Title: Electrum - verifying at least two signatures - I got 1 public key but not others
Post by: Jerboa_81 on October 15, 2021, 01:02:10 PM

Hello Everyone,

I just downloaded Electrum-4.1.5... I want to verify, with gpg, two signatures (for example ThomasV and Emzy). I found the public key of ThomasV, which I imported with gpg (gpg --import ...). I verified the ....ThomasV.asc and it's OK...

    gpg --verify electrum-4.1.5-x86_64.AppImage.ThomasV.asc electrum-4.1.5-x86_64.AppImage

The answer is (in French, sorry):

    gpg: Signature faite le lun 19 jui 2021 20:22:33 CEST avec la clef RSA d'identifiant 7F9470E6
    gpg: Bonne signature de « Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org> »
    gpg:                alias « ThomasV <thomasv1@gmx.de> »
    gpg:                alias « Thomas Voegtlin <thomasv1@gmx.de> »
    gpg: Attention : cette clef n'est pas certifiée avec une signature de confiance.
    gpg:             Rien n'indique que la signature appartient à son propriétaire.
    Empreinte de clef principale : 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

Now, I want to verify the ....Emzy.asc... BUT I don't find the public key... The answer for

    gpg --verify electrum-4.1.5-x86_64.AppImage.Emzy.asc electrum-4.1.5-x86_64.AppImage

is (yes, it's in French):

    gpg: Signature faite le jeu 22 jui 2021 14:49:22 CEST avec la clef RSA d'identifiant 07DA627C
    gpg: Impossible de vérifier la signature : clef publique introuvable

Is that OK? Or must I find the public key for the electrum-4.1.5-x86_64.AppImage.Emzy.asc? What must I do?

Thank you all in advance.

Title: Re: Electrum - verifying at least two signatures - I got 1 public key but not others
Post by: NeuroticFish on October 15, 2021, 01:13:28 PM

On the download page you can find:
Quote from: https://electrum.org/#download
    Our executables are reproducible, and are signed independently by several builders.

The link from there goes to: https://github.com/spesmilo/electrum/tree/master/pubkeys
And you'll find all the public keys there, including Emzy.

Interestingly, on https://download.electrum.org/4.1.5/ I cannot see Emzy's asc, only ThomasV and sombernight_releasekey.

Title: Re: Electrum - verifying at least two signatures - I got 1 public key but not others
Post by: adaseb on October 15, 2021, 04:16:17 PM

Quote from: NeuroticFish on October 15, 2021, 01:13:28 PM
    On the download page you can find:
    Quote from: https://electrum.org/#download
        Our executables are reproducible, and are signed independently by several builders.
    The link from there goes to: https://github.com/spesmilo/electrum/tree/master/pubkeys
    And you'll find all the public keys there, including Emzy.
    Interestingly, on https://download.electrum.org/4.1.5/ I cannot see Emzy's asc, only ThomasV and sombernight_releasekey.

I just went through this a few days ago. I couldn't find his key from that directory, but if you go to

Quote
    https://raw.githubusercontent.com/spesmilo/electrum-signatures/master/4.1.5/electrum-4.1.5-x86_64.AppImage/electrum-4.1.5-x86_64.AppImage.Emzy.asc

which is basically linked to on

Quote
    https://electrum.org/#download

under Emzy signature for Linux AppImage, you should be able to download it. I think he forgot to add it to download.electrum.org but it's listed under the GitHub downloads.

I was paranoid too and I verified all 3 signatures, and I took ThomasV's signature even from 3 different sources to make sure it's legit.

If you want another method of verifying the file.
The sha256sum for electrum-4.1.5-x86_64.AppImage is

Quote
    sha256sum electrum-4.1.5-x86_64.AppImage

Quote
    21d5017ddf87d75be76a3c736fb547cb5e33399938abd69d82ff66a80de8c13f electrum-4.1.5-x86_64.AppImage

Title: Re: Electrum - verifying at least two signatures - I got 1 public key but not others
Post by: Jerboa_81 on October 15, 2021, 05:01:51 PM

Hello,

Great thanks, NeuroticFish...
I've seen the link before but I was saving the file wrongly.... So, gpg didn't find a gpg key in the file... I copied and pasted the key text into a file with nano and it worked. Thank you.

Hello Adaseb. I just tested the sha256sum of the app file and it's OK.

Thank you both ;-)
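
Added example (not part of the thread and not Electrum's own tooling): the "at least two signatures" check from the posts above, done against gpg's locale-independent `--status-fd` lines instead of the translated messages, and counting a signature only when its fingerprint is one you pinned beforehand. The ThomasV fingerprint is the one printed in the first post; the second fingerprint, the unknown key ID, the timestamps and the sample status lines are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Electrum tooling. Function names are hypothetical.
# Collect status lines from the real files, one run per builder, e.g.:
#   gpg --status-fd 1 --verify electrum-4.1.5-x86_64.AppImage.ThomasV.asc \
#       electrum-4.1.5-x86_64.AppImage 2>/dev/null >> status.txt

THOMASV_FPR=6694D8DE7BE8EE5631BED9502BD5824B7F9470E6   # fingerprint printed in the first post
SECOND_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA    # constructed placeholder, not a real key

# Constructed sample: one signature fully verified, one whose key is not imported.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2021-07-19 1626718953 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1626958162 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
EOF
}

# count_pinned_signers STATUS_FILE FINGERPRINT...
# Prints how many distinct pinned primary-key fingerprints have a VALIDSIG line.
count_pinned_signers() {
    status_file=$1; shift
    awk -v pinned="$*" '
        BEGIN { n = split(pinned, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3      # field 12 is the primary key fingerprint
            if ((fpr in want) && !(fpr in seen)) { seen[fpr] = 1; ok++ }
        }
        END { print ok + 0 }
    ' "$status_file"
}

# Prints the key IDs gpg could not check ("clef publique introuvable").
missing_keys() {
    awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print $3 }' "$1"
}

tmp=$(mktemp) && sample_status > "$tmp"
n=$(count_pinned_signers "$tmp" "$THOMASV_FPR" "$SECOND_FPR")
echo "pinned signers verified: $n (want at least 2)"
echo "keys still to import: $(missing_keys "$tmp")"
rm -f "$tmp"
```

A count below 2 with a key ID listed as missing is the situation in the first post: the second builder's key has to be imported from the pubkeys directory linked above and its fingerprint pinned before that signature counts.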