|
guitarplinker
Legendary
Offline
Activity: 1694
Merit: 1024
|
|
May 03, 2015, 04:23:00 PM |
|
On the Electrum download page, there's a note saying that "Sources are signed by ThomasV. Executables are signed by Animazing". Since you downloaded the executable version of Electrum rather than just the source files, it was signed by Animazing. Here's a link to his PGP key: http://bitcoin-otc.com/viewgpg.php?nick=AnimazingIf you import Animazing's key, and then try to verify the signature of the executable, it should check out fine. I just tried it myself, and it verified as it should.
|
|
|
|
Abdussamad
Legendary
Offline
Activity: 3682
Merit: 1580
|
|
May 04, 2015, 12:31:16 AM |
|
I'm using Ubuntu, here what I have done:
The .exe file is for windows users. You should follow the instructions for linux and download the source tarball. That is signed by ThomasV.
|
|
|
|
xdigital (OP)
Newbie
Offline
Activity: 41
Merit: 0
|
|
May 04, 2015, 12:46:13 AM |
|
Thank guitarplinker for pointing it out. Got it verified now. To Abdussamad: I'm have 2 machines, 1 is my main PC running Windows, 1 is Ubuntu server (which is also running a full bitcoin node). I don't want to install gpg on the Windows machine, So I use Ubuntu. Here is what I did. Using the RSA key ID 695506FDfound from the last error, I get Amazing's key by changing the key of the first command. gpg --keyserver pool.sks-keyservers.net --recv-keys 695506FDgpg: requesting key 695506FD from hkp server pool.sks-keyservers.net gpg: key 695506FD: public key "Animazing < animazing@gmail.com>" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg --verify electrum-2.1.1.exe.asc electrum-2.1.1.exegpg: Signature made Fri 24 Apr 2015 03:52:59 PM MDT using RSA key ID 695506FD gpg: Good signature from "Animazing < animazing@gmail.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 9914 864D FC33 499C 6CA2 BEEA 2245 3004 6955 06FD
|
|
|
|
jlp
|
|
May 20, 2017, 01:54:50 PM |
|
How do I verify the Electrum download and signatures on a Mac?
|
|
|
|
jlp
|
|
May 20, 2017, 07:00:20 PM |
|
nerioseole: Thanks for your help and suggestions. I downloaded http://download.electrum.org/2.8.2/electrum-2.8.2.dmg.asc and renamed the file to electrum-2.8.2.dmg.asc.txt. I installed GPG from gpgtools.org. I de-selected GPGMail because I don't use Apple's Mail. I ran GPG and got the following, which is different than what you got. $ gpg --verify electrum-2.8.2.dmg.asc.txt electrum-2.8.2.dmg gpg: Signature made Tue 21 Mar 13:42:38 2017 EDT using RSA key ID 7F9470E6 gpg: requesting key 7F9470E6 from hkps server hkps.pool.sks-keyservers.net gpg: key 7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown] gpg: aka "ThomasV <thomasv1@gmx.de>" [unknown] gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 $
It seems that the verification failed. What did I do wrong?
|
|
|
|
jlp
|
|
May 20, 2017, 08:05:35 PM |
|
nerioseole: Okay. Does this mean that I verified that the downloaded image was unchanged, in addition to being signed properly? What about all of the other steps mentioned by users xdigital and guitarplinker, such as: gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6 Can I ignore them?
|
|
|
|
Abdussamad
Legendary
Offline
Activity: 3682
Merit: 1580
|
|
May 20, 2017, 09:12:50 PM |
|
nerioseole: Okay. Does this mean that I verified that the downloaded image was unchanged, in addition to being signed properly? What about all of the other steps mentioned by users xdigital and guitarplinker, such as: gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6 Can I ignore them? those steps are for fetching the gpg key but the software you used already did that for you:
|
|
|
|
jlp
|
|
May 22, 2017, 10:18:34 PM |
|
I didn't see any indication from GPG that it verified that the downloaded image was unchanged, in addition to being signed properly? Did it verify that the downloaded image was unchanged? I disconnected my Mac from the internet, booted up Mac OS from a bootable USB. I tried to install electrum-2.8.2.dmg, but my Mac gave me the following message: “Electrum” can’t be opened because it is from an unidentified developer.
Your security preferences allow installation of only apps from the Mac App Store and identified developers.
“Electrum” is on the disk image “electrum-2.8.2.dmg”. Safari downloaded this disk image on May 20, 2017. Am I correct to assume that I can ignore this and go to Preferences > Security & Privacy > Allow apps downloaded from: Anywhere (or open anyway) ?
|
|
|
|
pooya87
Legendary
Offline
Activity: 3626
Merit: 10997
Crypto Swap Exchange
|
|
May 23, 2017, 08:11:52 AM Last edit: May 23, 2017, 08:21:53 AM by pooya87 |
|
- to check the signature of a file you need 3 things: * the file (.dmg file) * the signature file (.asc file) * and the public key (7F9470E6) here are a couple of things that are confusing about GPG and needs translation: gpg: Good signature from "Thomas Voegtlin ... means the signature was correct, aka you have downloaded the right file. gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. means you have not added the public key (7F9470E6) to your list of trusted keys. you don't have to do this. if you want the warning to go away basically you have to add the key to your list and sign it with your own key. read this: https://security.stackexchange.com/questions/108471/verifying-a-downloaded-file-with-gpgthe same goes for Mac, i think it is called GateKeeper that is preventing installation of any app that it doesn't recognize.
|
|
|
|
jlp
|
|
May 23, 2017, 12:34:20 PM |
|
the same goes for Mac, i think it is called GateKeeper that is preventing installation of any app that it doesn't recognize.
Yes, the following message from my Mac is from GateKeeper: “Electrum” can’t be opened because it is from an unidentified developer.
Your security preferences allow installation of only apps from the Mac App Store and identified developers.
“Electrum” is on the disk image “electrum-2.8.2.dmg”. Safari downloaded this disk image on May 20, 2017. From Apple https://support.apple.com/en-ca/HT202491: For apps that are downloaded from places other than the Mac App Store, developers can get a unique Developer ID from Apple and use it to digitally sign their apps. The Developer ID allows Gatekeeper to block apps created by malware developers and verify that apps haven't been tampered with since they were signed. If an app was developed by an unknown developer—one with no Developer ID—or tampered with, Gatekeeper can block the app from being installed. I'm surprised that Electrum's developers would not have gotten a Developer ID from Apple and signed their app. Should I ignore the GateKeeper message and install anyways ?
|
|
|
|
HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
|
|
May 23, 2017, 12:48:15 PM |
|
I'm surprised that Electrum's developers would not have gotten a Developer ID from Apple and signed their app.
Should I ignore the GateKeeper message and install anyways ?
"The cost is 99 USD per membership year." I'm not surprised at all... Yes, if you downloaded from the Electrum website and have confirmed that the package is signed with Thomas' key, then the package is unmodified. Go ahead and install it.
|
|
|
|
adaseb
Legendary
Offline
Activity: 3878
Merit: 1733
|
|
May 23, 2017, 09:11:15 PM |
|
Is there anyway to verify the download offline in Ubuntu ?
|
|
|
|
pooya87
Legendary
Offline
Activity: 3626
Merit: 10997
Crypto Swap Exchange
|
|
May 24, 2017, 04:03:10 AM |
|
Is there anyway to verify the download offline in Ubuntu ?
i actually searched about this a while back but couldn't find anything that helped. but i still think technically it should work. you have to find a way to give the signature for verifying. since this: https://pgp.mit.edu/pks/lookup?op=get&search=0x2BD5824B7F9470E6 can be saved as a file. and you would need to change the gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6 line to something else so that gpg takes the key from your file instead of the server. i don't know how because it never was necessary to do so, i download on linux, verify, and transfer to offline storage and install there.
|
|
|
|
adaseb
Legendary
Offline
Activity: 3878
Merit: 1733
|
|
May 24, 2017, 04:28:38 PM |
|
Is there anyway to verify the download offline in Ubuntu ?
i actually searched about this a while back but couldn't find anything that helped. but i still think technically it should work. you have to find a way to give the signature for verifying. since this: https://pgp.mit.edu/pks/lookup?op=get&search=0x2BD5824B7F9470E6 can be saved as a file. and you would need to change the gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6 line to something else so that gpg takes the key from your file instead of the server. i don't know how because it never was necessary to do so, i download on linux, verify, and transfer to offline storage and install there. I did more reading and this should of worked: gpg --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 echo "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6:6" | gpg --import-ownertrust - However you need internet access for that or it gives an error.
|
|
|
|
Itty Bitty
Member
Offline
Activity: 138
Merit: 14
|
|
August 25, 2017, 10:21:57 AM |
|
This is what I get when hitting the version 2.9.3 Windows Standalone Executable file signature.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIcBAABCgAGBQJZjYhyAAoJECvVgkt/lHDmf5MP/2Qai6OUKCbG/146dRa7E6em ZU4TqrRQofgW6Ya7hO9XG3T+5ji/5HF66/SJ+G3qNVcaJnLGL3KomN42sv52WANx 1/qeOfZckwrzC/k1AmIzR43/eaGUcC9Fr+orjz2eQlpE4qfQiijvGS6T6ZMQtJFC axKCv0pA1VvnEMlQf+PScde/BF8wgGY43xa3pm0jrHXJu0Tbtl3JvuDrh9sI1Zan fhjV7OldtOijNmvj0mAGbvuSjZKN3Pf3VKHD1acGQ92Owj19j/MB9lgesbrygvvk 7fX+9Lw9yl9BK9JD0xTnhrNTRZvVLp4fKskAF6KfhkJjm+bm+m+p/WTp1IfrywXY CYx/GD6ZbSqrwnq7sEUhVaaLQC33G97Lwu1Jmsm8fu5iy+QcE7kCa+Pu9C8kv1e4 zwVK/kiyHQSY8m506GgrJhtfODmeTloryUNterKoFaRjuN9bRPxotr85QdhVy4Ci PoWW8+tHttmHsLfF9CtcmYkzSSYyB+HsTSvhkgs/Rl4zJ2526Xw4i10scfD0dhar ikk8OONbYFWO0LJSgakqcezhYgGqMiyw7jXMS+II1QSvCHDgpCpnLekoYclH/lo/ Kdzq/OwUdm3peh39hggy5LwciC3OXG9EslhNlP6HqK9rg1AAsGGAoIr+jpbmRBqD 577hMthTTwWAlU9B0nke =YtfS -----END PGP SIGNATURE-----
I don't know the first f**king thing about what to do to verify whether this is a legit signature.
Why you gotta leave computer illiterates so in the dark is f**king nasty when $$$ are at stake.
Speaking for computer software illiterates everywhere that want to take precautions to safely store their bitcoins, I say - F**k the f**king computer world.
|
|
|
|
Itty Bitty
Member
Offline
Activity: 138
Merit: 14
|
|
August 26, 2017, 07:21:46 AM |
|
BUMP
If you're going to tell people over and over and over, that you don't own your bitcoins unless you are in control of your private keys, get them off exchanges, get them off custodial services, and then when they come to Electrum to try and do what they're told, you throw these people a curve ball and show these signatures out of the blue, which is a pretty complicated business for a newbie, and then just leave them hanging - you are being jerks.
Either take signatures off the website, or explain to newbies what they are for and how to use them!
|
|
|
|
HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
|
|
August 26, 2017, 11:33:44 PM |
|
Or people could stop being lazy and expect everything to be spoon-fed to them... Google exists for a reason... there are literally dozens of webpages and the odd video ( https://www.youtube.com/watch?v=Go7CBYWosLc windows, https://www.youtube.com/watch?v=h7vboUn3ahI Mac) that explain what the signatures are for and/or how to go about using them to verify that a file is legit... If people are so concerned about their "$$$", then maybe they should educate themselves and stop being "computer software illiterates". If you have enough time to log onto btctalk and moan about not knowing how to do something and insult people for not dropping everything they're doing to help you, you have enough time to use Google and your brain and go and learn something. Did you do ANYTHING in the 21 hours between your posts to investigate PGP signatures and how they're used to verify files? "Be your own bank" also implies "Be your own security team" Besides, checking the signatures is not even mandatory... it is recommended, but isn't required to be able to use Electrum. Also, as a side note... - you are being jerks.
I say - F**k the f**king computer world.
Insulting the people you are asking for assistance, probably isn't the best way to get the assistance you desire... #justSaying
|
|
|
|
Itty Bitty
Member
Offline
Activity: 138
Merit: 14
|
|
August 27, 2017, 08:23:34 AM |
|
"Did you do ANYTHING in the 21 hours between your posts to investigate PGP signatures and how they're used to verify files?"
Actually, after some research, I went to gpgtools.org and downloaded some .dmg file (GPG_suite-2016.10v2.dmg)
But my computer didn't open it.
More research led to a "howtogeek" webpage which suggested I download either 7-Zip or DMG extractor to open my files.
So up to now, I need to download 2 files (hoping my antivirus stops any malware with these files) in order to begin the process of signature verification, which I guess will help validate that the Electrum files are genuine (?).
Good grief, I am lost.
(BTW, I know you are a conscientious helpful person HCP, just venting at how frustrating this is for a computer illiterate, nothing meant against you specifically)
|
|
|
|
Itty Bitty
Member
Offline
Activity: 138
Merit: 14
|
|
August 27, 2017, 08:56:51 AM |
|
So I watched the Kleopatra video you linked, and seriously, to me it was the equivalent of going to have my car repaired, and the mechanic telling me "do I have to spoon feed you everything? Here is a video on how to change your timing belt, now GTFO and go do it yourself, you lazy loser"
Bottom line - Electrum is an excellent, user friendly wallet.
But if you want to check the integrity of the download files, you need to take a several hour course (maybe tens of hours if you are a true newbie starting from scratch) in digital signatures and how to verify them
Just putting the signatures up on the Electrum site near the files, and leaving them there with no more info, is confusing, to say the least, to many people. Unless you have deep computer/software knowledge, you can't properly verify the integrity of the Electrum files, and you might be better off trusting exchanges or 3rd parties to hold your money, rather than downloading corrupted files and watch your money disappear.
|
|
|
|
|