Bitcoin Forum
  Show Posts
3001  Bitcoin / Electrum / Re: So I'm assuming I'm fucked on this one right? on: April 17, 2020, 01:35:12 AM
I got my money!

Good deal.  

If you want to use Electrum as a desktop wallet you'll need to create a new wallet.  At the prompts choose "Standard wallet," then "Create a new seed."  Make sure to write down the seed phrase on a piece of paper (don't store it digitally,) and store it someplace safe and secure.
3002  Other / Archival / Re: . on: April 16, 2020, 07:44:58 PM
I'll take spot number 4, please.  I'll send payment once you post an address.  Thanks.

You got it.
and posted

Payment sent, thanks again.

44d4716e48fdfe4ecff7ddea980496fe10a82175fbb6fdc19c5cff5d936a1478
3003  Bitcoin / Electrum / Re: So I'm assuming I'm fucked on this one right? on: April 16, 2020, 07:37:51 PM
I checked and have not received any funds. It also gave me a new address for some reason, even though they're not supposed to expire for a week I believe. I can see the money in my Electrum wallet though. Just can't get it tf out of there.

Again, I have no idea whether Empire is legit or not.  It seems every other week someone posts about some issue or another, describing sent funds that never arrive at their intended destination.  After a few posts back and forth it's revealed that it involves some shady shit on Empire.  I don't know, man.

You must have picked up that address from someplace, if it wasn't Empire, check your coinbase account.  You can also do a google search for that address and see what you come up with.

Regardless of where the address was obtained, if you don't have access to the associated private key, then you don't have access to the money.  Hopefully you sent it to your Empire or Coinbase account, and you can retrieve it from there.  You won't be able to do anything with the watch-only wallet in Electrum.
3004  Bitcoin / Electrum / Re: So I'm assuming I'm fucked on this one right? on: April 16, 2020, 04:24:39 PM
I just chose new wallet and then chose watch only. I'm not sure how I was able to create it without having any private or public keys. All I have is a Coinbase account and this, and I sent the money from the Coinbase account to Electrum without realizing I wouldn't be able to change it from watch only to a normal wallet. Because it's a watch only wallet, it does not generate a Seed when creating, so I was never given a 12-word phrase.

Electrum will not allow you to create a watch-only wallet without a key or an address.  "Watch Only" isn't an option that's given when creating a new wallet.  It does provide options to enter previously generated keys or addresses, and then Electrum determines whether to create a live wallet or a watch-only depending on the nature of the key.  At the very least you would have needed a bitcoin address to create a watch only wallet.  Where did you obtain that address?  From your coinbase account?

If you are sure you've downloaded the authentic Electrum software and not a malicious clone (see here), you might want to re-trace your steps by creating another wallet, and try to remember what you did the first time.

I don't believe I selected watching only actually, I think I may have selected "import Bitcoin Addresses or private keys". I downloaded it from https://electrum.org/#download (Mac OS X under sources and binaries). The receiving address I thought was generated when I created the account, but I just tried retracing my steps like you said and I believe I may have used the receiving address generated for me on Empire when it asked me to input bitcoin addresses. Of course now I know this does not make sense, but at the time I thought I was entering the address I'd be depositing money into. Newbie mistakes of course.

I don't use empire, so I have no idea how that works, but it sounds like you may have sent the money to your account there.  Did you check your empire account to see if it received the funds?

3005  Bitcoin / Electrum / Re: So I'm assuming I'm fucked on this one right? on: April 16, 2020, 10:31:41 AM
I just chose new wallet and then chose watch only. I'm not sure how I was able to create it without having any private or public keys. All I have is a Coinbase account and this, and I sent the money from the Coinbase account to Electrum without realizing I wouldn't be able to change it from watch only to a normal wallet. Because it's a watch only wallet, it does not generate a Seed when creating, so I was never given a 12-word phrase.

Electrum will not allow you to create a watch-only wallet without a key or an address.  "Watch Only" isn't an option that's given when creating a new wallet.  It does provide options to enter previously generated keys or addresses, and then Electrum determines whether to create a live wallet or a watch-only depending on the nature of the key.  At the very least you would have needed a bitcoin address to create a watch only wallet.  Where did you obtain that address?  From your coinbase account?

If you are sure you've downloaded the authentic Electrum software and not a malicious clone (see here), you might want to re-trace your steps by creating another wallet, and try to remember what you did the first time.
3006  Bitcoin / Electrum / Re: So I'm assuming I'm fucked on this one right? on: April 16, 2020, 02:04:03 AM
First time using bitcoin, was getting the hang of it pretty easily but then accidentally fell victim to Electrum's infamous watch-only wallet. So have no idea how the tf to get my money out of there.....Luckily there's only about $70 worth of bitcoin stuck in it but I'm still pissed. Since it's watch only, there's no seed or private master key, so no way to restore it to a new wallet. Any idea if there's any way to fix this? Feels sorta hopeless based on what I've read. I know if you have cold storage it can be used with a watch only wallet but...I don't have that....and I'm pretty sure that part has to come first, not second even if I were to retroactively. Feeling pretty defeated to say the least!

How did you create this watch only wallet, or how is it you have one without having access to the private keys in another wallet?  Did you import a master public key from somewhere?

Did you write down a 12-word phrase when creating a wallet?
3007  Economy / Gambling / Re: Help launch decentralized betting: create your own betting hedge fund on: April 16, 2020, 01:28:07 AM
Can you please elaborate more on this:

When you bet you don’t send money to a trusted intermediary.  Instead, bets are placed by sending coins to your own addresses so that you maintain control of the private keys for your bets.

How can you ensure the clients will pay-up on their losses?


And then later I read this:

PolyCash is a platform for stablecoins and eSports betting will operate with coins pegged to the dollar.  You can buy in and sell out at any time using bitcoin, but the bitcoins will be converted to dollars based on the exchange rate at the time of each transaction.

So, are the private keys mentioned previously for your own stable coin?
3008  Economy / Gambling / Re: 🚀 Sportsbet.io - Main Club Partner of Watford FC ⚽ Fun. 🏀 Fast. 🎾 Fair. 🏆 on: April 16, 2020, 01:13:39 AM
All these poker tournaments around the board look like a lot of fun.  I don't like throwing money away, but a good poker game is more entertainment than anything, and worth what I'm willing to spend on "entertainment."  Unfortunately I haven't found a tournament that works with my schedule, which is currently far busier than normal.
3009  Economy / Lending / Re: DireWolfM14's Crypto Lending Service - BTC & ETH Loans on: April 15, 2020, 08:22:18 PM
Username: Trigety
Loan Amount: 0.01
Purpose: Have to use some bitcoin for a trade
Collateral: 32.000 MNE - Minereum Coins
Repayment date: 30 - 04 - 2020
Repayment Amount: 0.012
Funding Address: 3FNha2RuuLt9bbcgYnEHX8gmWZsX3yNQS3

Hi Trigety,
Sorry, but I won't accept that coin as collateral, the only exchange it's listed on is one I have no intention of doing business with, and I cannot qualify you for a no-collateral loan.  Thanks anyway.
3010  Bitcoin / Hardware wallets / Re: Trezor Passphrase Security - What If My 24 Words Got Out? on: April 15, 2020, 06:15:20 PM
--

Isn't the whole article based on the assumption of the user getting the Hardware wallet robbed, but with the seed not leaked? The attacker tries to bruteforce the password in order to access the device and steal the funds, that we all get.

But in the event of the seed being leaked, that's what I understood from OP, wouldn't the attacker be capable of importing it without the need of the passphrase? I imagine how the scenario would be with say, electrum wallet, and if I have a seed, then it doesn't matter that I lose the password.

Adding a passphrase to a 12-word seed phrase essentially turns the seed into a 13-word seed phrase, except that 13th word isn't limited to the Bip39 word list.  The passphrase can be any word or set of ASCII characters.

By adding a passphrase you are hashing a completely new HD wallet, with a new set of addresses.  Without having access to both the seed phrase and the passphrase, your wallet is protected.  One or the other is essentially useless.

If your Trezor is stolen, and the thief is able to hack your PIN, and extract your seed phrase, he wouldn't be able to steal your bitcoin unless he also has your passphrase.
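To make the "completely new HD wallet" point concrete, here is an added example (not part of the original post) that follows the BIP39 seed derivation and the BIP32 master-key step for one mnemonic under several passphrases. The mnemonic is the public all-"abandon" test phrase, and `compare_passphrases` is a hypothetical helper named for this illustration.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the public all-"abandon" BIP39 test mnemonic.
# It is known to everyone; never fund a wallet derived from it.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.

    The word-list checksum is not validated here; only the key stretching
    step that mixes the passphrase into the seed is shown.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def bip32_master(seed):
    """BIP32 master node: HMAC-SHA512 keyed with b"Bitcoin seed".

    Returns (master private key bytes, chain code bytes). Every address in
    the HD wallet descends from this pair.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def compare_passphrases(mnemonic, passphrases):
    """Hypothetical helper: map each passphrase to the first 8 bytes (hex)
    of the master private key it produces with the same mnemonic."""
    table = {}
    for passphrase in passphrases:
        key, _chain_code = bip32_master(bip39_seed(mnemonic, passphrase))
        table[passphrase] = key[:8].hex()
    return table


if __name__ == "__main__":
    # Same words, four passphrases: empty, one value, its lower-case form,
    # and the same value with a trailing space.
    candidates = ["", "TREZOR", "trezor", "TREZOR "]
    for passphrase, prefix in compare_passphrases(SAMPLE_MNEMONIC, candidates).items():
        print(f"{passphrase!r:10} -> master key starts {prefix}")
    # Each line shows a different key. There is no "wrong passphrase" error:
    # a mistyped passphrase silently opens a different, empty wallet.
```

Because the passphrase only enters as PBKDF2 salt, its protection against someone who holds the seed words rests entirely on how hard the passphrase is to guess.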
3011  Bitcoin / Hardware wallets / Re: Trezor Passphrase Security - What If My 24 Words Got Out? on: April 15, 2020, 05:33:10 PM
The only thing I'll add to what OmegaStarScream said is that it could take billions of eons to crack a really complex passphrase.  A passphrase can be any ASCII character, lower-case, upper-case, numbers, and special characters.  A highly complicated passphrase would be nearly impossible to crack.

Having said that, if you think your seed phrase has been compromised, set up a new one as quickly as possible.  If you misplaced or lost your Trezor, assume your seed phrase has been compromised. 
3012  Economy / Lending / Re: DireWolfM14's Crypto Lending Service - BTC & ETH Loans on: April 15, 2020, 05:12:37 PM
Username: railai
Loan Amount: 0.008
Purpose: fast payment to someone (i'm not home)
Collateral: none
Repayment date: 16th, latest 17th of april
Repayment Amount: 0.009 (hope its enough)
Funding Address: 36FfpACUMMGkne8cyX1VCSRhvjnymfxPF5
I can't sign a message from my stacked address, not at home.

Sorry railai, but I have to decline your request.
3013  Economy / Reputation / Re: WHERE IS TMAN? for 1 month of inactivity 🤔🤔 on: April 15, 2020, 03:50:54 PM
I spoke to Tman today, he's fine. He'll be calling every one of you 'cunts' before you know it.

That's a huge relief.  I have not yet had the pleasure of being the subject of his poetry, and I am looking forward to the day.

All kidding aside, I'm glad to hear he's fine.  Best wishes to him and his loved ones. 
3014  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN][ICO]HoweyCoins: the only BitcoinTalk-endorsed ICO - GUARANTEED PROFIT on: April 15, 2020, 03:28:02 PM
can you prove if the ICO is profitable? do you have any evidence please argue if I misunderstood the ICO.

Yes, I can prove it, and yes, you misunderstood it. Try reading the whole thing again, better yet - buy a few million howeycoins and see for yourself.

noob

Lol, this has been a lovely exchange of intellect and wit, lopsided as it may be. 

"The proof is in the pudding," as they say.  "Knowledge is power," is another thing that's often said.  HoweyCoin is nothing but profit, because there's no way to lose.  The more you learn the more you gain. 
3015  Bitcoin / Electrum / Re: [GUIDE] How to Safely Download and Verify Electrum [Guide] on: April 15, 2020, 02:53:51 PM
excellent post. just two additions.
first is that usually people don't add the key to their list of trusted keys so the verification result always has a warning that confuses most people. it is along the line of saying something like this:
Code:
gpg: WARNING: This key is not certified with a trusted signature! 
gpg: There is no indication that the signature belongs to the owner.
sometimes people confuse this with the signature not being valid whereas all it says is that the key is not saved in their local database as a trusted key.

I considered adding an example of such results.  Technically the signature file can be verified without any keys in the keyring, but I don't know how deep the rabbit hole I should go with all that.


second is that it may be a good idea to show what the message is going to look like when wrong signature or wrong key is used. although it is obvious.

That's a very practical suggestion, and I do want to include "negative" results so people are familiar with what to look out for.  I will be making some example screenshots of wrong files/signatures and include those.


ps. we can't talk about GPG and not mention Web of Trust.

Definitely worth a read while practicing social distancing and safe computing.  
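The difference discussed above, between an uncertified key and an invalid signature, can be checked mechanically from GnuPG's `--status-fd` output by pinning the fingerprint given in the guide. This is an added example, not code from the posts or from Electrum; the sample status lines, the key ID `AAAAAAAAAAAAAAA1` and the second fingerprint are constructed.

```python
import subprocess

# ThomasV's fingerprint as listed in the guide's Resources section.
PINNED_FPR = "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"
PREFIX = "[GNUPG:] "
# Status tags that mean the signature or its key is expired or revoked.
DEGRADED = {"EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def run_gpg_verify(sig_path, file_path):
    """Run gpg on a detached signature and return its machine-readable status."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True,
    )
    return proc.stdout


def classify(status_text, pinned_fpr=PINNED_FPR):
    """Return verdict 'verified', 'bad' or 'unverified' plus supporting detail.

    'verified' means a cryptographically valid signature by the pinned
    primary key, whether or not that key is certified in the local keyring.
    """
    pinned = pinned_fpr.replace(" ", "").upper()
    result = {"verdict": "unverified", "trust": None, "missing_keys": []}
    bad = False
    current = None      # primary fingerprint of the signature being reported
    degraded = False    # expired/revoked marker seen for the current signature
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag == "NEWSIG":
            current, degraded = None, False
        elif tag == "BADSIG":
            bad = True              # the file does not match this signature
        elif tag in DEGRADED:
            degraded = True
        elif tag == "NO_PUBKEY" and args:
            result["missing_keys"].append(args[0])
        elif tag == "VALIDSIG" and args:
            # Field 10 is the primary key fingerprint when a subkey signed.
            current = (args[9] if len(args) > 9 else args[0]).upper()
            if current == pinned and not degraded:
                result["verdict"] = "verified"
        elif tag.startswith("TRUST_") and current == pinned:
            result["trust"] = tag[len("TRUST_"):].lower()
    if bad:
        result["verdict"] = "bad"
    return result


# Constructed status output: one signer whose key is not in the keyring,
# then a valid ThomasV signature from an imported but uncertified key.
SAMPLE_UNCERTIFIED = """\
[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY AAAAAAAAAAAAAAA1
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2020-04-15 1586900000 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_CERTIFIED = SAMPLE_UNCERTIFIED.replace("TRUST_UNDEFINED", "TRUST_FULLY")
# Constructed: the downloaded file was swapped, so the signature fails.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
"""
# Constructed: valid and locally trusted, but made by a key that is not pinned.
SAMPLE_OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2020-04-15 1586900000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""

if __name__ == "__main__":
    for name in ("SAMPLE_UNCERTIFIED", "SAMPLE_CERTIFIED", "SAMPLE_BAD", "SAMPLE_OTHER_KEY"):
        print(name, classify(globals()[name]))
```

Pinning the full fingerprint is what makes the uncertified case safe to accept; a valid signature from any other key, even a locally trusted one, is reported as unverified.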
3016  Bitcoin / Hardware wallets / Re: Ledger Nano X Experience on: April 15, 2020, 02:45:49 PM
Even without any defects or issues the lifespan of the Nano X's battery is probably 5, maybe 7 years tops.  I don't know if Ledger plans on having a service available to replace the battery, or everybody might be better off if they just offer a discount to those whose battery has served its purpose.  Like Lucius alluded, however, the device can still be used long after the battery dies, just by plugging into a computer or a power source. 
3017  Bitcoin / Electrum / Re: [GUIDE] How to Safely Download and Verify Electrum [Guide] on: April 15, 2020, 02:48:07 AM
Given that the tutorial above contains instructions that require trust to follow I thought it was appropriate that I provide a signature for the tutorial.  To verify click on the "quote" button above the post, copy all the text including the quote header and footer, paste it into your favorite text editor, then save the text file.  Use the code below to create another file in the same directory and with the same name, but with a .asc extension.  Use your preferred method to verify.


My GPG key is available by clicking on the website link in my profile, or here on the forum:

https://bitcointalk.org/index.php?topic=1159946.msg56665744#msg56665744


Update 15 JAN 2023
 - Fixed some typos
 - Clarified Linux installation information
 - Added list of HockeyPuck Keyservers

Update 27 JAN 2023
 - Fixed some typos
 - Added link to KDE Kleopatra
3018  Bitcoin / Electrum / [GUIDE] How to Safely Download and Verify Electrum [Guide] on: April 15, 2020, 02:47:17 AM
Table of Contents
Introduction
Resources
Getting Started
Instructions for Windows and Linux Desktop distros
Instructions for Mac
Instructions for Command Line Interface


Introduction
Electrum is one of the most popular lightweight bitcoin clients around.  The software is incredibly useful and includes several options and tools that allow ultimate control of your bitcoin.  Electrum can be used to access any type of bitcoin wallet, including legacy, p2sh, or bech32 (exception: as of the most recent edit of this post, Electrum is not capable of importing Taproot addresses.)  Existing wallets can be imported into Electrum by using a private key, an extended private key, or a Bip39 seed phrase.  It can create new wallets of any type as well, including multi-signature wallets.  Electrum can be used to access the popular brands of hardware wallets, too.  It's also handy for creating watch-only versions of your cold or hardware wallets.  On top of all that, it’s open source, which allows anyone to audit the software, removing the need to solely trust the developers.

The unfortunate thing about open source software is that it can easily be copied by nefarious individuals, and made to look like the real thing.  Electrum's popularity and widespread use make it a prime target for these hackers and scammers.  So how does one ensure that he has downloaded the official, authentic version, and not a malicious fake?  First and foremost, make sure you download it only from the official Electrum website, but don't stop there.  The only way you can be certain you have downloaded an official release is to check if the file was digitally signed by the developer.  Electrum has many active developers and the releases are often signed by multiple individuals for security purposes.  The instructions below focus on checking the signature for one specific developer, Thomas Voegtlin, but can be used to verify the signature of any of the developers listed on Electrum's downloads page.


Resources
Links to key resources

ThomasV's PGP fingerprint:
  • 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
Source: https://electrum.readthedocs.io/en/latest/gpg-check.html

Redundant links to ThomasV's public key:

List of known, reliable PGP HockeyPuck Keyservers:
  • hkps://keys.openpgp.org
  • hkps://keyserver.ubuntu.com
  • hkps://pgp.mit.edu

Third-party binary installations that include GnuPG and a Graphical User Interface (GUI):


Getting Started With GPG
First you'll need to download and install Gnu Privacy Guard (GPG,) the successive implementation of the OpenPGP standard.  The link in the resources section above provides download links for the source code, a binary compilation to install the command-line-only GnuPG service on MacOS and Windows, and links to third-party binary releases which include a graphical user interface.  GPG4Win provides the option to install Kleopatra, a GUI application which is very user friendly.  Kleopatra is also available on Linux.  Mac GPG is also a user friendly application with a GUI Frontend.  I won't go into too much detail on installing GnuPG on your system, there are plenty of resources on the internet that can guide you through that, but the following paragraphs will help you get started.

Navigate to The GnuPG Project's download page, choose the appropriate command-line tool or third-party binary for your operating system, and install GnuPG according to instructions provided with the distribution.  

Note that some Linux distributions include GPG command-line services preinstalled, however few distributions include a graphical user interface for the GPG client.  Most Ubuntu Linux distributions, including those running on Windows Subsystem for Linux will have GPG preinstalled.  Refer to the CLI instructions for more information.

Once you've installed GPG you may be prompted to create or import a keypair.  If you already have a private key you can import it.  If you do not have a private key I recommend that you create a new keypair.  Again, there are plenty of instructional sites on the internet that you can reference to guide you through the process.  Having your own keypair is not mandatory to verify signed messages, but verifications will appear with errors that may be confusing.  To get the full experience, and the safety and security offered by GnuPG, a keypair will be needed to certify the public keys of others.  Details on how this affects verification will be discussed further during the tutorial.

Once you've created or imported your own private key you can now import ThomasV's public key.  On the downloads page of the official Electrum website, you'll find a link to ThomasV's public PGP key.  For redundancy I've posted that link in the references section above.  Clicking on the link will take you to a page that displays the public key.

Windows users take note: when downloading signatures and keys Windows likes to save .asc files with the .txt file extension.  To avoid this pitfall open an explorer window, click on the View tab, Folder Options, and under the view menu disable hidden extensions of known file types.




Windows and Linux Instructions

Install on Windows
For Windows systems I recommend Gpg4win.  Browse to their downloads page, and install the latest version.  Once the installation directory is chosen, the installer will allow you to choose components:




Kleopatra is the GUI front end that's included with Gpg4win, and I recommend you install it.  If you don't, you'll have to use command line tools to manage the GnuPG app.  Another optional feature is a shell extension which I find handy, and an Outlook email extension.  If you use Outlook the integration is pretty seamless, and actually quite useful.

Kleopatra is also available for Linux.  Look for it in the application store, or run the following command:

Code:
sudo apt install kleopatra



Once installation is complete, and Kleopatra launches you can create a keypair.  If you already have a private key that can be used to certify other people's keys, you can import it at this time.




To create a keypair enter the ID details you choose, and follow the prompts.  A password is optional.



Import ThomasV's PGP Key on Windows and Ubuntu
Import ThomasV's PGP Key using Kleopatra:
Download ThomasV's PGP Key from a trusted source.  Click the Import button, and navigate to the location where "ThomasV.asc" was saved, select the file, and click Open.




Alternatively, you may choose to use the built-in search feature that will download the private key from the keyserver.




To use the Search feature, copy ThomasV's fingerprint from a trusted source and enter it into the provided search field.




Once ThomasV's key has been imported it can be certified.  Depending on your version of Kleopatra and the default settings, a pop-up may ask you to certify the public key during the importation process, select Yes.  If not, on the Certificates tab select ThomasV's key and click the Certify button.




Choose the identity you want to certify, there's no reason not to select them all.  Click Certify.



Verify Electrum on Windows and Ubuntu
Download the Electrum package you prefer, and the associated signature file.  Save both in the same directory.  In Kleopatra, click on the "Decrypt/Verify" button, and browse to the location of the .exe and .asc files you saved.  Select the .asc file, and click "Open."




The software will check the integrity of the .exe file and compare it to the signature file.  If ThomasV's signature matches the .exe file you'll see a window like this pop up with text indicating that the signature is valid, and the key is fully trusted:




Note that the .asc file contains signatures from multiple developers.  There are three valid signatures in the example above.  Two of the signatures are made by unavailable certificates, but it does list the keys which were used to sign the .asc file.  The last signature listed is the one made by ThomasV's key, and it's shown as valid and trusted.  If your results match the example above, you now know that it's safe to run the .exe file on your system.

Pro Tip: use the convenient Search key on the right to download and certify the keys of the remaining developers.  In the example below I show what a fully trusted verification looks like:




In the example above the .exe file matches all the signatures in the .asc, and those signatures were made by available and certified keys.  The result has a bright green tinted background which makes fully trusted and valid signatures unmistakable.

If your results do not match my examples above, or you just want to learn more, keep reading.

In the examples below I demonstrate the importance of having your own keypair by replicating some of the errors you're likely to encounter if ThomasV's key is not certified, or if you have a corrupt or malicious file.




In the example above you'll note there are three signatures in the .asc file that could not be verified.  That's because none of the keys used to sign the .exe file are trusted by the system in my example.  The example shows that ThomasV's key is available, but it has not been certified.  The results also show that the .exe file matches the signatures in the .asc file, and lists the fingerprints of the keys used to create the signatures.  So, we have valid signatures by unknown or untrusted signers.  The keys must now be manually compared to the keys you are expecting to sign the .exe file.  The only way to have the results automatically return at least one trustworthy signature is to have at least one of the signing keys certified by your system.  To certify keys you need to have your own keypair.

Next, I will demonstrate a failed signature.  If the .exe does not match the signatures in the .asc file, the window will have a red tint and the text will also be red:




The example above shows what an invalid signature would look like.  To get the results above I created a text file full of gibberish and changed the name to match the .exe file.  The test stops when it encounters one invalid signature.  The results would look similar if at least one of the signing keys has been imported, even if it has not been certified.  This clearly indicates a potentially malicious file, that is NOT the file signed by the developers.


Mac Instructions

Install on Mac
For Mac users I recommend using the Mac GPG Suite from GPGtools.org.  It includes a GPG Keychain app that's very user friendly and walks you through creating a private key pair.
Browse to gpgtools.org site, download the .dmg file for your version of MacOS, and unpack it to start installation.






Once installation has reached the "Installation Type" page, click "Customize."




Mac GPG is free to use, except for the mail clients.  They come with a 30-day free trial if you care to try them, or you may choose to deselect them.




Enter your password if prompted:




Once installation is complete, the system will launch the GPG Keychain app, and prompt you to create a key pair.  Enter the credentials of your preference and click the "Generate Key" button.  If you already have a private key that can be used to certify other people's keys, click cancel and use the "Import" button to import your private key.



Import ThomasV's PGP Key on Mac OS
Download ThomasV's PGP Key from a trusted source.  If it's not already running, launch the GPG Keychain app, and click the import button.  Browse to the location where you saved the ThomasV.asc file, and select it.




The Keychain should now list ThomasV's public key.




Select ThomasV's key, right-click on it, and select "Sign..." to certify ThomasV's key:




Sign the identifications ThomasV has included in his key:



Verify on Mac OS
Download the Electrum image file and the associated signature file.  Open a Finder window, navigate to the location where you saved the Electrum .dmg file and the .asc signature file, and double click the signature file.




Mac GPG will launch the verification tool and compare the .dmg file to the signature file.  Once the verification tool has completed its diagnostic it'll pop up a window like this:




Note that the .asc file contains signatures from multiple developers.  There are three valid signatures in the example above.  Two of the signatures are made by unavailable certificates, but it does list the keys which were used to sign the .asc file.  The last signature listed is the one made by ThomasV's key, and it's shown as valid and trusted.  If your results match the example above, you now know that it's safe to run the .dmg file on your system.

The example below demonstrates a fully verified signature.




In the example above the .dmg file matches all the signatures in the .asc, and those signatures were made by available and certified keys.  To replicate these results you'll have to download and sign the keys of the remaining developers by repeating the steps used to obtain ThomasV's key.

If your results do not match my examples above, or you just want to learn more, keep reading.

In the examples below I demonstrate the importance of having your own keypair by replicating some of the errors you're likely to encounter if ThomasV's key is not certified, or if you have a corrupt or malicious file.




In the example above you'll note there are three signatures in the .asc file that could not be verified.  That's because none of the keys used to sign the .dmg file are trusted by the system in my example.  The example shows that ThomasV's key is available, but it has not been certified.  The results also show that the .dmg file matches the signatures in the .asc file, and lists the fingerprints of the keys used to create the signatures.  So, we have valid signatures by unknown or untrusted signers.  The keys must now be manually compared to the keys you are expecting to sign the .dmg file.  The only way to have the results automatically return at least one trustworthy signature is to have at least one of the signing keys certified by your system.  To certify keys you need to have your own keypair.

Next, I will demonstrate a failed signature.  If the .dmg does not match the signatures in the .asc file the result will indicate a bad signature:




The example above shows what an invalid signature would look like.  To get the results above I created a text file full of gibberish and changed the name to match the .dmg file.  The results would look similar if at least one of the signing keys has been imported, even if it has not been certified.  This clearly indicates a potentially malicious file, that is NOT the file signed by the developers.


Shell Terminal Instructions

Install CLI-Only Binary
Terminal commands are a more powerful way to interact with GPG.  They can be used on any of the operating systems mentioned in this post.  

If you've installed one of the third-party binaries with a GUI, the core GnuPG services are already installed.  If you choose not to use a third-party binary with a GUI, the GnuPG site has binary files for Windows that can be used to run the command line tools only.  For more convenient usage, they can also be set to run as an NT service.  For MacOS use homebrew or your preferred package manager to install the core services.  If you're using Linux, many distros include the core GnuPG services by default, otherwise see instructions below.  Once GPG is installed on your system you can run these commands.  In Windows use PowerShell or the Windows Terminal, in MacOS and Linux use the terminal app.

WARNING!
As a general precaution you should never copy unknown commands from the internet and paste them into your operating system's shell terminal.  Take the time to research these instructions before following them.  Your safety is why you're here in the first place.

If your version of Linux doesn't have GnuPG installed, run the following command (note: apt is the default package manager for Debian-based Linux distros; change accordingly for your version of Linux):

Code:
sudo apt update && sudo apt install -y gnupg

To show a list of common commands use:
Code:
gpg --help


To create a new keypair use:
Code:
gpg --generate-key


To import an existing private key use:
Code:
gpg --import /path/to/private-key.gpg


To list all the keys in your keyring use:
Code:
gpg -k


To list only the private keys in your keyring use:
Code:
gpg -K

Import ThomasV's PGP Key using terminal commands
Download ThomasV's PGP key from a trusted source and import ThomasV's public key:
Code:
gpg --import /<path>/<to>/<file>/<location>/ThomasV.asc


Example:
Code:
gpg --import ~/Downloads/ThomasV.asc


Alternatively, you can use GnuPG's built-in function to download ThomasV's key from one of the GnuPG key servers.  For example, here's a command using the OpenPGP key server:
Code:
gpg --keyserver hkps://keys.openpgp.org --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6


Indicate your acceptance at the prompts.  The response should look like this:
Quote
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1


Refresh your keyring:
Code:
gpg -k


You should now see ThomasV's key in your keyring, the entry should look like this:
Quote

pub   rsa4096 2011-06-15 [SC]
      6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid           [ unknown] Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
uid           [ unknown] ThomasV <thomasv1@gmx.de>
uid           [ unknown] Thomas Voegtlin <thomasv1@gmx.de>
sub   rsa4096 2011-06-15 [E]


ThomasV's key can now be certified.
Code:
gpg --sign-key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6


This command may be needed for some configurations:
Code:
gpg -u <yourfingerprint> --sign-key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6


Select y and press enter at the two following prompts.  You'll be prompted for the GPG password that you set when creating your key pair.  ThomasV's key trust level will be set to "full."

Check the trust level of the public key by refreshing the keyring:
Code:
gpg -k


The results for ThomasV's key should look like this:
Quote

pub   rsa4096 2011-06-15 [SC]
      6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid           [  full  ] Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
uid           [  full  ] ThomasV <thomasv1@gmx.de>
uid           [  full  ] Thomas Voegtlin <thomasv1@gmx.de>
sub   rsa4096 2011-06-15 [E]

Verify using Terminal Commands
Download the Electrum app image file and the associated signature file.  To verify the downloaded AppImage, open a terminal and enter the following command:
Code:
gpg --verify /<path>/<to>/<file>/<location>/<filename>.AppImage.asc


Example:
Code:
gpg --verify ~/Downloads/electrum-4.2.0-x86_64.AppImage.asc


The result should look like this:
Quote

gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [full]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [full]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [full]


Note that the .asc file contains signatures from multiple developers.  There are three valid signatures in the example above.  Two of the signatures are made by unavailable certificates, but it does list the keys which were used to sign the .asc file.  The last signature listed is the one made by ThomasV's key, and it's shown as valid and trusted.  If your results match the example above, you now know that it's safe to run the .AppImage file on your system.

The example below demonstrates a fully verified signature.

Quote

gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Good signature from "Stephan Oeste (it) <it@oeste.de>" [full]
gpg:                 aka "Emzy E. (emzy) <emzy@emzy.de>" [full]
gpg:                 aka "Stephan Oeste (Master-key) <stephan@oeste.de>" [full]
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Good signature from "SomberNight/ghost43 (Electrum RELEASE signing key) <somber.night@protonmail.com>" [full]
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [full]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [full]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [full]


In the example above the .AppImage file matches all the signatures in the .asc, and those signatures were made by available and certified keys.  The results indicate good signatures from all three keys.

If your results do not match my examples above, or you just want to learn more, keep reading.

In the examples below I demonstrate the importance of having your own keypair by replicating some of the errors you're likely to encounter if ThomasV's key is not certified, or if you have a corrupt or malicious file.

Quote

gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

In the example above you'll note there are three signatures in the .asc file that could not be verified.  That's because none of the keys used to sign the .AppImage file are trusted by the system in my example.  The example shows that ThomasV's key is available, but it has not been certified.  The results also show that the .AppImage file matches the signatures in the .asc file, and lists the fingerprints of the keys used to create the signatures.  So, we have valid signatures by unknown or untrusted signers.  The keys must now be manually compared to the keys you are expecting to sign the .AppImage file.  The only way to have the results automatically return at least one trustworthy signature is to have at least one of the signing keys certified by your system.  To certify keys you need to have your own keypair.

Next, I will demonstrate a failed signature.  If the .AppImage does not match the signatures in the .asc file the result will indicate a bad signature:

Quote

gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: BAD signature from "Stephan Oeste (it) <it@oeste.de>" [full]
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: BAD signature from "SomberNight/ghost43 (Electrum RELEASE signing key) <somber.night@protonmail.com>" [full]
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: BAD signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [full]

The example above shows what an invalid signature would look like.  To get the results above I created a text file full of gibberish and changed the name to match the .AppImage file.  The results would look similar if at least one of the signing keys has been imported, even if it has not been certified.  This clearly indicates a potentially malicious file, that is NOT the file signed by the developers.


The contents of this article may be shared, in part or in whole.  The images within are posted and shared in the public domain.  If you share this article please give credit to the author and provide a link to the original.
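The fingerprint comparison described in the post above can also be done against gpg's machine-readable status lines (`--status-fd`) instead of by eye. This is an added example, not part of the original post: `check_status` and `verify_release` are hypothetical names, the sample status lines are constructed, and the fingerprint is the one shown in the post.

```shell
#!/bin/sh
# Added example: decide on a release from gpg's machine-readable status lines.
# Fingerprint of ThomasV's key as shown in the post above.
EXPECTED_FPR=6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

# check_status FPR: reads `gpg --status-fd 1 --verify` output on stdin.
# Exit 0: a valid signature by FPR was found and no signature failed.
# Exit 1: nothing verified against FPR (key not imported, or other signers only).
# Exit 2: at least one BADSIG, i.e. the file is not the one that was signed.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"   { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint,
        # the last field is the primary key fingerprint.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END {
            if (bad) exit 2
            if (ok)  exit 0
            exit 1
        }'
}

# verify_release SIGFILE: hypothetical wrapper around a real gpg run.
verify_release() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed status output: two signers whose keys are not imported, plus a
# good signature from the expected key that has not been certified locally.
SAMPLE_OK='[GNUPG:] ERRSIG 3152347D07DA627C 1 10 00 1647459780 9 637DB1E23370F84AFF88CCE03152347D07DA627C
[GNUPG:] NO_PUBKEY 3152347D07DA627C
[GNUPG:] ERRSIG CA9EEEC43DF911DC 1 10 00 1647446040 9 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
[GNUPG:] NO_PUBKEY CA9EEEC43DF911DC
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2022-03-16 1647438778 0 4 0 1 10 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed status output for a file that does not match its signature.
SAMPLE_BAD='[GNUPG:] BADSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>'

# Constructed status output: valid signature, but only from a different key.
SAMPLE_OTHER='[GNUPG:] VALIDSIG 637DB1E23370F84AFF88CCE03152347D07DA627C 2022-03-16 1647459780 0 4 0 1 10 00 637DB1E23370F84AFF88CCE03152347D07DA627C'

printf '%s\n' "$SAMPLE_OK" | check_status "$EXPECTED_FPR" && echo "signed by expected key"
```

Because the check matches the full fingerprint in `VALIDSIG`, it does not depend on the key having been certified locally; it only answers whether the expected key signed this exact file.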
3019  Economy / Collectibles / Re: [Raffle] 2015 Bitcoin Penny Raffle 1 Spot Left ALL Prepaid by geophphreigh :-) on: April 15, 2020, 01:00:56 AM
1 Spot left......

If this is still accurate, I'll take it.  Please let me know where to send payment, and thank you.

ETA:
I see what I missed, if I had only read a little more than the first and last posts.  Undecided

I'll buy all the spots and take one random.  Smiley

The other 15 spots can go to the next 15 people to request a spot or a random!

txID incoming via PM.

Thanks to both, DaveF and geophphreigh!
3020  Other / Archival / Re: . on: April 14, 2020, 10:09:02 PM
.007