I downloaded the Electrum Wallet on Linux. First, I successfully verified the main key:
gpg --verify Electrum-4.1.5.tar.gz.ThomasV.asc Electrum-4.1.5.tar.gz
When I tried to verify the release key, though:
gpg --verify Electrum-4.1.5.tar.gz.sombernight_releasekey.asc Electrum-4.1.5.tar.gz
I got an error:
gpg: Signature made Mon 19 Jul 2021 10:19:51 PM EEST
gpg: using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Can't check signature: No public key
So I downloaded the key from the Ubuntu Server (I am using MX Linux, but I am not sure which other server to use, and Ubuntu sounded trusted to me):
gpg --keyserver keyserver.ubuntu.com --receive-keys 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
After this, when I tried again to verify the signature, I got:
gpg: Signature made Mon 19 Jul 2021 10:19:51 PM EEST
gpg: using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Good signature from "SomberNight/ghost43 (Electrum RELEASE signing key) <somber.night@protonmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0EED CFD5 CAFB 4590 6734 9B23 CA9E EEC4 3DF9 11DC
Is this signature recognized as safe?
I can see that SomberNight is indeed one of the Electrum devs.
But I am concerned, as I cannot find SomberNight's fingerprint anywhere on trusted websites:
0EED CFD5 CAFB 4590 6734 9B23 CA9E EEC4 3DF9 11DC
It is not pointed out in the documentation as ThomasV's signature is. I can see it being present on old pages on electrum.org, but when I try to access them, even using the Google Cached option, it is gone.
And the other sites where I found it cited are hacking sites (like winning from the lottery), a site trying to redirect me to a porn site, etc., and this makes me very suspicious.
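
Added example, not part of the original post: gpg's "Good signature" line only says the file matches whatever key was fetched, so the check that matters is comparing the signer's full primary fingerprint with one obtained from a source trusted independently of the keyserver. The function names and the sample status lines below are constructed for illustration; `--status-fd` and the `VALIDSIG` status line are standard GnuPG.

```shell
#!/bin/sh
# Constructed sample of `gpg --status-fd 1 --verify SIG FILE` output,
# built from the key ID and fingerprint quoted in the post.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CA9EEEC43DF911DC SomberNight/ghost43 (Electrum RELEASE signing key) <somber.night@protonmail.com>
[GNUPG:] VALIDSIG 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC 2021-07-19 1626722391 0 4 0 1 10 00 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# normalize_fpr: strip spaces and uppercase, so "0EED CFD5 ..." compares
# equal to the unspaced form gpg prints in status lines.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# signer_matches EXPECTED_FPR   (gpg status lines on stdin)
# Returns 0 if a VALIDSIG line names EXPECTED_FPR as the primary key,
# 1 if no such line exists (bad signature, missing key, other signer),
# 2 if EXPECTED_FPR is not a full 40-hex-digit fingerprint.
signer_matches() {
    expected=$(normalize_fpr "$1")
    case "$expected" in
        *[!0-9A-F]*) return 2 ;;
    esac
    # Short and long key IDs can collide; insist on the full fingerprint.
    [ "${#expected}" -eq 40 ] || return 2
    awk -v want="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; field 3 is the key
            # that actually signed (a subkey when the two differ).
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == want) ok = 1
        }
        END { exit ok ? 0 : 1 }
    '
}

# verify_pinned EXPECTED_FPR SIGFILE DATAFILE
# Runs the real verification and applies the fingerprint check to it.
verify_pinned() {
    gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null | signer_matches "$1"
}
```

`verify_pinned` succeeds only when the signature is cryptographically valid and made by the pinned key, whatever trust level gpg displays for it.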