Verifying the PGP Signature to electrum? - page 2.

hugeblack

legendary

Activity: 2492

Merit: 3612

Buy/Sell crypto at BestChange

Quote from: Thomas29 on December 03, 2023, 02:06:32 AM

To honest in a blunt way. It's only overwhelming it's confusing AF. It seems like the instructions are not in order I guess?

What operating system are you using?
For Windows, this explanation is brief ---> https://www.youtube.com/watch?v=TzOHLL_dKCM
For Linux there is one code you can use which is explained ---> https://bitcoinelectrum.com/how-to-verify-your-electrum-download/
Follow the instructions and take a screenshot if nothing works (make sure to hide sensitive information)

Thomas29

member

Activity: 100

Merit: 33

Quote from: nc50lc on December 03, 2023, 01:30:35 AM

Quote from: Thomas29 on December 03, 2023, 12:57:41 AM

I downloaded the signature file next to the electrum download which I'm not sure about that if those are the right files in right order. I made a keypair but it mentions a private key?

The guide is pointing to your GPG/PGP private key, it's basically the "secret" part of the keypair that you've created which consists of a private and public key.
It has no relation to Bitcoin's private key.
Since you now have a keypair, you can now proceed to import Electrum developers' public keys.

If the provided tutorials are overwhelming, try this simple one: bitcoinelectrum.com/how-to-verify-your-electrum-download/

To honest in a blunt way. It's only overwhelming it's confusing AF. It seems like the instructions are not in order I guess?

nc50lc

legendary

Activity: 2394

Merit: 5531

Self-proclaimed Genius

Quote from: Thomas29 on December 03, 2023, 12:57:41 AM

I downloaded the signature file next to the electrum download which I'm not sure about that if those are the right files in right order. I made a keypair but it mentions a private key?

The guide is pointing to your GPG/PGP private key, it's basically the "secret" part of the keypair that you've created which consists of a private and public key.
It has no relation to Bitcoin's private key.
Since you now have a keypair, you can now proceed to import Electrum developers' public keys.

If the provided tutorials are overwhelming, try this simple one: bitcoinelectrum.com/how-to-verify-your-electrum-download/

Thomas29

member

Activity: 100

Merit: 33

I'm new to cryptocurrency in general but...

I downloaded the signature file next to the electrum download which I'm not sure about that if those are the right files in right order. I made a keypair but it mentions a private key? Do I download the electrum file before or after verifying the PGP signature or do I only download the file next to it that says "signature" on the oiffical website?

"If you already have a private key that can be used to certify other people's keys, you can import it at this time."

I've needed to learn PGP encryption for anything in my life until now so any help is greatly appreciated more than one can realize lol.

Stalker22

legendary

Activity: 1484

Merit: 1355

Quote from: Thomas29 on December 01, 2023, 04:45:57 PM

~
It'd simply be the pain in the ass of removing the software that's corrupted on the computer it was used on if I'm not mistaken?

Yeah, removing corrupted programs is a pain, but it is nothing compared to the nightmare of losing all your coins for good. If that messed up software wiped out your wallet, leaving you with zero balance - now that would really suck! Thats like the worst case scenario when it comes to crypto fails. Utter agony. So while removing crappy corrupted stuff is annoying, be grateful it is not as bad as it could be.

khaled0111

legendary

Activity: 2506

Merit: 2832

Top Crypto Casino

Quote from: Husires on December 02, 2023, 08:02:56 AM

electrum PGP Signature verification ensures that you have not downloaded electrum from an unknown source, which is often a scam, which means that once you install the application, connect the hardware wallet and click on the message signature button, they may be able to access all of your coins, modify the balance before signing, and show false data.
as we can know how this scam app works, but it will inevitably lead to you losing all or part of your balance, so try to verify the signature to ensure that you have downloaded the correct electrum.

You are correct. PGP signature ensure the authenticity of a file or a message. If I send you a signed message, you can verify it to be sure it was me who sent it.
However, even if you download a fake app and connect your hw device to it, It won't be able to access your coins. It can change some data like the recipient address and the sent amount but it still need your confirmation to sign the transaction. All the information will be displayed on your hw device screen before you click on the confirmation button to sign the transaction and approve it.

Husires

legendary

Activity: 1582

Merit: 1284

Quote from: Thomas29 on December 01, 2023, 04:45:57 PM

Okay it says I need to make my own PGP public key but doesn't explain how exactly so maybe I did that wrong idk? Out of curiosity of I use a hardware wallet like ledger nano s via electrum desktop app that is has not had PGP verification and worse case scenario no one can technically access my bitcoin that's on my hardware wallet. It'd simply be the pain in the ass of removing the software that's corrupted on the computer it was used on if I'm not mistaken?

electrum PGP Signature verification ensures that you have not downloaded electrum from an unknown source, which is often a scam, which means that once you install the application, connect the hardware wallet and click on the message signature button, they may be able to access all of your coins, modify the balance before signing, and show false data.
as we can know how this scam app works, but it will inevitably lead to you losing all or part of your balance, so try to verify the signature to ensure that you have downloaded the correct electrum.

nc50lc

legendary

Activity: 2394

Merit: 5531

Self-proclaimed Genius

Quote from: Thomas29 on December 01, 2023, 04:45:57 PM

Out of curiosity of I use a hardware wallet like ledger nano s via electrum desktop app that is has not had PGP verification and worse case scenario no one can technically access my bitcoin that's on my hardware wallet.
It'd simply be the pain in the ass of removing the software that's corrupted on the computer it was used on if I'm not mistaken?

Yes, by design, your private keys are contained in your Ledger Nano S.
The created Electrum wallet with it only contains its "extended public key" which can only derive public keys to addresses.
Worst case, your privacy is at risk, not that using an SPV wallet like Eletrum is private in the first place.

However, an unverified fake Electrum app may trick you to send to a different address or anything that'll change the transaction's data before you sign it with your hardware wallet.
That's still dangerous if you do not pay attention during verification of the address and amount shown in your Ledger's screen.

So try to verify Electrum even if you find it hard to accomplish.
If you came across any errors, report it here so we can tell you what went wrong during the process.

Husna QA

legendary

Activity: 2254

Merit: 2852

#SWGT CERTIK Audited

Quote from: Thomas29 on December 01, 2023, 02:38:45 PM

I haven't verified a PGP signature in a long time so I guess I'm doing something wrong. But I was hoping I can get a fresh view on how I can go about it or is the official walkthrough the best and easiest way to go about and I should just re-read and attempt it over again to figure out what I did wrong?

What OS did you use to install Electrum?

Make sure you download it from the official site: https://electrum.org/#download; https://download.electrum.org
and also check whether the PGP signature matches the public key or fingerprint of one of the developers, for example, ThomasV:
https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

Below is an example of verifying a PGP signature from an Electrum wallet using Windows OS:

- Download Primary key fingerprint ThomasV.
- Go to the directory where the Electrum and signature files have been downloaded
- Verification

The following is an example of a screenshot:

Quote from: Husna QA on December 09, 2020, 07:26:06 PM

For MacOS, there are only slight differences; you can see the following example:

Quote from: Husna QA on April 02, 2021, 12:34:00 AM

khaled0111

legendary

Activity: 2506

Merit: 2832

Top Crypto Casino

Quote from: Thomas29 on December 01, 2023, 04:45:57 PM

Okay it says I need to make my own PGP public key but doesn't explain how exactly so maybe I did that wrong idk?

Which one of the above mentioned tutorials did you follow and what error message are you getting so we can help you? Creating your own key-pair isn't supposed to be that hard but it depends on the tool you are using.

Quote

Out of curiosity of I use a hardware wallet like ledger nano s via electrum desktop app that is has not had PGP verification and worse case scenario no one can technically access my bitcoin that's on my hardware wallet. It'd simply be the pain in the ass of removing the software that's corrupted on the computer it was used on if I'm not mistaken?

Technically, even if you download a fake copy of Electrum it won't be able to steal your coins from your hardware wallet without your permission. It doesn't have access to your wallet's private keys to sign transactions.

Thomas29

member

Activity: 100

Merit: 33

Okay it says I need to make my own PGP public key but doesn't explain how exactly so maybe I did that wrong idk? Out of curiosity of I use a hardware wallet like ledger nano s via electrum desktop app that is has not had PGP verification and worse case scenario no one can technically access my bitcoin that's on my hardware wallet. It'd simply be the pain in the ass of removing the software that's corrupted on the computer it was used on if I'm not mistaken?

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Go though this guide:

[GUIDE] How to Safely Download and Verify Electrum [Guide]

Or this:

Quote from: https://electrum.org/#download

In order to be able to verify GPG signatures, you need to import the public key of the signer. Electrum binaries are signed with ThomasV's public key. On Linux, you can import that key using the following command: gpg --import ThomasV.asc. Here are tutorials for Windows and macOS. When you import a key, you should check its fingerprint using independent sources, such as here, or use the Web of Trust.

Marvelman

full member

Activity: 994

Merit: 137

★Bitvest.io★ Play Plinko or Invest!

I'm not sure, but I don't think you can verify PGP signatures with Electrum. You'll need software like GnuPG or VeraCrypt to do this.

The process is relatively simple:

Quote

1. You download the public key (.asc file) of the software author.
2. Check the public key’s fingerprint to ensure that it’s the correct key.
3. Import the correct public key to your GPG public keyring.
4. Download the PGP signature file (.sig) of the software.
5. Use public key to verify PGP signature. If the signature is correct, then the software wasn’t tampered with.

https://www.linuxbabe.com/security/verify-pgp-signature-software-downloads-linux

Thomas29

member

Activity: 100

Merit: 33

I haven't verified a PGP signature in a long time so I guess I'm doing something wrong. But I was hoping I can get a fresh view on how I can go about it or is the official walkthrough the best and easiest way to go about and I should just re-read and attempt it over again to figure out what I did wrong?

Topic: Verifying the PGP Signature to electrum? - page 2. (Read 291 times)