Bitcoin Forum

Bitcoin => Electrum => Topic started by: sedate on March 15, 2019, 07:28:10 PM



Title: What is "Animazing" and why does it come up with ThomasV's pub key?
Post by: sedate on March 15, 2019, 07:28:10 PM
So I'm trying to verify my 3.3.4 installer like a good little bitcoiner and keep running into stupid + weird problems.

Discussing the electrum.org/#download page ->

When I try to grab ThomasV's public key from the top link, I get shunted to some login page for analytics.sumptuouscapital.com.

When I try to grab ThomasV's public key from the bottom link I get some weird key - in addition to the usual ThomasV key with the verified fingerprint another certificate called "Animazing@gmail.com" comes up with a totally different print.

I'm definitely looking at electrum.org.

When I actually try to decrypt the sig file with the installers, I always get

"Kleopatra: COuld not open file <> for reading: input/output error (218136625)"

I'm getting this result from like 3 versions of Kleopatra including the latest.

What in the world am I doing wrong?


Title: Re: What is "Animazing" and why does it come up with ThomasV's pub key?
Post by: jackg on March 15, 2019, 07:41:12 PM
Assuming you mean the main page, one of those links takes me here: https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc

I think that's right?


Title: Re: What is "Animazing" and why does it come up with ThomasV's pub key?
Post by: sedate on March 15, 2019, 07:46:36 PM
Ya that one. 

C&P into notepad and save as .asc, import.  Right?

Import that key and it comes up as "Animazing@gmail.com" signed 1/15/2013 with the wrong fingerprint.

Somewhich way the ThomasV key with the fingerprint from here:

https://www.youtube.com/watch?v=hjYCXOyDy7Y

Also got imported.

But regardless, nothing will decode or verify; everything returns this I/O error, either a generic one or with this code: 218136625

I've tried this on three different computers now on three versions of Kleopatra.  I feel like I'm taking crazy pills.


Title: Re: What is "Animazing" and why does it come up with ThomasV's pub key?
Post by: DireWolfM14 on March 15, 2019, 08:01:38 PM
Quote:
C&P into notepad and save as .asc, import.  Right?

The sig file has to have the exact same name as the executable file with .asc as the final extension.  
So, just like this:
Code:
electrum-3.3.4-setup.exe.asc


Quote:
Import that key and it comes up as "Animazing@gmail.com" signed 1/15/2013 with the wrong fingerprint.

If you go to the download page on electrum.org, near the top of the page there's a link to ThomasV's public key hosted on gnupg.net.
Look for the text "Sources and executables are signed by ThomasV," and click on the link.  It'll take you to this page:
http://keys.gnupg.net/pks/lookup?search=0x6694D8DE7BE8EE5631BED9502BD5824B7F9470E6&fingerprint=on&op=index

I've seen Animazing@gmail.com included in ThomasV's public key, so I don't think there's anything wrong there.


Title: Re: What is "Animazing" and why does it come up with ThomasV's pub key?
Post by: sedate on March 15, 2019, 08:13:59 PM
Okay okay I swear I'm not trolling ->

If I am on my desktop and point Chrome (desktop PC, not really secure, no BTC here) at that keys.gnupg.net link I get the right info with the ThomasV public key.

If I point my laptop (brand new clean laptop, where I'm trying to install electrum) at that site, I get shunted to something called analytics.sumptuouscapital.com with a plain generic login page and a link to a web analytics company called "matomo"

http://keys.gnupg.net/pks/lookup?search=0x6694D8DE7BE8EE5631BED9502BD5824B7F9470E6&fingerprint=on&op=index

I know this is the right page but it will seriously *not* come up..  ??? ???


Title: Re: What is "Animazing" and why does it come up with ThomasV's pub key?
Post by: sedate on March 15, 2019, 08:35:16 PM
Okay so I dunno what but if I use a different browser I don't get shunted to the analytics page..

Thanks for the info about the precise file name I didn't realize that.

Any idea what i/o error 218136625 means?


Title: Re: What is "Animazing" and why does it come up with ThomasV's pub key?
Post by: jackg on March 15, 2019, 08:39:43 PM
I get this when clicking the ID link? http://keys.gnupg.net/pks/lookup?op=get&search=0x2BD5824B7F9470E6

I should say I haven't verified the signature for electrum as whenever I run it on Windows my AV tells me who signed it (I think it's the AV anyway).

https://www.google.com/amp/s/amp.reddit.com/r/GnuPG/comments/2q73b6/verifying_gnupg_itself/ an issue with the files probably as this seems to suggest an error occurs while someone updates the gpg software and tries to test the signature of the update ;D. One of the reasons I trust hashes more than signatures in this case. I find it more likely that 7zip and other hash processors will be compromised compared to the gpg software (there's more at stake with gpg).


Title: Re: What is "Animazing" and why does it come up with ThomasV's pub key?
Post by: sedate on March 15, 2019, 09:04:08 PM
Thanks I'm not sure why that one web browser keeps getting shunted to that page but I got the right key imported.


Quote:
I should say I haven't verified the signature for electrum as whenever I run it on Windows my AV tells me who signed it (I think it's the AV anyway).


LOL.  Honestly I never thought I'd be so paranoid about installing anything before.  I'm *not* naive when it comes to computer security I can imagine *so many* attack vectors I'm scared of everything.

Not sure how realistic some of them are, but BTC is a ripe, ripe target ya know.


Title: Re: What is "Animazing" and why does it come up with ThomasV's pub key?
Post by: HCP on March 15, 2019, 09:17:15 PM
Yeah, trying to follow the http ://keys.gnupg.net... link also redirects me to the https ://analytics.sumptuouscapital.com... page ??!? :o ???

Very strange... I suspect some sort of DNS issue somewhere along the line... possibly because my local router is configured to use OpenDNS? ???

Just FYI, out of all the GPG keyservers that are listed when you search "gpg keyserver" on Google, the most reliable I've found seems to be: https://keyserver.ubuntu.com/ Most of the others return errors :-\



Title: Re: What is "Animazing" and why does it come up with ThomasV's pub key?
Post by: G3nijalac on March 15, 2019, 11:06:18 PM
#1 make sure you are at https://electrum.org type it in manually

#2 make sure that when saving the signature to switch to save as All File Types and if the name is ending in .txt erase it before saving
     once saved it should have a blue lock icon and it will work then

#3 try and use ThomasV signature if possible for your OS/version to be extra safe. otherwise make damn sure that the sig attached is in official safe list
     before checking it.


Title: Re: What is "Animazing" and why does it come up with ThomasV's pub key?
Post by: Abdussamad on March 16, 2019, 07:20:09 AM
Animazing was a developer who contributed to electrum in the past. He used to sign the windows releases.

Here's (https://bitcoinelectrum.com/how-to-verify-your-electrum-download/) a guide to verifying the sig with kleo.

Don't copy paste the signature or the public keys. Instead use your browser's save file function.
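
The check this thread keeps circling, as an added example (not written by any poster here and not Electrum's own tooling): because the imported key file can carry more than one key, the script accepts the installer only when gpg reports a valid signature from the fingerprint in the keys.gnupg.net URL quoted earlier in the thread. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. The pinned fingerprint is the one in the keys.gnupg.net
# lookup URL quoted in this thread; everything else is an assumption.
PINNED_FPR=6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

# check_status FPR: read `gpg --status-fd 1` output on stdin. Succeed only if
# a VALIDSIG line names FPR (as signing or primary key) and no BADSIG is seen.
check_status() {
    want=$1 found=0 bad=0
    while read -r tag kw rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            BADSIG) bad=1 ;;
            VALIDSIG)
                signer=${rest%% *}    # first field: key that made the signature
                primary=${rest##* }   # last field: its primary key fingerprint
                if [ "$signer" = "$want" ] || [ "$primary" = "$want" ]; then found=1; fi ;;
        esac
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# verify_installer KEYFILE INSTALLER: import KEYFILE into a throwaway keyring,
# then verify INSTALLER against the detached signature INSTALLER.asc.
verify_installer() {
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
    gpg --homedir "$home" --batch --status-fd 1 --verify "$2.asc" "$2" 2>/dev/null |
        check_status "$PINNED_FPR"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Constructed status output (not from a real run): valid signature, pinned key.
sample_good() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 2BD5824B7F9470E6 Constructed User ID" \
        "[GNUPG:] VALIDSIG $PINNED_FPR 2019-01-01 1546300800 0 4 0 1 8 00 $PINNED_FPR"
}

# Constructed: a valid signature, but made by a different key from the same file.
sample_other_key() {
    printf '%s\n' \
        "[GNUPG:] GOODSIG 0000000000000000 Constructed Other Key" \
        "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2013-01-15 1358208000 0 4 0 1 8 00 0000000000000000000000000000000000000000"
}
```

Run it as `verify_installer ThomasV.asc electrum-3.3.4-setup.exe`, with the signature saved next to the installer as `electrum-3.3.4-setup.exe.asc`.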


Title: Re: What is "Animazing" and why does it come up with ThomasV's pub key?
Post by: zetzetzet on March 20, 2019, 03:43:47 PM
Hi!
I have just started to upgrade Electrum wallet.

1. Why sign is other? Why ThomasV's key in 3.3.4 is different than in 3.3.3?
Was https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6
Now is https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
Wtf?

2. Who is "animazing"?

3. Is Electrum.org hacked?
I don't trust Electrum anymore!

https://i.imgur.com/0WMpwk7.png

4. Anybody know, what is going on?


Title: Re: What is "Animazing" and why does it come up with ThomasV's pub key?
Post by: TryNinja on March 20, 2019, 03:46:45 PM
-snip-
Did you even read the thread?

I know you are that guy which *for some reason* simply hates signatures and loves hashes, but can you stop with the trolling? That’s just pure ignorance.