Bitcoin Forum

Bitcoin => Bitcoin Technical Support => Topic started by: dustyrose1510 on February 26, 2022, 08:31:20 AM



Title: Verifying Electrum - 3 valid signatures?
Post by: dustyrose1510 on February 26, 2022, 08:31:20 AM
Hello everyone. I was hoping someone could clarify for me why I am getting this message as I'm unsure if it's safe to continue with my electrum download?
Is it normal to have 3 valid signatures?

I have finished the process of verifying electrum using Kleopatra. I used the appropriate file on Kleopatra (downloaded directly from Electrum's official website): ThomasV.asc   

When I click verify on "electrum-4.1.5-setup.exe.asc" I receive the following message (the top of the message says "All operations completed" with a thick green line):



Verified ‘electrum-4.1.5-setup.exe’ with ‘electrum-4.1.5-setup.exe.asc’: 3 valid signatures.

Signature created on Thursday, 22 July 2021 10:49:18 PM
With unavailable certificate:
ID: 0x637DB1E23370F84AFF88CCE03152347D07DA627C
You can search the certificate on a keyserver or import it from a file.

Signature created on Tuesday, 20 July 2021 5:20:06 AM
With unavailable certificate:
ID: 0x0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
You can search the certificate on a keyserver or import it from a file.

Signature created on Tuesday, 20 July 2021 4:22:28 AM
With certificate:
Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org> (2BD5 824B 7F94 70E6)
The signature is valid and the certificate's validity is fully trusted.



Title: Re: Verifying Electrum - 3 valid signatures?
Post by: nc50lc on February 26, 2022, 08:46:58 AM
That's because the newer binaries are now signed by three developers: ThomasV, SomberNight and Emzy.
It's mentioned in the download page: https://electrum.org/#download (https://electrum.org/#:~:text=The%20current%20executables%20have%20been%20signed%20by%20ThomasV%2C%20SomberNight%2C%20Emzy.)

You may obtain the other two devs' GPG keys; links are on the download page or in the GitHub repo: https://github.com/spesmilo/electrum/tree/master/pubkeys


Title: Re: Verifying Electrum - 3 valid signatures?
Post by: o_e_l_e_o on February 26, 2022, 11:02:36 AM
The first two are telling you the signatures are valid, but it doesn't know whether it can trust the keys which provided those valid signatures since you have not imported those keys into Kleopatra. The last signature is both valid and trusted since you have imported ThomasV's key.

As nc50lc has said, you can import the other two keys if you want to be triple sure that you have the legitimate file.

I can also confirm that 0x0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC matches the key I have for SomberNight and 0x637DB1E23370F84AFF88CCE03152347D07DA627C matches the signing key I have for Emzy (Stephan Oeste).


Title: Re: Verifying Electrum - 3 valid signatures?
Post by: dustyrose1510 on February 27, 2022, 02:03:11 AM
I just tried to import the other two keys from the official Electrum website. SomberNight was successful but I am unsure about Emzy (Stephan Oeste) because the key/fingerprint is very different to my original message & the key you just gave me.

This is the fingerprint I get when looking at the Emzy file in Kleopatra:

9EDA FF80 E080 6596 04F4 A76B 2EBB 056F D847 F8A7


Is it safe to certify this?

Thank you so much for your assistance!


Title: Re: Verifying Electrum - 3 valid signatures?
Post by: nc50lc on February 27, 2022, 02:23:39 AM
This is the fingerprint I get when looking at the Emzy file in Kleopatra:

9EDA FF80 E080 6596 04F4 A76B 2EBB 056F D847 F8A7
It matches the fingerprint of Emzy's GPG key that I've imported: 9EDA FF80 E080 6596 04F4 A76B 2EBB 056F D847 F8A7
Both public keys from the download page and the repository match that fingerprint.

SomberNight's is the same as the one in o_e_l_e_o's reply.


Title: Re: Verifying Electrum - 3 valid signatures?
Post by: o_e_l_e_o on February 27, 2022, 09:00:42 AM
This is the fingerprint I get when looking at the Emzy file in Kleopatra:

9EDA FF80 E080 6596 04F4 A76B 2EBB 056F D847 F8A7


Is it safe to certify this?
Yes, it is safe.

Emzy uses a number of subkeys within that key. The key fingerprint I have for Emzy is also 9EDA FF80 E080 6596 04F4 A76B 2EBB 056F D847 F8A7.

If you double click on that key in Kleopatra, and then click on "More details...", you should see his signing key with the ID 3152 347D 07DA 627C. This is the key I quoted above and the key which matches the signature your Kleopatra verified in your first post.
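
The subkey-versus-primary-key mismatch discussed in this thread can be checked mechanically from GnuPG's machine-readable status output, where each VALIDSIG line carries the signing key's fingerprint and, as its last field, the primary key's fingerprint. This is an added example, not part of the thread or of Electrum's tooling: the status lines are constructed (only the two Emzy fingerprints come from the posts above), and the function names are illustrative.

```python
# Pinned PRIMARY-key fingerprints. Only Emzy's is pinned here because the
# thread states both his primary fingerprint and his signing subkey.
PINNED = {"9EDAFF80E080659604F4A76B2EBB056FD847F8A7": "Emzy"}

UNKNOWN = "A" * 40  # constructed placeholder for a key that is not pinned

# Constructed sample of what
#   gpg --status-fd 1 --verify electrum-4.1.5-setup.exe.asc electrum-4.1.5-setup.exe
# prints; dates, timestamps and algorithm fields are made up.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] VALIDSIG 637DB1E23370F84AFF88CCE03152347D07DA627C 2021-07-22 "
    "1626994158 0 4 0 1 10 00 9EDAFF80E080659604F4A76B2EBB056FD847F8A7\n"
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] VALIDSIG {UNKNOWN} 2021-07-20 1626758406 0 4 0 1 10 00 {UNKNOWN}\n"
)

def normalize(fpr):
    """Strip spaces and a leading 0x so '9EDA FF80 ...' and '0x9EDA...' compare equal."""
    s = fpr.replace(" ", "").upper()
    return s[2:] if s.startswith("0X") else s

def key_id(fpr):
    """Long key ID shown by Kleopatra: the last 16 hex digits of the fingerprint."""
    return normalize(fpr)[-16:]

def parse_validsig(status_text):
    """Return (signing_fpr, primary_fpr) for every VALIDSIG status line."""
    sigs = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        signing = normalize(parts[2])
        # Field 12 is the primary-key fingerprint; fall back if it is absent.
        primary = normalize(parts[11]) if len(parts) >= 12 else signing
        sigs.append((signing, primary))
    return sigs

def check(status_text, pinned=PINNED):
    """Attribute each valid signature to a pinned owner (None if not pinned)."""
    return [{"signing": s, "primary": p, "is_subkey": s != p,
             "owner": pinned.get(p)} for s, p in parse_validsig(status_text)]

def signed_by_all(status_text, required, pinned=PINNED):
    """True only if every required owner has a valid signature present."""
    return set(required) <= {r["owner"] for r in check(status_text, pinned)}

if __name__ == "__main__":
    for r in check(SAMPLE_STATUS):
        print(key_id(r["signing"]), "->", r["primary"], r["owner"] or "NOT PINNED")
```

Comparing against the primary fingerprint rather than the signing key ID is what lets a signature made by a subkey be attributed to the key file that was actually imported.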