Bitcoin => Electrum => Topic started by: Jerboa_81 on October 15, 2021, 01:02:10 PM



Title: Electrum - verifying at least two signatures - I got 1 public key but not others
Post by: Jerboa_81 on October 15, 2021, 01:02:10 PM
Hello Everyone,

I just downloaded Electrum-4.1.5...

I want to verify, with gpg, two signatures (for example ThomasV and Emzy).

I found the public key of ThomasV, that I imported with gpg (gpg --import ...)
I verified the ....ThomasV.asc
And It's OK...
gpg --verify electrum-4.1.5-x86_64.AppImage.ThomasV.asc electrum-4.1.5-x86_64.AppImage

The answer is (in french, sorry):
gpg: Signature faite le lun 19 jui 2021 20:22:33 CEST avec la clef RSA d'identifiant 7F9470E6
gpg: Bonne signature de « Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org> »
gpg:                 alias « ThomasV <thomasv1@gmx.de> »
gpg:                 alias « Thomas Voegtlin <thomasv1@gmx.de> »
gpg: Attention : cette clef n'est pas certifiée avec une signature de confiance.
gpg:          Rien n'indique que la signature appartient à son propriétaire.
Empreinte de clef principale : 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6


Now, I want to verify the ....Emzy.asc...
BUT I don't find the public key...

The answer for gpg --verify electrum-4.1.5-x86_64.AppImage.Emzy.asc electrum-4.1.5-x86_64.AppImage
is (yes, it's in french):

gpg: Signature faite le jeu 22 jui 2021 14:49:22 CEST avec la clef RSA d'identifiant 07DA627C
gpg: Impossible de vérifier la signature : clef publique introuvable


Is that ok ?  Or must I find the public key for the electrum-4.1.5-x86_64.AppImage.Emzy.asc ?

What must I do ?

Thank You All in advance.


Title: Re: Electrum - verifying at least two signatures - I got 1 public key but not others
Post by: NeuroticFish on October 15, 2021, 01:13:28 PM
On the download page you can find:

Our executables are reproducible, and are signed independently by several builders.

The link from there goes to: https://github.com/spesmilo/electrum/tree/master/pubkeys
And you'll find all the public keys there, including Emzy.


Interestingly on https://download.electrum.org/4.1.5/ I cannot see Emzy's asc, only ThomasV and sombernight_releasekey


Title: Re: Electrum - verifying at least two signatures - I got 1 public key but not others
Post by: adaseb on October 15, 2021, 04:16:17 PM
Quote from: NeuroticFish on October 15, 2021, 01:13:28 PM
On the download page you can find:

Our executables are reproducible, and are signed independently by several builders.

The link from there goes to: https://github.com/spesmilo/electrum/tree/master/pubkeys
And you'll find all the public keys there, including Emzy.


Interestingly on https://download.electrum.org/4.1.5/ I cannot see Emzy's asc, only ThomasV and sombernight_releasekey

I just went thru this a few days ago, I couldn't find his key from that directory but if you go to

Quote
https://raw.githubusercontent.com/spesmilo/electrum-signatures/master/4.1.5/electrum-4.1.5-x86_64.AppImage/electrum-4.1.5-x86_64.AppImage.Emzy.asc

Which is basically linked to on

Quote
https://electrum.org/#download

Under Emzy signature for Linux Appimage you should be able to download it. I think he forgot to add it to download.electrum.org but it's listed under the github downloads.



I was paranoid too and I verified all 3 signatures and I took ThomasV signature even from 3 different sources to make sure it's legit. If you want another method of verifying the file, the sha256sum for electrum-4.1.5-x86_64.AppImage is

Quote
sha256sum electrum-4.1.5-x86_64.AppImage

Quote
21d5017ddf87d75be76a3c736fb547cb5e33399938abd69d82ff66a80de8c13f  electrum-4.1.5-x86_64.AppImage


Title: Re: Electrum - verifying at least two signatures - I got 1 public key but not others
Post by: Jerboa_81 on October 15, 2021, 05:01:51 PM
Hello, Great Thanks NeuroticFish...

I've seen the link before but I was saving the file wrongly....
So, gpg didn't find a gpg key in the file...

I copied and pasted the key text in a file with nano and it worked.

Thank you.




Hello Adaseb.

I just tested the sha256sum of the app file and it's OK.

Thank You both ;-)
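
Added example, not part of any post in this thread: the two gpg results in the first post differ in kind, because "clef publique introuvable" means no check took place, while the trust warning on the ThomasV result is settled by comparing the printed fingerprint with one obtained independently. The sketch below classifies gpg's locale-independent `--status-fd` lines against a pinned fingerprint. The function names and the sample status lines are constructed, and the long key ID in the sample is a zero-padded placeholder built from the short ID 07DA627C shown in the first post.

```shell
#!/bin/sh
# Added example: decide from gpg's machine-readable status lines, not from the
# localized human-readable messages, whether a detached signature counts.

# Primary key fingerprint printed in the first post's gpg output (spaces removed).
THOMASV_FPR=6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

# Constructed sample status lines (not captured from a real gpg run).
SAMPLE_VALID="[GNUPG:] VALIDSIG $THOMASV_FPR 2021-07-19 1626718953 0 4 0 1 8 00 $THOMASV_FPR"
SAMPLE_NOKEY='[GNUPG:] NO_PUBKEY 0000000007DA627C'   # placeholder long key ID

# classify_status PINNED_FPR   (reads gpg status lines on stdin)
# Prints one of:
#   good             VALIDSIG whose primary-key fingerprint equals the pin
#   wrong-key FPR    valid signature, but made by a key other than the pin
#   missing-key ID   NO_PUBKEY: nothing was verified; import the key and retry
#   bad              BADSIG, or no conclusive status line at all
classify_status() {
    awk -v pin="$1" '
        # Accept the pin as gpg prints it: grouped with spaces, any case.
        BEGIN { gsub(/ /, "", pin); pin = toupper(pin) }
        $1 != "[GNUPG:]"  { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { missing = $3 }
        # The last VALIDSIG field is the primary key fingerprint.
        $2 == "VALIDSIG"  { fpr = $NF }
        END {
            if (bad)                         print "bad"
            else if (fpr != "" && fpr == pin) print "good"
            else if (fpr != "")              print "wrong-key " fpr
            else if (missing != "")          print "missing-key " missing
            else                             print "bad"
        }'
}

# verify_sig FILE SIG PINNED_FPR: run gpg on a detached signature and classify.
verify_sig() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | classify_status "$3"
}

# Usage: sh check.sh FILE SIG PINNED_FPR
if [ "$#" -eq 3 ]; then
    verify_sig "$1" "$2" "$3"
fi
```

A file counts as verified by two builders only when `verify_sig` prints `good` for two different signature files, each checked against that builder's own pinned fingerprint.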