Title: Electrum SHA256 hashes
Post by: kostepanych2 on July 14, 2018, 12:15:21 PM

Hi,
Where can I find Electrum SHA256 hashes to ensure that the downloaded wallet is original and not compromised? I see only a signature file on the official site, but the signature check procedure is very complex...

Title: Re: Electrum SHA256 hashes
Post by: TryNinja on July 14, 2018, 02:15:43 PM

They don't publish it. You will need to verify the PGP Signature, which is not that hard.

1. Import ThomasV's pubkey:
Code:
gpg --keyserver pool.sks-keyservers.net --recv-keys 0x2BD5824B7F9470E6
2. Verify if it's imported:
Code:
gpg --fingerprint 0x2BD5824B7F9470E6
3. Download the signature file on the website (https://electrum.org/#download).
4. Verify with:
Code:
gpg --verify signatureFile.asc ElectrumFile.tar.gz

Title: Re: Electrum SHA256 hashes
Post by: kostepanych2 on July 14, 2018, 02:30:37 PM

Quote
> They don't publish it. You will need to verify the PGP Signature, which is not that hard.
> 1. Import ThomasV's pubkey:
> Code:
> gpg --keyserver pool.sks-keyservers.net --recv-keys 0x2BD5824B7F9470E6
> 2. Verify if it's imported:
> Code:
> gpg --fingerprint 0x2BD5824B7F9470E6
> 3. Download the signature file on the website (https://electrum.org/#download).
> 4. Verify with:
> Code:
> gpg --verify signatureFile.asc ElectrumFile.tar.gz

When trying to do that I get this:

Quote
> gpg --verify electrum-3.2.2-setup.exe.asc electrum-3.2.2-setup.exe
> gpg: Signature made Пaн 02 Лiп 2018 10:12:08 +03 using RSA key ID 7F9470E6
> gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>"
> gpg: aka "ThomasV <thomasv1@gmx.de>"
> gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

What does this warning mean?

Title: Re: Electrum SHA256 hashes
Post by: bob123 on July 14, 2018, 02:34:45 PM

Quote
> When trying to do that I get this:
> gpg --verify electrum-3.2.2-setup.exe.asc electrum-3.2.2-setup.exe
> gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> What does this warning mean?

You can safely ignore the warning since the signature does match. The warning appears because you didn't trust ThomasV's key yet.
For a single verification this is not necessary. The important thing is the Good signature output.

Title: Re: Electrum SHA256 hashes
Post by: TryNinja on July 14, 2018, 02:35:05 PM

Quote
> When trying to do that I get this:
> gpg --verify electrum-3.2.2-setup.exe.asc electrum-3.2.2-setup.exe
> gpg: Signature made Пaн 02 Лiп 2018 10:12:08 +03 using RSA key ID 7F9470E6
> gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>"
> gpg: aka "ThomasV <thomasv1@gmx.de>"
> gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
> What does this warning mean?

This means that the signature is valid but you don't directly trust the user who generated the key (you didn't set the key as trusted).

Don't worry, that's not an issue. The file is legit.

Title: Re: Electrum SHA256 hashes
Post by: kostepanych2 on October 12, 2018, 09:36:52 AM

Quote
> 2. Verify if it's imported:
> Code:
> gpg --fingerprint 0x2BD5824B7F9470E6

How should I verify that it is ThomasV's correct pubkey?
There should be Key fingerprint = 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6?

Can this signature be forged?

Can it be possible that a fake public key has the same fingerprint = 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6?

Title: Re: Electrum SHA256 hashes
Post by: Abdussamad on October 12, 2018, 11:35:49 AM

Quote
> 2. Verify if it's imported:
> Code:
> gpg --fingerprint 0x2BD5824B7F9470E6
> How should I verify that it is ThomasV's correct pubkey?
> There should be Key fingerprint = 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6?

Yep.

Quote
> Can this signature be forged?

No, you need the private key behind that public key to generate a valid sig. As far as we know only Thomas has that and he hasn't been hacked. So if you trust him not to include malware and not to get hacked you can use this software.
Alternatively, go through the code line by line so that you don't have to trust anyone!

Quote
> Can it be possible that a fake public key has the same fingerprint = 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6?

Nope. Always compare the long fingerprint as above and not the shortened one (0x7F9470E6) because it may be possible to create another key pair with the same short fingerprint.
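
The full-fingerprint comparison recommended in the last reply can be automated rather than read by eye. The following is an added example, not part of any post in the thread: it reads gpg's machine-readable `--status-fd` output and accepts a signature only when the `VALIDSIG` line carries the full primary-key fingerprint quoted above. The function names and both sample status outputs are constructed for illustration.

```shell
#!/bin/sh
# Full primary-key fingerprint as quoted in the thread (spaces removed).
PINNED_FPR=6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

# check_status FPR: read `gpg --status-fd` lines on stdin; succeed only if a
# VALIDSIG line names FPR as the primary key and no BADSIG, REVKEYSIG or
# EXPKEYSIG line appears. (Hypothetical helper name.)
check_status() {
    awk -v want="$1" '
        BEGIN { gsub(/ /, "", want); want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "REVKEYSIG" || $2 == "EXPKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12: primary key fingerprint; field 3: signing (sub)key.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1
        }
        END { exit !(ok && !bad) }
    '
}

# verify_release SIGFILE DATAFILE: status lines go to stdout, the
# human-readable messages on stderr are discarded. (Hypothetical helper name.)
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status output for a signature made by the pinned key.
sample_good() { cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2018-07-02 1530515528 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed: a different key that shares only the short ID 7F9470E6.
sample_short_id_collision() { cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAA7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7F9470E6 2018-07-02 1530515528 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}
```

After sourcing the file, `verify_release electrum-3.2.2-setup.exe.asc electrum-3.2.2-setup.exe` returns 0 only for a signature from the pinned key; the fingerprint itself should be confirmed through a channel other than the one the download came from.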