Topic: Verify downloaded Electrum executable (Read 258 times)

newbie
Activity: 2
Merit: 0
November 25, 2017, 02:10:09 PM
#3
Wow, that was fast. Thank you for your help, xdrpx!
hero member
Activity: 616
Merit: 603
November 25, 2017, 01:12:37 PM
#2
Usually after importing the .gpg and verifying the signatures this would be your output:

Code:
[-pc electrum]$ gpg --verify Electrum-3.0.2.tar.gz.asc Electrum-3.0.2.tar.gz
gpg: Signature made Tuesday 14 November 2017 04:21:16 AM
gpg:                using RSA key 2BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6


This signifies that your signatures are verified and are good when compared. So you don't have to worry about that. There's a good answer here on how the OpenPGP trust model works: https://security.stackexchange.com/questions/41208/what-is-the-exact-meaning-of-this-gpg-output-regarding-trust/41209#41209. The warning there means you need to locally trust the keys. You can do that in the terminal by doing the following:

Code:
gpg --trusted-key 0x2bd5824b7f9470e6 --list-keys

or

Code:
gpg --edit-key 0x7F9470E6 trust

This would mark that public key as trusted on your system with the output:

Code:
gpg: key 2BD5824B7F9470E6 marked as ultimately trusted
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   rsa4096 2011-06-15 [SC]
      6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid           [ultimate] Thomas Voegtlin (https://electrum.org)
uid           [ultimate] ThomasV
uid           [ultimate] Thomas Voegtlin
sub   rsa4096 2011-06-15 [E]

After that, if you re-verify the files with the signature you'll see that the warning is now gone:

Code:
gpg: Signature made Tuesday 14 November 2017 04:21:16 AM
gpg:                using RSA key 2BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [ultimate]
gpg:                 aka "ThomasV " [ultimate]
gpg:                 aka "Thomas Voegtlin " [ultimate]
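
As an added example (not code from the thread or from the Electrum project), the check the reply describes in a form a script can apply: parse the machine-readable lines gpg prints with `--status-fd 1 --verify`, accept the file only when a VALIDSIG was made by the fingerprint quoted above, and report the TRUST_UNDEFINED status (the "not certified with a trusted signature" warning) without treating it as a failure. The sample status lines are constructed to match gpg's status-line format, not captured from a real run.

```python
"""Accept a gpg verification only when a VALIDSIG comes from a pinned key.

Input is the status output of
    gpg --status-fd 1 --verify Electrum-3.0.2.tar.gz.asc Electrum-3.0.2.tar.gz
The decisive check is the fingerprint obtained out of band; the local
trust level only changes the wording of the result.
"""

# Fingerprint quoted in the thread for the Electrum signing key.
EXPECTED_FPR = "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

# Constructed sample shaped like gpg's --status-fd output (not a real capture).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 0
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org)
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2017-11-14 1510633276 0 4 0 1 10 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Status keywords that mean the signature must not be accepted.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def evaluate(status_text, expected_fpr=EXPECTED_FPR):
    """Return (accepted, reason) for one gpg --status-fd transcript."""
    signing_keys = set()   # fingerprints (signing key and primary) behind each VALIDSIG
    failure = None
    trust = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue                                 # human-readable output, skip
        keyword = fields[1]
        if keyword == "VALIDSIG":
            signing_keys.add(fields[2].upper())      # key that made the signature
            if len(fields) > 11:
                signing_keys.add(fields[11].upper())  # its primary-key fingerprint
        elif keyword in FAILURE_KEYWORDS:
            failure = keyword
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if failure:
        return False, "gpg reported " + failure
    if not signing_keys:
        return False, "no VALIDSIG line: file is unsigned or signature unreadable"
    if expected_fpr.upper() not in signing_keys:
        return False, "valid signature, but by " + ", ".join(sorted(signing_keys))
    if trust == "TRUST_ULTIMATE":
        return True, "valid signature by the pinned key"
    return True, "valid signature by the pinned key (%s: key not locally trusted)" % trust
```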
newbie
Activity: 2
Merit: 0
November 25, 2017, 12:17:27 PM
#1
Hi everybody,

I checked some of the posts on verifying a downloaded Electrum executable, but none of them was applicable to my problem.

I have: Windows 7 SP1, downloaded the Windows standalone executable from https://electrum.org/#download

Using GPG4WIN I imported ThomasV's PGP public key (ThomasV is listed as the person who signed all files). The result of this import was:
Code:
gpg: key 2BD5824B7F9470E6: 74 trusts not checked due to missing keys (in German: 74 Beglaubigungen wegen fehlender Schlüssel nicht geprüft)
gpg: key 2BD5824B7F9470E6: "Thomas Voegtlin (https://electrum.org) and so on ..." not changed
gpg: Total number processed: 1
gpg: unchanged: 1

I continued with checking the Executable's PGP Signature (which was also provided on the above download page). The result was:
Code:
gpg: Signature from .... etc. etc. it all seemed ok. But at the end it was saying:
gpg: WARNING: This key doesn't have a trusted signature!
gpg:          There is no indication that the signature really belongs to the owner given above.
etc. etc.

So what does this all mean?
Is the downloaded executable legit or not?