Verify downloaded Electrum executable

[gerdliebert]

Hi everybody,

I checked some of the posts on verifying the a downloaded Electrum executable but none of them was applicable to my problem.

I have: Windows 7 SP1, downloaded the Windows standalone executable from https://electrum.org/#download

Using GPG4WIN I imported ThomasV's PGP Public Key (ThomasV is listed as the person who signed all files). The result of this import was

Code:

gpg: key 2BD5824B7F9470E6: 74 trusts not checked due to missing keys (in German: 74 Beglaubigungen wegen fehlender Schlüssel nicht geprüft)
gpg: key 2BD5824B7F9470E6: "Thomas Voegtlin (https://electrum.org) and so on ..." not changed
gpg: Total number processed: 1
gpg: unchanged: 1 

I continued with checking the Executable's PGP Signature (which was also provided on the above download page). The result was:

Code:

gpg: Signature from .... etc. etc. it all seemed ok. But at the end it was saying:
gpg: WARNING: This key doesn't have a trusted signature!
gpg:          There is no indication that the signature really belongs to the owner given above.
etc. etc.

So what does this all mean?
Is the downloaded executable legit or not?

[xdrpx]

Usually after importing the .gpg and verifying the signatures this would be your output:

Code:

[-pc electrum]$ gpg --verify Electrum-3.0.2.tar.gz.asc Electrum-3.0.2.tar.gz
gpg: Signature made Tuesday 14 November 2017 04:21:16 AM 
gpg:                using RSA key 2BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

This sigifies that your signatures are verified and are good when compared. So you don't have to worry about that. There's a good answer here on how the opengpg trust model works: https://security.stackexchange.com/questions/41208/what-is-the-exact-meaning-of-this-gpg-output-regarding-trust/41209#41209. The warning there means you need to locally trust the keys. You can do that in terminal by doing the following:

Code:

gpg --trusted-key 0x2bd5824b7f9470e6 --list-keys 

or

Code:

gpg --edit-key 0x7F9470E6 trust

This would mark that public key as trusted on your system with the output:

Code:

gpg: key 2BD5824B7F9470E6 marked as ultimately trusted
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   rsa4096 2011-06-15 [SC]
      6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid           [ultimate] Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
uid           [ultimate] ThomasV <thomasv1@gmx.de>
uid           [ultimate] Thomas Voegtlin <thomasv1@gmx.de>
sub   rsa4096 2011-06-15 [E]

After that if you re-verify the files with the signature you'll seee that the warning is now gone:

Code:

gpg: Signature made Tuesday 14 November 2017 04:21:16 AM
gpg:                using RSA key 2BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [ultimate]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [ultimate]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [ultimate]

[gerdliebert]

Wow, that was fast. Thank you for your help, xdrpx !