING: This key is not certified with a trusted signature!" is simply because you have not signed ThomasV's key with your own key to tell GPG that you trust it. This is not necessary, but if you wish to do this, then the commands you are looking for are gpg --edit-key and trust. You can read how to do so here: https://www.gnupg.org/gph/en/manual/x334.html.
Update:
Quote
gpg --verify Downloads/electrum-4.1.5.dmg.ThomasV.asc Downloads/electrum-4.1.5.dmg
gpg: Signature made Mon Jul 19 11:22:27 2021 PDT
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>" [unknown]
gpg: aka "ThomasV <[email protected]>" [unknown]
gpg: aka "Thomas Voegtlin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
The .asc (PGP signature) file for that command was the one downloaded from the Electrum site -- the one that I cannot import into GPG. But if I try to use the one @NeuroticFish kindly provided, which I can import, I get:gpg: Signature made Mon Jul 19 11:22:27 2021 PDT
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>" [unknown]
gpg: aka "ThomasV <[email protected]>" [unknown]
gpg: aka "Thomas Voegtlin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Quote
gpg --verify Downloads/ThomasV.asc Downloads/electrum-4.1.5.dmg
gpg: verify signatures failed: Unexpected error
gpg: verify signatures failed: Unexpected error
ThomasV key is here: https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
That's what I've imported (years ago) into my Kleopatra for Windows. I don't know though how you can import into your tool.
I was able to import this one, thanks! (And I was able to independently verify that it's ThomasV's key).That's what I've imported (years ago) into my Kleopatra for Windows. I don't know though how you can import into your tool.
Then, however...
Quote
Edit: one more tutorial is here: https://bitcointalksearch.org/topic/guide-how-to-safely-download-and-verify-electrum-guide-5240594
In that procedure, at this step...Quote
Download the Electrum image file and the associated signature file. Open a Finder window, navigate to the location where you saved the Electrum .dmg file and the .asc signature file, and double click the signature file.
...all that happened was that it imported the key (again, with no apparent harm). What did not happen was what the procedure said would happen:Quote
Mac GPG will launch the verification tool, and compare the .dmg file to the signature file. Once the verification tool has completed its diagnostic it'll pop up a [results window].
Update:
Quote
gpg --verify Downloads/electrum-4.1.5.dmg.ThomasV.asc Downloads/electrum-4.1.5.dmg
gpg: Signature made Mon Jul 19 11:22:27 2021 PDT
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>" [unknown]
gpg: aka "ThomasV <[email protected]>" [unknown]
gpg: aka "Thomas Voegtlin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
The .asc (PGP signature) file for that command was the one downloaded from the Electrum site -- the one that I cannot import into GPG. But if I try to use the one @NeuroticFish kindly provided, which I can import, I get:gpg: Signature made Mon Jul 19 11:22:27 2021 PDT
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>" [unknown]
gpg: aka "ThomasV <[email protected]>" [unknown]
gpg: aka "Thomas Voegtlin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Quote
gpg --verify Downloads/ThomasV.asc Downloads/electrum-4.1.5.dmg
gpg: verify signatures failed: Unexpected error
gpg: verify signatures failed: Unexpected error
[moderator's note: consecutive posts merged]
ThomasV key is here: https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
That's what I've imported (years ago) into my Kleopatra for Windows. I don't know though how you can import into your tool.
Edit: one more tutorial is here: https://bitcointalksearch.org/topic/guide-how-to-safely-download-and-verify-electrum-guide-5240594
That's what I've imported (years ago) into my Kleopatra for Windows. I don't know though how you can import into your tool.
Edit: one more tutorial is here: https://bitcointalksearch.org/topic/guide-how-to-safely-download-and-verify-electrum-guide-5240594
I'm not a mac guy, but afaik this tutorial is pretty well written: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/
You may check if you didn't forget anything (like importing ThomasV key).
Thanks, but the first thing I did was try to follow that procedure, which is linked to on the Electrum download page. At this step...You may check if you didn't forget anything (like importing ThomasV key).
Quote
The Electrum site reports his key ID as 0x2bd5824b7f9470e6. Use this value to look up Voegtlin’s public key. Click the GPG Keychain “Lookup Key” button and enter the developer key ID. The[n] click Search.
...I get the result "No keys found."
I'm not a mac guy, but afaik this tutorial is pretty well written: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/
You may check if you didn't forget anything (like importing ThomasV key).
You may check if you didn't forget anything (like importing ThomasV key).
Jump to: