How do I verify downloaded electrum using signature files?

[xdigital]

I'm using Ubuntu, here what I have done:

wget https://download.electrum.org/electrum-2.1.1.exe.asc
wget https://download.electrum.org/electrum-2.1.1.exe

Following a post from reddit
I did

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6
gpg: requesting key 7F9470E6 from hkp server pool.sks-keyservers.net
gpg: key 7F9470E6: "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

gpg --fingerprint
-----------------------------------
pub   4096R/7F9470E6 2011-06-15
      Key fingerprint = 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
uid                  Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
uid                  ThomasV <thomasv1@gmx.de>
uid                  Thomas Voegtlin <thomasv1@gmx.de>
sub   4096R/2021CD84 2011-06-15

gpg --verify electrum-2.1.1.exe.asc electrum-2.1.1.exe
gpg: Signature made Fri 24 Apr 2015 03:52:59 PM MDT using RSA key ID 695506FD
gpg: Can't check signature: public key not found


So what should I do next ? Thank

[guitarplinker]

On the Electrum download page, there's a note saying that "Sources are signed by ThomasV. Executables are signed by Animazing". Since you downloaded the executable version of Electrum rather than just the source files, it was signed by Animazing. Here's a link to his PGP key: http://bitcoin-otc.com/viewgpg.php?nick=Animazing

If you import Animazing's key, and then try to verify the signature of the executable, it should check out fine. I just tried it myself, and it verified as it should.

[Abdussamad]

I'm using Ubuntu, here what I have done:

The .exe file is for windows users. You should follow the instructions for linux and download the source tarball. That is signed by ThomasV.

[xdigital]

Thank guitarplinker for pointing it out. Got it verified now.
To Abdussamad: I'm have 2 machines, 1 is my main PC running Windows, 1 is Ubuntu server (which is also running a full bitcoin node).
I don't want to install gpg on the Windows machine, So I use Ubuntu.

Here is what I did.
Using the RSA key ID 695506FDfound from the last error, I get Amazing's key by changing the key of the first command.

gpg --keyserver pool.sks-keyservers.net --recv-keys 695506FD
gpg: requesting key 695506FD from hkp server pool.sks-keyservers.net
gpg: key 695506FD: public key "Animazing <animazing@gmail.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

gpg --verify electrum-2.1.1.exe.asc electrum-2.1.1.exe
gpg: Signature made Fri 24 Apr 2015 03:52:59 PM MDT using RSA key ID 695506FD
gpg: Good signature from "Animazing <animazing@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9914 864D FC33 499C 6CA2  BEEA 2245 3004 6955 06FD

[jlp]

How do I verify the Electrum download and signatures on a Mac?

[jlp]

nerioseole:

Thanks for your help and suggestions.

I downloaded http://download.electrum.org/2.8.2/electrum-2.8.2.dmg.asc and renamed the file to electrum-2.8.2.dmg.asc.txt.

I installed GPG from gpgtools.org.  I de-selected GPGMail because I don't use Apple's Mail.  I ran GPG and got the following, which is different than what you got.

Code:

$ gpg --verify electrum-2.8.2.dmg.asc.txt electrum-2.8.2.dmg
gpg: Signature made Tue 21 Mar 13:42:38 2017 EDT using RSA key ID 7F9470E6
gpg: requesting key 7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
$

It seems that the verification failed.  What did I do wrong?

[jlp]

nerioseole:

Okay.  Does this mean that I verified that the downloaded image was unchanged, in addition to being signed properly?

What about all of the other steps mentioned by users xdigital and guitarplinker, such as:

Code:

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

Code:

gpg --fingerprint

Can I ignore them?

[Abdussamad]

nerioseole:

Okay.  Does this mean that I verified that the downloaded image was unchanged, in addition to being signed properly?

What about all of the other steps mentioned by users xdigital and guitarplinker, such as:

Code:

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

Code:

gpg --fingerprint

Can I ignore them?

those steps are for fetching the gpg key but the software you used already did that for you:

gpg: requesting key 7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported

[jlp]

I didn't see any indication from GPG that it verified that the downloaded image was unchanged, in addition to being signed properly?  Did it verify that the downloaded image was unchanged?

I disconnected my Mac from the internet, booted up Mac OS from a bootable USB.

I tried to install electrum-2.8.2.dmg, but my Mac gave me the following message:

“Electrum” can’t be opened because it is from an unidentified developer.

Your security preferences allow installation of only apps from the Mac App Store and identified developers.

“Electrum” is on the disk image “electrum-2.8.2.dmg”. Safari downloaded this disk image on May 20, 2017.

Am I correct to assume that I can ignore this and go to Preferences > Security & Privacy > Allow apps downloaded from: Anywhere (or open anyway) ?

[pooya87]

- to check the signature of a file you need 3 things:
* the file (.dmg file)
* the signature file (.asc file)
* and the public key (7F9470E6)

here are a couple of things that are confusing about GPG and needs translation:

Code:

gpg: Good signature from "Thomas Voegtlin ...

means the signature was correct, aka you have downloaded the right file.

Code:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

means you have not added the public key (7F9470E6) to your list of trusted keys. you don't have to do this. if you want the warning to go away basically you have to add the key to your list and sign it with your own key.

read this: https://security.stackexchange.com/questions/108471/verifying-a-downloaded-file-with-gpg

the same goes for Mac, i think it is called GateKeeper that is preventing installation of any app that it doesn't recognize.

[jlp]

the same goes for Mac, i think it is called GateKeeper that is preventing installation of any app that it doesn't recognize.

Yes, the following message from my Mac is from GateKeeper:

“Electrum” can’t be opened because it is from an unidentified developer.

Your security preferences allow installation of only apps from the Mac App Store and identified developers.

“Electrum” is on the disk image “electrum-2.8.2.dmg”. Safari downloaded this disk image on May 20, 2017.

From Apple https://support.apple.com/en-ca/HT202491:

For apps that are downloaded from places other than the Mac App Store, developers can get a unique Developer ID from Apple and use it to digitally sign their apps. The Developer ID allows Gatekeeper to block apps created by malware developers and verify that apps haven't been tampered with since they were signed. If an app was developed by an unknown developer—one with no Developer ID—or tampered with, Gatekeeper can block the app from being installed.

I'm surprised that Electrum's developers would not have gotten a Developer ID from Apple and signed their app.

Should I ignore the GateKeeper message and install anyways ?

[HCP]

I'm surprised that Electrum's developers would not have gotten a Developer ID from Apple and signed their app.

Should I ignore the GateKeeper message and install anyways ?

"The cost is 99 USD per membership year." I'm not surprised at all...

Yes, if you downloaded from the Electrum website and have confirmed that the package is signed with Thomas' key, then the package is unmodified. Go ahead and install it.

[adaseb]

Is there anyway to verify the download offline in Ubuntu ?

[pooya87]

Is there anyway to verify the download offline in Ubuntu ?

i actually searched about this a while back but couldn't find anything that helped. but i still think technically it should work.
you have to find a way to give the signature for verifying. since this: https://pgp.mit.edu/pks/lookup?op=get&search=0x2BD5824B7F9470E6 can be saved as a file.
and you would need to change the

Code:

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

line to something else so that gpg takes the key from your file instead of the server.
i don't know how because it never was necessary to do so, i download on linux, verify, and transfer to offline storage and install there.

[adaseb]

Is there anyway to verify the download offline in Ubuntu ?

i actually searched about this a while back but couldn't find anything that helped. but i still think technically it should work.
you have to find a way to give the signature for verifying. since this: https://pgp.mit.edu/pks/lookup?op=get&search=0x2BD5824B7F9470E6 can be saved as a file.
and you would need to change the

Code:

gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

line to something else so that gpg takes the key from your file instead of the server.
i don't know how because it never was necessary to do so, i download on linux, verify, and transfer to offline storage and install there.

I did more reading and this should of worked:

gpg --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
echo "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6:6" | gpg --import-ownertrust -



However you need internet access for that or it gives an error.

[Itty Bitty]

This is what I get when hitting the version 2.9.3 Windows Standalone Executable file signature.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABCgAGBQJZjYhyAAoJECvVgkt/lHDmf5MP/2Qai6OUKCbG/146dRa7E6em
ZU4TqrRQofgW6Ya7hO9XG3T+5ji/5HF66/SJ+G3qNVcaJnLGL3KomN42sv52WANx
1/qeOfZckwrzC/k1AmIzR43/eaGUcC9Fr+orjz2eQlpE4qfQiijvGS6T6ZMQtJFC
axKCv0pA1VvnEMlQf+PScde/BF8wgGY43xa3pm0jrHXJu0Tbtl3JvuDrh9sI1Zan
fhjV7OldtOijNmvj0mAGbvuSjZKN3Pf3VKHD1acGQ92Owj19j/MB9lgesbrygvvk
7fX+9Lw9yl9BK9JD0xTnhrNTRZvVLp4fKskAF6KfhkJjm+bm+m+p/WTp1IfrywXY
CYx/GD6ZbSqrwnq7sEUhVaaLQC33G97Lwu1Jmsm8fu5iy+QcE7kCa+Pu9C8kv1e4
zwVK/kiyHQSY8m506GgrJhtfODmeTloryUNterKoFaRjuN9bRPxotr85QdhVy4Ci
PoWW8+tHttmHsLfF9CtcmYkzSSYyB+HsTSvhkgs/Rl4zJ2526Xw4i10scfD0dhar
ikk8OONbYFWO0LJSgakqcezhYgGqMiyw7jXMS+II1QSvCHDgpCpnLekoYclH/lo/
Kdzq/OwUdm3peh39hggy5LwciC3OXG9EslhNlP6HqK9rg1AAsGGAoIr+jpbmRBqD
577hMthTTwWAlU9B0nke
=YtfS
-----END PGP SIGNATURE-----



I don't know the first f**king thing about what to do to verify whether this is a legit signature.

Why you gotta leave computer illiterates so in the dark is f**king nasty when $$$ are at stake.

Speaking for computer software illiterates everywhere that want to take precautions to safely store their bitcoins, I say - F**k the f**king computer world.

[Itty Bitty]

BUMP

If you're going to tell people over and over and over, that you don't own your bitcoins unless you are in control of your private keys, get them off exchanges, get them off custodial services, and then when they come to Electrum to try and do what they're told, you throw these people a curve ball and  show these  signatures out of the blue, which is a pretty complicated business for a newbie, and then just leave them hanging - you are being jerks.

Either take signatures off the website, or explain to newbies what they are for and how to use them!

[HCP]

Or people could stop being lazy and expect everything to be spoon-fed to them...

Google exists for a reason... there are literally dozens of webpages and the odd video (https://www.youtube.com/watch?v=Go7CBYWosLc windows, https://www.youtube.com/watch?v=h7vboUn3ahI Mac) that explain what the signatures are for and/or how to go about using them to verify that a file is legit...

If people are so concerned about their "$$$", then maybe they should educate themselves and stop being "computer software illiterates". If you have enough time to log onto btctalk and moan about not knowing how to do something and insult people for not dropping everything they're doing to help you, you have enough time to use Google and your brain and go and learn something. Did you do ANYTHING in the 21 hours between your posts to investigate PGP signatures and how they're used to verify files?

"Be your own bank" also implies "Be your own security team"


Besides, checking the signatures is not even mandatory... it is recommended, but isn't required to be able to use Electrum.

Also, as a side note...

- you are being jerks.

I say - F**k the f**king computer world.

Insulting the people you are asking for assistance, probably isn't the best way to get the assistance you desire... #justSaying

[Itty Bitty]

"Did you do ANYTHING in the 21 hours between your posts to investigate PGP signatures and how they're used to verify files?"

Actually, after some research, I went to gpgtools.org and downloaded some .dmg file (GPG_suite-2016.10v2.dmg)

But my computer didn't open it.

More research led to a "howtogeek" webpage which suggested I download either 7-Zip or DMG extractor to open my files.

So up to now, I need to download 2 files (hoping my antivirus stops any malware with these files) in order to begin the process of signature verification, which I guess will help validate that the Electrum files are genuine (?).

Good grief, I am lost.

(BTW, I know you are a conscientious helpful person HCP, just venting at how frustrating this is for a computer illiterate, nothing  meant against you specifically)

[Itty Bitty]

So I watched the Kleopatra video you linked, and seriously, to me it was the equivalent of going to have my car repaired, and the mechanic telling me "do I have to spoon feed you everything? Here is a video on how to change your timing belt, now GTFO and go do it yourself, you lazy loser"

Bottom line - Electrum is an excellent, user friendly wallet.

But if you want to check the integrity of the download files, you need to take a several hour course (maybe tens of hours if you are a true newbie starting from scratch)  in digital signatures and how to verify them

Just putting the signatures up on the Electrum site near the files, and leaving them there with no more info, is confusing, to say the least, to many people. Unless you have deep computer/software knowledge, you can't properly verify the integrity of the Electrum files, and you might be better off trusting exchanges or 3rd parties to hold your money, rather than downloading corrupted files and watch your money disappear.