|
Title: Verifying signature result with Electrum 3.0.5 Post by: Darooghe on January 08, 2018, 08:24:12 PM I did verifying signature's process with GPG Kleopatra. electrum 3.0.5 verified but GPG said the data could not be verified. Is there any security problem with Electrum 3.0.5?
Please a technical person check it & share results with us. Title: Re: Verifying signature result with Electrum 3.0.5 Post by: Calaveras on January 09, 2018, 12:04:26 AM Don't run windows, but here is linux
$ gpg --keyserver pgp.mit.edu --search-keys 0x2BD5824B7F9470E6 gpg: searching for "0x2BD5824B7F9470E6" from hkp server pgp.mit.edu (1) ThomasV <thomasv1@gmx.de> Thomas Voegtlin <thomasv1@gmx.de> Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org> 4096 bit RSA key 7F9470E6, created: 2011-06-15 Keys 1-1 of 1 for "0x2BD5824B7F9470E6". Enter number(s), N)ext, or Q)uit > 1 gpg: requesting key 7F9470E6 from hkp server pgp.mit.edu gpg: key 7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) $ gpg --verify electrum-3.0.5.exe.asc electrum-3.0.5.exegpg: Signature made Mon 08 Jan 2018 00:14:38 GMT using RSA key ID 7F9470E6 gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" gpg: aka "ThomasV <thomasv1@gmx.de>" gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 Title: Re: Verifying signature result with Electrum 3.0.5 Post by: HCP on January 11, 2018, 04:39:32 AM I did verifying signature's process with GPG Kleopatra. electrum 3.0.5 verified but GPG said the data could not be verified. Is there any security problem with Electrum 3.0.5? As I responded to your post in the other thread... this is FINE... it just means that you have not "vouched" or "certified" that ThomasV's key is legit, you can import keys in GPG, but not TRUST them... until you explicitiy trust the key you will see something like:Please a technical person check it & share results with us. https://bitzuma.com/images/posts/20171128/good-signature.png NOTE: THIS IS A GOOD SIGNATURE! The signature checks out, and the file is signed with the signature... YOU just haven't trusted it yet. If you "trust" ThomasV... then you can sign the key, saying that you vouch for Thomas and he is legit and all things signed with his key are legit... then you will see something like this: https://talkimg.com/images/2023/11/15/zD53N.png The important thing is that you DON'T see a red warning like this: https://bitzuma.com/images/posts/20171128/bad-signature.png If you see "Invalid Signature" then that is BAD! |
