Bitcoin Forum

Bitcoin => Electrum => Topic started by: techrun on May 31, 2015, 05:16:27 PM



Title: Help With Checking the Signature of Electrum Download
Post by: techrun on May 31, 2015, 05:16:27 PM
Hi Guys

I have downloaded the Windows Installer for the Electrum Wallet from:  

https://electrum.org/#download

and now I want to check the GPG signature, as given in the .asc file for download.  

I am told on the page that the Windows Installer is signed by someone with the nickname Animazing.  If I click on the Animazing link, I get to this page:  

https://bitcoin-otc.com/viewgpg.php?nick=Animazing

Then, if I click on Animazing again, I get to this page:  

https://bitcoin-otc.com/viewratingdetail.php?nick=Animazing&sign=ANY&type=RECV

which gives me this message:

"This user is currently NOT AUTHENTICATED. This user has not authenticated for more than 866 days. If you are currently talking to someone who claims to be this person, you may be talking to an impostor and scammer."

Some questions:

1) Is the "NOT AUTHENTICATED" message above something I should be concerned about?  I am trying to check a signature after all.  

2) If it's not, I still can't see the public key for Animazing.  How am I supposed to work out where to find it?  Someone else has given me a url of where to find it, but how would I work out this for myself, just from the bitcoin-otc.com links given???

Thanks









Title: Re: Help With Checking the Signature of Electrum Download
Post by: Muhammed Zakir on May 31, 2015, 05:26:14 PM
1) Is the "NOT AUTHENTICATED" message above something I should be concerned about?  I am trying to check a signature after all. 

No.

2) If it's not, I still can't see the public key for Animazing.  How am I supposed to work out where to find it?  Someone else has given me a url of where to find it, but how would I work out this for myself, just from the bitcoin-otc.com links given???

Thanks

Click '9914864DFC33499C6CA2BEEA22453004695506FD' under 'fingerprint' in https://bitcoin-otc.com/viewgpg.php?nick=Animazing.


Title: Re: Help With Checking the Signature of Electrum Download
Post by: techrun on May 31, 2015, 05:34:22 PM
Thanks.  Can you explain why there is no reason to be concerned?  It's telling me Animazing has not authenticated for 866 days.  Why is that not a problem?



Title: Re: Help With Checking the Signature of Electrum Download
Post by: Muhammed Zakir on May 31, 2015, 05:36:13 PM
Thanks.  Can you explain why there is no reason to be concerned?  It's telling me Animazing has not authenticated for 866 days.  Why is that not a problem?

He may not have logged into that account. The PGP fingerprint is still the same. So there is no reason to be concerned.


Title: Re: Help With Checking the Signature of Electrum Download
Post by: techrun on May 31, 2015, 05:40:57 PM
OK, thank you for that.


Title: Re: Help With Checking the Signature of Electrum Download
Post by: techrun on July 07, 2015, 09:15:03 PM
On this page:

https://bitcoin-otc.com/viewgpg.php?nick=Animazing

What is meant by a "fingerprint", as given in one of the column headings? 

Thanks


Title: Re: Help With Checking the Signature of Electrum Download
Post by: Muhammed Zakir on July 08, 2015, 05:10:24 PM
On this page:

https://bitcoin-otc.com/viewgpg.php?nick=Animazing

What is meant by a "fingerprint", as given in one of the column headings? 

Thanks

The fingerprint you see is the fingerprint of Animazing's public key, which is used to verify that the PGP key you have is Animazing's.

For example, if Alice wishes to authenticate a public key as belonging to Bob, she can contact Bob over the phone or in person and ask him to read his fingerprint to her, or give her a scrap of paper with the fingerprint written down. Alice can then check that this trusted fingerprint matches the fingerprint of the public key. Exchanging and comparing values like this is much easier if the values are short fingerprints instead of long public keys.

{...}

In addition, fingerprints can be queried with search engines in order to ensure that the public key that a user just downloaded can be seen by third-party search engines. If the search engine returns hits referencing the fingerprint linked to the proper site(s), one can feel more confident that the key is not being injected by an attacker, such as a Man-in-the-middle (MITM) attack.


https://en.wikipedia.org/wiki/Public_key_fingerprint

https://www.nieveler.org/PGP/pgp.htm
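
Added example, not part of the original thread and not Electrum's own tooling: a shell check that a detached signature is valid and was made by the key whose fingerprint is quoted above, rather than by any key that happens to be in the keyring. It assumes the signer's key has already been imported. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Fingerprint quoted in the thread (bitcoin-otc.com entry for Animazing).
EXPECTED_FPR='9914864DFC33499C6CA2BEEA22453004695506FD'

# Strip spaces and colons and uppercase the hex, so a fingerprint read
# aloud or copied as "9914 864D ..." compares equal to the compact form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names the expected key (signing key = field 3, primary key = field 12)
# and no BADSIG or REVKEYSIG line was reported.
signer_matches() {
    want=$(normalize_fpr "$1")
    [ "${#want}" -eq 40 ] || return 2   # refuse short key IDs, pin the full fingerprint
    awk -v want="$want" '
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "REVKEYSIG") { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { ok = 1 }
        END { exit !(ok && !bad) }'
}

# Real use: verify_download <signature.asc> <downloaded-file>
# gpg writes machine-readable status to fd 1; human-readable text goes to stderr.
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | signer_matches "$EXPECTED_FPR"
}

# Constructed status output for a good signature by the expected key
# (hand-written sample, not captured from a real gpg run).
sample_good() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 22453004695506FD Animazing (constructed sample)' \
        '[GNUPG:] VALIDSIG 9914864DFC33499C6CA2BEEA22453004695506FD 2015-05-01 1430438400 0 4 0 1 8 00 9914864DFC33499C6CA2BEEA22453004695506FD'
}

# Constructed status output: cryptographically valid, but made by a different key.
sample_other_key() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else (constructed sample)' \
        '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-05-01 1430438400 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
}
```

The second sample is the case a plain "Good signature" message does not catch: the signature verifies, but the signer is not the pinned fingerprint, so the check fails.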