guitarplinker
Legendary
Offline
Activity: 1694
Merit: 1024
|
|
May 03, 2015, 04:23:00 PM |
|
On the Electrum download page, there's a note saying that "Sources are signed by ThomasV. Executables are signed by Animazing". Since you downloaded the executable version of Electrum rather than just the source files, it was signed by Animazing. Here's a link to his PGP key: http://bitcoin-otc.com/viewgpg.php?nick=Animazing
If you import Animazing's key, and then try to verify the signature of the executable, it should check out fine. I just tried it myself, and it verified as it should.
|
|
|
|
Abdussamad
Legendary
Offline
Activity: 3598
Merit: 1560
|
|
May 04, 2015, 12:31:16 AM |
|
I'm using Ubuntu, here what I have done:
The .exe file is for windows users. You should follow the instructions for linux and download the source tarball. That is signed by ThomasV.
|
|
|
|
xdigital (OP)
Newbie
Offline
Activity: 41
Merit: 0
|
|
May 04, 2015, 12:46:13 AM |
|
Thanks guitarplinker for pointing it out. Got it verified now.
To Abdussamad: I have 2 machines, 1 is my main PC running Windows, 1 is Ubuntu server (which is also running a full bitcoin node). I don't want to install gpg on the Windows machine, so I use Ubuntu.
Here is what I did. Using the RSA key ID 695506FD found from the last error, I get Animazing's key by changing the key of the first command.
gpg --keyserver pool.sks-keyservers.net --recv-keys 695506FD
gpg: requesting key 695506FD from hkp server pool.sks-keyservers.net
gpg: key 695506FD: public key "Animazing < animazing@gmail.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg --verify electrum-2.1.1.exe.asc electrum-2.1.1.exe
gpg: Signature made Fri 24 Apr 2015 03:52:59 PM MDT using RSA key ID 695506FD
gpg: Good signature from "Animazing < animazing@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9914 864D FC33 499C 6CA2 BEEA 2245 3004 6955 06FD
|
|
|
|
jlp
|
|
May 20, 2017, 01:54:50 PM |
|
How do I verify the Electrum download and signatures on a Mac?
|
|
|
|
jlp
|
|
May 20, 2017, 07:00:20 PM |
|
nerioseole: Thanks for your help and suggestions.
I downloaded http://download.electrum.org/2.8.2/electrum-2.8.2.dmg.asc and renamed the file to electrum-2.8.2.dmg.asc.txt. I installed GPG from gpgtools.org. I de-selected GPGMail because I don't use Apple's Mail. I ran GPG and got the following, which is different than what you got.
$ gpg --verify electrum-2.8.2.dmg.asc.txt electrum-2.8.2.dmg
gpg: Signature made Tue 21 Mar 13:42:38 2017 EDT using RSA key ID 7F9470E6
gpg: requesting key 7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg: aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
$
It seems that the verification failed. What did I do wrong?
|
|
|
|
jlp
|
|
May 20, 2017, 08:05:35 PM |
|
nerioseole: Okay. Does this mean that I verified that the downloaded image was unchanged, in addition to being signed properly? What about all of the other steps mentioned by users xdigital and guitarplinker, such as:
gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6
Can I ignore them?
|
|
|
|
Abdussamad
Legendary
Offline
Activity: 3598
Merit: 1560
|
|
May 20, 2017, 09:12:50 PM |
|
nerioseole: Okay. Does this mean that I verified that the downloaded image was unchanged, in addition to being signed properly? What about all of the other steps mentioned by users xdigital and guitarplinker, such as: gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6 Can I ignore them?
those steps are for fetching the gpg key but the software you used already did that for you:
|
|
|
|
jlp
|
|
May 22, 2017, 10:18:34 PM |
|
I didn't see any indication from GPG that it verified that the downloaded image was unchanged, in addition to being signed properly? Did it verify that the downloaded image was unchanged? I disconnected my Mac from the internet, booted up Mac OS from a bootable USB. I tried to install electrum-2.8.2.dmg, but my Mac gave me the following message: “Electrum” can’t be opened because it is from an unidentified developer.
Your security preferences allow installation of only apps from the Mac App Store and identified developers.
“Electrum” is on the disk image “electrum-2.8.2.dmg”. Safari downloaded this disk image on May 20, 2017. Am I correct to assume that I can ignore this and go to Preferences > Security & Privacy > Allow apps downloaded from: Anywhere (or open anyway) ?
|
|
|
|
pooya87
Legendary
Offline
Activity: 3430
Merit: 10504
|
|
May 23, 2017, 08:11:52 AM Last edit: May 23, 2017, 08:21:53 AM by pooya87 |
|
- to check the signature of a file you need 3 things:
* the file (.dmg file)
* the signature file (.asc file)
* and the public key (7F9470E6)
here are a couple of things that are confusing about GPG and needs translation:
gpg: Good signature from "Thomas Voegtlin ...
means the signature was correct, aka you have downloaded the right file.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
means you have not added the public key (7F9470E6) to your list of trusted keys. you don't have to do this. if you want the warning to go away basically you have to add the key to your list and sign it with your own key. read this: https://security.stackexchange.com/questions/108471/verifying-a-downloaded-file-with-gpg
the same goes for Mac, i think it is called GateKeeper that is preventing installation of any app that it doesn't recognize.
|
|
|
|
|
jlp
|
|
May 23, 2017, 12:34:20 PM |
|
the same goes for Mac, i think it is called GateKeeper that is preventing installation of any app that it doesn't recognize.
Yes, the following message from my Mac is from GateKeeper: “Electrum” can’t be opened because it is from an unidentified developer.
Your security preferences allow installation of only apps from the Mac App Store and identified developers.
“Electrum” is on the disk image “electrum-2.8.2.dmg”. Safari downloaded this disk image on May 20, 2017. From Apple https://support.apple.com/en-ca/HT202491: For apps that are downloaded from places other than the Mac App Store, developers can get a unique Developer ID from Apple and use it to digitally sign their apps. The Developer ID allows Gatekeeper to block apps created by malware developers and verify that apps haven't been tampered with since they were signed. If an app was developed by an unknown developer—one with no Developer ID—or tampered with, Gatekeeper can block the app from being installed. I'm surprised that Electrum's developers would not have gotten a Developer ID from Apple and signed their app. Should I ignore the GateKeeper message and install anyways ?
|
|
|
|
HCP
Legendary
Offline
Activity: 2086
Merit: 4316
<insert witty quote here>
|
|
May 23, 2017, 12:48:15 PM |
|
I'm surprised that Electrum's developers would not have gotten a Developer ID from Apple and signed their app.
Should I ignore the GateKeeper message and install anyways ?
"The cost is 99 USD per membership year." I'm not surprised at all... Yes, if you downloaded from the Electrum website and have confirmed that the package is signed with Thomas' key, then the package is unmodified. Go ahead and install it.
|
|
|
|
adaseb
Legendary
Offline
Activity: 3738
Merit: 1708
|
|
May 23, 2017, 09:11:15 PM |
|
Is there anyway to verify the download offline in Ubuntu ?
|
|
|
|
pooya87
Legendary
Offline
Activity: 3430
Merit: 10504
|
|
May 24, 2017, 04:03:10 AM |
|
Is there anyway to verify the download offline in Ubuntu ?
i actually searched about this a while back but couldn't find anything that helped. but i still think technically it should work. you have to find a way to give the signature for verifying. since this: https://pgp.mit.edu/pks/lookup?op=get&search=0x2BD5824B7F9470E6 can be saved as a file. and you would need to change the gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6 line to something else so that gpg takes the key from your file instead of the server. i don't know how because it never was necessary to do so, i download on linux, verify, and transfer to offline storage and install there.
|
|
|
|
|
adaseb
Legendary
Offline
Activity: 3738
Merit: 1708
|
|
May 24, 2017, 04:28:38 PM |
|
Is there anyway to verify the download offline in Ubuntu ?
i actually searched about this a while back but couldn't find anything that helped. but i still think technically it should work. you have to find a way to give the signature for verifying. since this: https://pgp.mit.edu/pks/lookup?op=get&search=0x2BD5824B7F9470E6 can be saved as a file. and you would need to change the gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6 line to something else so that gpg takes the key from your file instead of the server. i don't know how because it never was necessary to do so, i download on linux, verify, and transfer to offline storage and install there.
I did more reading and this should have worked:
gpg --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
echo "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6:6" | gpg --import-ownertrust -
However you need internet access for that or it gives an error.
|
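An added example, not part of any post in this thread: one way to do the offline check asked about above, by importing the key from a saved file into a throwaway keyring and accepting the download only when gpg reports a valid signature from the full pinned fingerprint rather than the 8-character key ID. The file name ThomasV.asc and the script name are assumptions; the fingerprint is the one quoted in the posts above.

```shell
#!/bin/sh
# Added example (not from the thread): offline verification against a pinned key.
# Usage: sh verify_pinned.sh KEYFILE SIGFILE DATAFILE EXPECTED_FINGERPRINT
# e.g.   sh verify_pinned.sh ThomasV.asc electrum-2.8.2.dmg.asc electrum-2.8.2.dmg \
#            "6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6"
# ThomasV.asc is a hypothetical name for the public key saved to a file beforehand.

# Strip whitespace and upper-case, so "6694 D8DE ..." and "6694d8de..." compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --status-fd` lines on stdin and print the primary-key fingerprint
# from the first VALIDSIG line: the last field when gpg supplies it, otherwise
# the signing-key fingerprint in field 3. Prints nothing if nothing validated.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             if (NF >= 12) print $12; else print $3
             exit
         }'
}

# pin_ok EXPECTED_FPR  (status lines on stdin)
# Succeeds only when a signature validated AND it was made by the pinned key.
pin_ok() {
    want=$(norm_fpr "$1")
    got=$(validsig_primary_fpr)
    [ -n "$got" ] && [ "$(norm_fpr "$got")" = "$want" ]
}

verify_pinned() {
    keyfile=$1; sig=$2; data=$3; expected=$4

    # Throwaway keyring: it holds only the key file given, and no gpg.conf
    # that could switch on automatic key retrieval from a keyserver.
    home=$(mktemp -d "${TMPDIR:-/tmp}/gpgverify.XXXXXX") || return 2
    chmod 700 "$home"

    if ! gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null; then
        rm -rf "$home"
        echo "FAIL: cannot import key file $keyfile" >&2
        return 2
    fi

    # Machine-readable status goes to stdout; the human-readable text is dropped.
    status=$(gpg --homedir "$home" --batch --no-auto-key-retrieve \
                 --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || true
    rm -rf "$home"

    if printf '%s\n' "$status" | pin_ok "$expected"; then
        echo "OK: $data has a valid signature from $(norm_fpr "$expected")"
    else
        echo "FAIL: no valid signature from $(norm_fpr "$expected") on $data" >&2
        return 1
    fi
}

# Run only when called with the four arguments; defining the functions alone
# does not touch gpg.
if [ "$#" -eq 4 ]; then
    verify_pinned "$@"
fi
```

The expected fingerprint should come from somewhere other than the place the download and the key file came from, since the check is only as good as that value.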
|
|
|
Itty Bitty
Member
Offline
Activity: 137
Merit: 14
|
|
August 25, 2017, 10:21:57 AM |
|
This is what I get when hitting the version 2.9.3 Windows Standalone Executable file signature.
I don't know the first f**king thing about what to do to verify whether this is a legit signature.
Why you gotta leave computer illiterates so in the dark is f**king nasty when $$$ are at stake.
Speaking for computer software illiterates everywhere that want to take precautions to safely store their bitcoins, I say - F**k the f**king computer world.
|
|
|
|
Itty Bitty
Member
Offline
Activity: 137
Merit: 14
|
|
August 26, 2017, 07:21:46 AM |
|
BUMP
If you're going to tell people over and over and over, that you don't own your bitcoins unless you are in control of your private keys, get them off exchanges, get them off custodial services, and then when they come to Electrum to try and do what they're told, you throw these people a curve ball and show these signatures out of the blue, which is a pretty complicated business for a newbie, and then just leave them hanging - you are being jerks.
Either take signatures off the website, or explain to newbies what they are for and how to use them!
|
|
|
|
HCP
Legendary
Offline
Activity: 2086
Merit: 4316
<insert witty quote here>
|
|
August 26, 2017, 11:33:44 PM |
|
Or people could stop being lazy and expect everything to be spoon-fed to them... Google exists for a reason... there are literally dozens of webpages and the odd video ( https://www.youtube.com/watch?v=Go7CBYWosLc windows, https://www.youtube.com/watch?v=h7vboUn3ahI Mac) that explain what the signatures are for and/or how to go about using them to verify that a file is legit... If people are so concerned about their "$$$", then maybe they should educate themselves and stop being "computer software illiterates". If you have enough time to log onto btctalk and moan about not knowing how to do something and insult people for not dropping everything they're doing to help you, you have enough time to use Google and your brain and go and learn something. Did you do ANYTHING in the 21 hours between your posts to investigate PGP signatures and how they're used to verify files? "Be your own bank" also implies "Be your own security team" Besides, checking the signatures is not even mandatory... it is recommended, but isn't required to be able to use Electrum. Also, as a side note... - you are being jerks.
I say - F**k the f**king computer world.
Insulting the people you are asking for assistance, probably isn't the best way to get the assistance you desire... #justSaying
|
|
|
|
Itty Bitty
Member
Offline
Activity: 137
Merit: 14
|
|
August 27, 2017, 08:23:34 AM |
|
"Did you do ANYTHING in the 21 hours between your posts to investigate PGP signatures and how they're used to verify files?"
Actually, after some research, I went to gpgtools.org and downloaded some .dmg file (GPG_suite-2016.10v2.dmg)
But my computer didn't open it.
More research led to a "howtogeek" webpage which suggested I download either 7-Zip or DMG extractor to open my files.
So up to now, I need to download 2 files (hoping my antivirus stops any malware with these files) in order to begin the process of signature verification, which I guess will help validate that the Electrum files are genuine (?).
Good grief, I am lost.
(BTW, I know you are a conscientious helpful person HCP, just venting at how frustrating this is for a computer illiterate, nothing meant against you specifically)
|
|
|
|
Itty Bitty
Member
Offline
Activity: 137
Merit: 14
|
|
August 27, 2017, 08:56:51 AM |
|
So I watched the Kleopatra video you linked, and seriously, to me it was the equivalent of going to have my car repaired, and the mechanic telling me "do I have to spoon feed you everything? Here is a video on how to change your timing belt, now GTFO and go do it yourself, you lazy loser"
Bottom line - Electrum is an excellent, user friendly wallet.
But if you want to check the integrity of the download files, you need to take a several hour course (maybe tens of hours if you are a true newbie starting from scratch) in digital signatures and how to verify them
Just putting the signatures up on the Electrum site near the files, and leaving them there with no more info, is confusing, to say the least, to many people. Unless you have deep computer/software knowledge, you can't properly verify the integrity of the Electrum files, and you might be better off trusting exchanges or 3rd parties to hold your money, rather than downloading corrupted files and watch your money disappear.
|
|
|
|
TheButterZone
Legendary
Offline
Activity: 3052
Merit: 1031
RIP Mommy
|
|
August 27, 2017, 10:07:43 PM |
|
This is what I get when hitting the version 2.9.3 Windows Standalone Executable file signature.
Actually, after some research, I went to gpgtools.org and downloaded some .dmg file (GPG_suite-2016.10v2.dmg)
But my computer didn't open it.
It says "macOS" no less than 5 times on https://gpgtools.org/
Do you know the difference between macOS & Windows? The first is a pleasurable operating system to use, the other is a daily mind-raping nightmare that can't even be legitimately called an operating system. Why are you trying to run macOS software on Windows? How are you even able to post on the internet? http://lmgtfy.com/?q=gpg+software+for+windows
|
Saying that you don't trust someone because of their behavior is completely valid.
|
|
|
Itty Bitty
Member
Offline
Activity: 137
Merit: 14
|
|
August 28, 2017, 07:47:57 AM Last edit: August 28, 2017, 07:58:28 AM by Itty Bitty |
|
Bottom line - if there are fellow computer illiterates out there, keep your money in a bank, crypto isn't for us. At least that seems to be the Electrum (and its supporters here) attitude.
|
|
|
|
TheButterZone
Legendary
Offline
Activity: 3052
Merit: 1031
RIP Mommy
|
|
August 28, 2017, 04:41:51 PM |
|
Bottom line - if there are fellow computer illiterates out there, keep your money in a bank, crypto isn't for us. At least that seems to be the Electrum (and its supporters here) attitude.
Actually, it's "don't spread FUD & keep up obviously false pretenses of 'computer illiteracy' belied by your own ability to post here at all". Something like a https://rationalwiki.org/wiki/Concern_troll
|
|
|
|
Itty Bitty
Member
Offline
Activity: 137
Merit: 14
|
|
August 31, 2017, 05:30:28 PM Last edit: August 31, 2017, 06:27:58 PM by Itty Bitty |
|
Listen Butterball. I don't know if you're actually 16, or only post with the sophistication of a teen-ager. But someone who uses the internet only as an end user, goes to a few internet pages at their desktop computer, maybe downloads a program once or twice a year to their hard drive, well maybe one day this person decides to join the crypto enthusiasts and buys some bitcoin. He/she deposits bitcoin at an exchange, and then reads several people warning to get their coins off exchanges, maybe buy a hardware wallet, or download Electrum to their hard drive so they can control their private keys. So this person comes to Electrum download site, and sees Windows or Mac download, and next to it, something called a signature - something they've never seen before. What do you think this person will think when they see the gibberish of a signature? They will say -"If Electrum put it up there, it must be important. But what is this gobbly-gook, what do I do with it - I'm just an internet end-user who has never seen such a thing? How come there are no instructions? Is this signature critical to use electrum? Will my money be at risk if I don't use it?" What kind of a way is this to treat newbies when they come to download something as important as a wallet that will control their money? And all you can worry about is your pride? How goddamn thin skinned are you? Tell whoever is in charge of the download area, to find a way to explain to people what a signature is, and whether it's important enough to be required. Because if people see it up there, they are going to assume it must have been put up for a reason, and not as a decoration. Now stop worrying about your thin skin, and do something to help people new to crypto have a better user experience.
|
|
|
|
TheButterZone
Legendary
Offline
Activity: 3052
Merit: 1031
RIP Mommy
|
|
August 31, 2017, 07:06:00 PM |
|
|
|
|
|
Itty Bitty
Member
Offline
Activity: 137
Merit: 14
|
|
August 31, 2017, 07:34:16 PM |
|
Stop replying to my posts, teen-ager.
I am not talking about myself, but all future visitors to electrum. Bitcoin's not worth $200 any more, and people who put their $$ into btc wallets deserve to understand better what they are supposed to do.
Don't answer my posts anymore Margarine. I need to hear from people whose minds have been on this planet longer than 16 years.
|
|
|
|
mr.mister
|
|
September 10, 2017, 03:10:31 AM |
|
How do I verify the Electrum download and signatures on a Mac?
Similar as example above, but do it for the dmg files:
Open a terminal window (CMD + space bar, type Terminal --> Enter)
gpg --verify electrum-2.8.2.dmg.asc.txt electrum-2.8.2.dmg
If for some reason you don't have gpg installed on your system, you can always download a very nice suite (which integrates well with Mail, btw - to encrypt or sign Emails, and manage private/public keys ...) from https://gpgtools.org.
Example:
gpg --verify electrum-2.8.2.dmg.asc.txt electrum-2.8.2.dmg
gpg: Signature made Tue Mar 21 10:42:38 2017 PDT using RSA key ID 7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [ultimate]
gpg: aka "ThomasV <thomasv1@gmx.de>" [ultimate]
gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>" [ultimate]
hey guys,
I am also trying to verify the electrum signature of my mac but I am getting an error.
here is what I have done:
i have downloaded the thomasv@electrum.org private key.
Key id: 0451C3EF
Fingerprint: 2ECD 3D5B 47F6 91C4 D0C7 32EB 4A5A 7F6F 0451 C3EF
Created: June 14, 2017 at 10:08 AM
i copied the entire contents of the signature file that is on the electrum.org file to a text file and named it 'electrum-2.9.2.dmg.asc.txt' and it is the same folder as the 'electrum-2.9.2.dmg' file.
then in terminal i typed the following.
'gpg --verify electrum-2.9.2.dmg.asc.txt electrum-2.9.2.dmg'
Terminal's response is the following
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc) should be the first file given on the command line.
What am I doing wrong?
|
Bitcoin Cash (BCASH) is NOT the real Bitcoin
|
|
|
mr.mister
|
|
September 10, 2017, 03:25:03 AM |
|
I have a mac and I am having trouble verifying the electrum wallet signature. I followed instructions as best as possible according to this post.
I have downloaded the thomasv@electrum.org public key issued on June 14th, 2017
Key ID: 0451C3EF
Fingerprint: 2ECD 3D5B 47F6 91C4 D0C7 32EB 4A5A 7F6F 0451 C3EF
I copied all the text on the signature file from the electrum.org site and saved it as: electrum-2.9.2.dmg.asc.txt and then placed it in the same folder as electrum-2.9.2.dmg
the contents of the signature file are:
then in terminal I executed the following command:
gpg --verify electrum-2.9.2.dmg.asc.txt electrum-2.9.2.dmg
here is the output i got:
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc) should be the first file given on the command line.
Can anyone tell me what I am doing wrong. Thank-you in advance
|
|
|
|
pooya87
Legendary
Offline
Activity: 3430
Merit: 10504
|
|
September 10, 2017, 03:55:39 AM |
|
gpg --verify electrum-2.9.2.dmg.asc.txt electrum-2.9.2.dmg
Please remember that the signature file (.sig or .asc) should be the first file given on the command line.
i believe the gpg is looking for a file with a .sig or .asc type for the signature and you are giving it a .txt file containing the same thing. try renaming the file and remove the .txt from the end:
mv electrum-2.9.2.dmg.asc.txt electrum-2.9.2.dmg.asc
then check with gpg
p.s. with a closer look your .asc file content does not look correct either.
https://download.electrum.org/2.9.2/electrum-2.9.2.dmg.asc
|
|
|
|
|
HCP
Legendary
Offline
Activity: 2086
Merit: 4316
<insert witty quote here>
|
|
September 10, 2017, 05:24:12 AM |
|
p.s. with a closer look your .asc file content does not look correct either.
You're right... it looks like the OP has actually copied the text from the "Windows Standalone Executable" signature file: https://download.electrum.org/2.9.3/electrum-2.9.3.exe.asc !!?!
|
|
|
|
mr.mister
|
|
September 10, 2017, 12:28:10 PM |
|
O.k. I recopied the correct (electrum-2.9.2.dmg.asc) signature file into a text file and tried both with a .sig and .asc ending, and still getting the same error. Originally I had accidentally had the signature file 2.9.3 which was the beta version. gpg finds electrum-2.9.2.dmg.sig file but it appears it does not recognize it as valid Opengpg data. Like I said, i tried both with a .sig and .asc ending. How does the thomasv@electrum.org PUB key I downloaded from the key server play into this, if in anyway? What else could I be doing wrong? the exact procedure I am following for creating the text file is copying the entire contents of it from electrum.org and then pasting it onto textedit and saving it. then I have to rename it because it automatically puts an rtf ending. thanks again P.S. Could it be that I am using pgp tools and not GnuPG? Does something maybe need to be changed in the signature file, like the heading maybe?
|
|
|
|
HCP
Legendary
Offline
Activity: 2086
Merit: 4316
<insert witty quote here>
|
|
September 10, 2017, 10:22:22 PM |
|
the exact procedure I am following for creating the text file is copying the entire contents of it from electrum.org and then pasting it onto textedit and saving it. then I have to rename it because it automatically puts an rtf ending.
Can you not just right click the link for the .asc file and select "save link as..."? You should be able to just save the file directly from the browser rather than copy/pasting... it is possible that you are either missing data while copy/pasting or it is screwing up the newline/carriage return characters etc...
How does the thomasv@electrum.org PUB key I downloaded from the key server play into this, if in anyway?
Did you import the thomasv PUB key into your keychain? You need to make sure that you've created your own GPG keypair... and then imported his pubkey so that it can verify the file using it.
|
|
|
|
mr.mister
|
|
September 10, 2017, 10:45:43 PM |
|
the exact procedure I am following for creating the text file is copying the entire contents of it from electrum.org and then pasting it onto textedit and saving it. then I have to rename it because it automatically puts an rtf ending.
Can you not just right click the link for the .asc file and select "save link as..."? You should be able to just save the file directly from the browser rather than copy/pasting... it is possible that you are either missing data while copy/pasting or it is screwing up the newline/carriage return characters etc...
How does the thomasv@electrum.org PUB key I downloaded from the key server play into this, if in anyway?
Did you import the thomasv PUB key into your keychain? You need to make sure that you've created your own GPG keypair... and then imported his pubkey so that it can verify the file using it.
PROGRESS
gpg: Signature made Thu Aug 3 10:16:45 2017 -03 using RSA key ID 7F9470E6
gpg: requesting key 7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2018-09-11
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg: aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
It says that the signature is valid now, but there is no indication that the signature belongs to the owner. Right clicking on the link, did the trick as far being able to read the asc file. This time when I executed the command, it imported one of Thomas's keys from 2011... Not sure if that's correct, you can see exactly what happened from my command above. Thanks again
|
|
|
|
HCP
Legendary
Offline
Activity: 2086
Merit: 4316
<insert witty quote here>
|
|
September 11, 2017, 12:08:38 AM |
|
It is saying it is not certified by a trusted signature. This is fairly normal... it just means that none of your Trusted signatures has vouched for Thomas' signature.
PGP signatures work on a "web of trust"... for instance: Person A trusts you... You vouch for Person B... therefore Person A will trust Person B because you vouched for them. At the moment, no-one you trust (including yourself) has vouched for Thomas' signature, so you get the warning that the key is not certified... even though it is definitely the one used to sign the file (The "Good Signature" message)

pooya87
Legendary
Offline
Activity: 3430
Merit: 10504
September 11, 2017, 04:00:50 AM
let me translate:

gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg: aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

gpg: i checked the signature versus the public key that you gave me which belonged to "Thomas...." and the signature checks out
gpg: but this public key (6694 D8D....) is what you gave me right now, i didn't have it in my database before. and it is not in the list of "your" trusted public keys.

if you want to get rid of that "warning" you just have to add it to your list. not sure the details of it but you basically create your own key and sign everything that you add and tell "GnuPG" that you trust these keys so that warning never shows up for those keys.

https://security.stackexchange.com/questions/147447/gpg-why-is-my-trusted-key-not-certified-with-a-trusted-signature
https://security.stackexchange.com/questions/6841/ways-to-sign-gpg-public-key-so-it-is-trusted

mr.mister
September 12, 2017, 02:23:15 PM
let me translate:

gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg: aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

gpg: i checked the signature versus the public key that you gave me which belonged to "Thomas...." and the signature checks out
gpg: but this public key (6694 D8D....) is what you gave me right now, i didn't have it in my database before. and it is not in the list of "your" trusted public keys.

if you want to get rid of that "warning" you just have to add it to your list. not sure the details of it but you basically create your own key and sign everything that you add and tell "GnuPG" that you trust these keys so that warning never shows up for those keys.

https://security.stackexchange.com/questions/147447/gpg-why-is-my-trusted-key-not-certified-with-a-trusted-signature
https://security.stackexchange.com/questions/6841/ways-to-sign-gpg-public-key-so-it-is-trusted

Thank-you, and everyone else who has helped me.

Lupanx
Newbie
Offline
Activity: 7
Merit: 0
November 30, 2017, 10:28:52 PM
Hi everyone, sorry to bring this up again, I'm new to bitcoin and I'm trying the following command...
gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6
and getting the following error:
gpg: keyserver receive failed: Server indicated a failure
Does anyone know what this means?
Thanks

treodu
Newbie
Offline
Activity: 11
Merit: 0
December 26, 2017, 05:11:41 PM
I'm using Ubuntu, here what I have done:

wget https[Suspicious link removed].asc
wget https[Suspicious link removed]

Following a post from reddit I did

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6
gpg: requesting key 7F9470E6 from hkp server pool.sks-keyservers.net
gpg: key 7F9470E6: "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

gpg --fingerprint
-----------------------------------
pub 4096R/7F9470E6 2011-06-15
Key fingerprint = 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
uid Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
uid ThomasV <thomasv1@gmx.de>
uid Thomas Voegtlin <thomasv1@gmx.de>
sub 4096R/2021CD84 2011-06-15

gpg --verify electrum-2.1.1.exe.asc electrum-2.1.1.exe
gpg: Signature made Fri 24 Apr 2015 03:52:59 PM MDT using RSA key ID 695506FD
gpg: Can't check signature: public key not found

So what should I do next ? Thank

tl;rl
1. sudo gpg --keyserver pgp.mit.edu --recv-keys 0x2BD5824B7F9470E6
2. sudo gpg --fingerprint 0x2BD5824B7F9470E6
3. sudo gpg --verify Electrum-3.0.3.tar.gz.asc Electrum-3.0.3.tar.gz
are the full and correct steps to verify electrum bitcoin wallet for all those searching to verify but find nothing accurate.
- 0x2BD5824B7F9470E6 comes from https://electrum.org/#download - look for ThomasV. link top of page friends
- ensure the tar.gz and the .asc are both in the folder where you execute commandline syntax above
gpg: Good signature from "Thomas Voegtlin should be displayed after step 3. if not then do more due diligence.

How to verify a download:
https://bitcointalk.org/index.php?topic=1733714.msg17346941#msg17346941
https://www.torproject.org/docs/verifying-signatures.html.en

I agree it is a crying shame help is not more forthcoming from experienced users, here, nor on reddit. We appreciate ThomasV. for his contribution and don't expect him to field newbie questions - that is where the community is supposed to step up.
perhaps the donation requirement for post replies, or the negative experiences of experienced users have had but as a community bitcoin should stop pumping and return to its roots as a community that TRIES to help.
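
Added example (not part of any post in this thread, and not Electrum's own tooling): a POSIX shell check that accepts a download only when `gpg --status-fd` reports a VALIDSIG from the exact fingerprint quoted above, which is the comparison that "Good signature" plus the "not certified" warning leaves the reader to do by eye. The function names and the sample status lines (constructed, with placeholder timestamps and a placeholder second key) are assumptions; compare the pinned fingerprint with the one published on the Electrum download page before relying on it.

```shell
# Added example: require a valid signature from one pinned fingerprint,
# rather than accepting any "Good signature" line or a short key ID.

# Fingerprint quoted in the thread; compare it with the download page first.
PINNED_FPR="6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6"

# normalize_fpr FPR: strip spaces and a leading 0x, uppercase the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# check_status EXPECTED_FPR: reads `gpg --status-fd` lines on stdin. Succeeds only
# if VALIDSIG names EXPECTED_FPR (signing key or primary key) and nothing failed.
check_status() {
    awk -v want="$(normalize_fpr "$1")" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_pinned SIGFILE DATAFILE EXPECTED_FPR: run gpg and apply the check.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Constructed status output: valid signature made by the pinned key.
# TRUST_UNDEFINED is the machine-readable form of the "[unknown]" warning.
sample_pinned() {
    cat <<'EOF'
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2017-08-03 1501766205 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Constructed status output: valid signature, but from some other key
# (placeholder fingerprint). Plain `gpg --verify` still says "Good signature".
sample_other_key() {
    cat <<'EOF'
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2017-08-03 1501766205 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EOF
}

# Usage: sh verify.sh Electrum-3.0.3.tar.gz.asc Electrum-3.0.3.tar.gz
if [ "$#" -eq 2 ]; then
    verify_pinned "$1" "$2" "$PINNED_FPR" && echo "OK: signed by pinned key"
fi
```

The check deliberately rejects a 64-bit key ID such as 0x2BD5824B7F9470E6 as the pin, because only the full fingerprint identifies the key unambiguously.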

cellard
Legendary
Offline
Activity: 1372
Merit: 1250
January 16, 2018, 04:39:30 PM
tl;rl
1. sudo gpg --keyserver pgp.mit.edu --recv-keys 0x2BD5824B7F9470E6
2. sudo gpg --fingerprint 0x2BD5824B7F9470E6
3. sudo gpg --verify Electrum-3.0.3.tar.gz.asc Electrum-3.0.3.tar.gz
are the full and correct steps to verify electrum bitcoin wallet for all those searching to verify but find nothing accurate.
- 0x2BD5824B7F9470E6 comes from https://electrum.org/#download - look for ThomasV. link top of page friends
- ensure the tar.gz and the .asc are both in the folder where you execute commandline syntax above
gpg: Good signature from "Thomas Voegtlin should be displayed after step 3. if not then do more due diligence.

How to verify a download:
https://bitcointalk.org/index.php?topic=1733714.msg17346941#msg17346941
https://www.torproject.org/docs/verifying-signatures.html.en

I agree it is a crying shame help is not more forthcoming from experienced users, here, nor on reddit. We appreciate ThomasV. for his contribution and don't expect him to field newbie questions - that is where the community is supposed to step up. perhaps the donation requirement for post replies, or the negative experiences of experienced users have had but as a community bitcoin should stop pumping and return to its roots as a community that TRIES to help.

The first step didn't work for me. I don't know if it was because it was unable to connect to that keypool hosted on that .mit site, I had to use this:

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

I'm not sure if this:

gpg --keyserver pgp.mit.edu --recv-keys 7F9470E6

would have worked? maybe you had to do use 7F9470E6 instead of 0x2BD5824B7F9470E6 or maybe it was because of the keyserver... anyhow, this is how it went:

1) download the latest .tar file on the Electrum site
2) do "gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6" on the folder which must contain the signature file + the .tar file
3) untar file
4) "python3 electrum" inside the Electrum folder, this will run Electrum live through python

That is all.

pooya87
Legendary
Offline
Activity: 3430
Merit: 10504
January 17, 2018, 05:34:18 AM
~ The first step didn't work for me. I don't know if it was because it was unable to connect to that keypool hosted on that .mit site, I had to use this:
gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

these key servers sometimes go down for different reasons. high load, DDoS maybe, or maintenance or something like that. but i have experienced downtime with pgp.mit.edu multiple times. and it is easy to check if it is up or down, just open the link like this:
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6
and you will see a warning saying it is down. (well it currently is up as i am writing this).