Verify paperwallet GPG

[landuvour]

Hi  , I want to verify this paperwallet creator
https://github.com/cantonbecker/bitcoinpaperwallet

Canton Becker says that I can verify authenticity through GPG, so I've installed GPGforWin with all features: GnuPg, Kleopatra, GPA, GpgOL, GpgEX. I run Windows 10 64 bit.

In the README Canton says: 'go to appropriate directory and type in these two commands':
  gpg --recv-key 36E1D9B6
  gpg --verify --with-fingerprint generate-wallet.html.sig generate-wallet.html

So, I open as an admin 'command prompt' and I type:        gpg --recv-key 36E1D9B6

I get:

gpg: requesting key 36E1D9B6 from hkp server keys.gnupg.net
gpg: no valid OpenPGP data found
gpg: total number processes: 0
gpg: keyserver communications error: keyserver helper internal error
gpg: keyserver communications error: General error
gpg: keyserver receive failed: General error

when I try to type this line:         gpg --verify --with-fingerprint generate-wallet.html.sig generate-wallet.html

I get:

gpg: impossible open 'generate-wallet.html.sig': No such file or directory
gpg: verify signatures failed: No such file or directory

Can anyone help me?  

[HI-TEC99]

Read the whole of this thread and you might find the answers you are looking for. It has detailed instructions for using gpg to verify electrum

https://bitcointalk.org/index.php?topic=1836004.0

36E1D9B6 appears on this page as a subkey

http://keys.gnupg.net/pks/lookup?op=vindex&search=0xC525F0650B16DF4B

Often the primary key is used for signing, and the subkey used for encryption.

There's more information about subkeys here.

https://superuser.com/questions/632375/why-does-gpg-pgp-by-default-use-different-keys-for-signing-encryption

[landuvour]

Thanks HI-TEC99

I have followed religiously your guide posted in the link, through cleopatra I get:

generate-wallet.html.sig: Signature is valid
Signed on 2016-02-23 15:53 with unknown certificate 0x761F7D53D11591274A170B839277AD7136E1D9B6.

but, I don't have certificate of Canton Becker (the maker of bitcoin paperwallet) I only have trough his website these:
PGP Public Key ... (very long as you know  )
RSA Key ID: 36E1D9B6
Fingerprint: AB12 6777 451C 7A18 C172 3297 C525 F065 0B16 DF4B

How can I connect this certificate to him?

[cr1776]

Thanks HI-TEC99

I have followed religiously your guide posted in the link, through cleopatra I get:

generate-wallet.html.sig: Signature is valid
Signed on 2016-02-23 15:53 with unknown certificate 0x761F7D53D11591274A170B839277AD7136E1D9B6.

but, I don't have certificate of Canton Becker (the maker of bitcoin paperwallet) I only have trough his website these:
PGP Public Key ... (very long as you know  )
RSA Key ID: 36E1D9B6
Fingerprint: AB12 6777 451C 7A18 C172 3297 C525 F065 0B16 DF4B

How can I connect this certificate to him?

I believe that is what he is talking about on the github page you linked to above when he says:

'If you get warnings like "This key is not certified, there is no indication that the key belongs to the owner" do not worry, this is normal.

As long as the signature is valid, that is enough.

[HI-TEC99]

Thanks HI-TEC99

I have followed religiously your guide posted in the link, through cleopatra I get:

generate-wallet.html.sig: Signature is valid
Signed on 2016-02-23 15:53 with unknown certificate 0x761F7D53D11591274A170B839277AD7136E1D9B6.

but, I don't have certificate of Canton Becker (the maker of bitcoin paperwallet) I only have trough his website these:
PGP Public Key ... (very long as you know  )
RSA Key ID: 36E1D9B6
Fingerprint: AB12 6777 451C 7A18 C172 3297 C525 F065 0B16 DF4B

How can I connect this certificate to him?

Ideally you should personally check in multiple places you trust that a signature really does belong to someone you trust. Often even experienced professionals skip that step and just use whatever is on a key server, but that's very risky. This quote sums up what you should do.

https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key

A "trusted signature" is a signature from a key that you trust, either because (a) you have personally verified that it belongs to the person to whom it claims to belong, or (b) because it has been signed by a key that you trust, possibly through a series of intermediate keys.

I found a reddit post containing that fingerprint by someone with the username cantonbecker. However, I don't know Canton Becker well enough to confirm if that really is his reddit account. You will have to google some more to find something you can double check with.

https://www.reddit.com/r/GnuPG/comments/1lsuih/am_i_pgpsigning_my_bitcoin_wallet_generator/ccfzj6e/

However I don't want to put my key fingerprint in the README file itself because the whole point of signing the document is discouraging people from trusting the download itself without double-checking...

As a start, I'll take your advice and post my fingerprint info here

AB12 6777 451C 7A18 C172 3297 C525 F065 0B16 DF4B http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC525F0650B16DF4B

[landuvour]

Perfect, I will follow your indications for best verifying signature.

This topic brings me spontaneously to ask you another question.

Can you advise me a good bitcoin (and maybe eth ) paper wallet generator?  So good I can verify who is the owner and his signature, in other words a generator made up by a reliable developer.

Thanks a lot again!

[HI-TEC99]

Perfect, I will follow your indications for best verifying signature.

This topic brings me spontaneously to ask you another question.

Can you advise me a good bitcoin (and maybe eth ) paper wallet generator?  So good I can verify who is the owner and his signature, in other words a generator made up by a reliable developer.

Thanks a lot again!

Sorry, I can't advise about paper wallets. I have never used them to store coins, so I don't have enough experience of them to give good advice. I'm sure other users here will help.