Author

Topic: Verifying signature result with Electrum 3.0.5 (Read 219 times)

HCP
legendary
Activity: 2086
Merit: 4363
January 10, 2018, 11:39:32 PM
#3
I did verifying signature's process with GPG Kleopatra. electrum 3.0.5 verified but GPG said the data could not be verified. Is there any security problem with Electrum 3.0.5?
Please a technical person check it & share results with us.
As I responded to your post in the other thread... this is FINE... it just means that you have not "vouched" or "certified" that ThomasV's key is legit, you can import keys in GPG, but not TRUST them... until you explicitiy trust the key you will see something like:



NOTE: THIS IS A GOOD SIGNATURE! The signature checks out, and the file is signed with the signature... YOU just haven't trusted it yet.


If you "trust" ThomasV... then you can sign the key, saying that you vouch for Thomas and he is legit and all things signed with his key are legit... then you will see something like this:




The important thing is that you DON'T see a red warning like this:


If you see "Invalid Signature" then that is BAD!
newbie
Activity: 6
Merit: 0
Don't run windows, but here is linux

$ gpg --keyserver pgp.mit.edu --search-keys 0x2BD5824B7F9470E6
gpg: searching for "0x2BD5824B7F9470E6" from hkp server pgp.mit.edu
(1)   ThomasV <[email protected]>
   Thomas Voegtlin <[email protected]>
   Thomas Voegtlin (https://electrum.org) <[email protected]>
     4096 bit RSA key 7F9470E6, created: 2011-06-15
Keys 1-1 of 1 for "0x2BD5824B7F9470E6".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 7F9470E6 from hkp server pgp.mit.edu
gpg: key 7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

$ gpg --verify electrum-3.0.5.exe.asc electrum-3.0.5.exegpg: Signature made Mon 08 Jan 2018 00:14:38 GMT using RSA key ID 7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>"
gpg:                 aka "ThomasV <[email protected]>"
gpg:                 aka "Thomas Voegtlin <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
sr. member
Activity: 1120
Merit: 255
I did verifying signature's process with GPG Kleopatra. electrum 3.0.5 verified but GPG said the data could not be verified. Is there any security problem with Electrum 3.0.5?
Please a technical person check it & share results with us.
Jump to: