Bitcoin Forum
Author Topic: Help With Checking Signature of Electrum Download  (Read 1748 times)
techrun (OP)
July 07, 2015, 10:00:28 PM
 #1

Hi Guys

I am a newbie trying to work out Bitcoin.  I've started this thread because I'm trying to work out how to check the signature of the Electrum Wallet Windows installer I've downloaded.  I thought I might ask for help as I go along (slowly ...)

So far I have:

- Downloaded electrum-2.3.2-setup.exe, the Windows installer

- Downloaded electrum-2.3.2-setup.exe.asc, the signature file

- Got Kleopatra installed on my computer.

The signature is signed by someone called Animazing, and I believe I have access to his public key from here:

http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&search=0x9914864DFC33499C6CA2BEEA22453004695506FD


Q1) Is this Animazing's correct public key, as given here:

http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x22453004695506FD


Q2) What is the next step?  I am guessing I have to load Animazing's public key into Kleopatra somehow, is that correct?


Thanks guys
achow101
July 08, 2015, 01:39:56 AM
 #2

Q1) Is this Animazing's correct public key, as given here:

http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x22453004695506FD
That is correct.

Q2) What is the next step?  I am guessing I have to load Animazing's public key into Kleopatra somehow, is that correct?


Thanks guys
1. Download Animazing's PGP key.
2. Open up Kleopatra and go to File > Decrypt/Verify Files ...
3. Select the electrum-2.3.2-setup.exe.asc.
4. Check the box for detached signature.
5. Click the button next to the first text box and select the setup exe file.
6. Click Decrypt/Verify and it will verify the signature.

techrun (OP)
July 13, 2015, 11:15:36 PM
 #3

Hi, thanks for your help.  

I have just tried the procedure you suggested in Kleopatra.  In the Results Window I get the following message:

electrum-2.3.2-setup.exe.asc: Not enough information to check signature validity.
Signed on 2015-06-15 12:11 by animazing[at]gmail.com (Key ID: 0x695506FD).
The validity of the signature cannot be verified.


What has gone wrong, and how can I rectify it?  

Thanks

TheButterZone
July 14, 2015, 12:19:37 AM
 #4

It will say that as long as you haven't signed 0x695506FD, which you shouldn't do unless you've met them in person to verify they own 0x695506FD.

Saying that you don't trust someone because of their behavior is completely valid.
techrun (OP)
July 14, 2015, 10:07:40 AM
 #5

OK, thank you for that.
techrun (OP)
July 14, 2015, 08:17:45 PM
 #6

It will say that as long as you haven't signed 0x695506FD, which you shouldn't do unless you've met them in person to verify they own 0x695506FD.

Would I be right in saying then that Kleopatra has successfully checked the Electrum signature, but it can't give me the complete OK because I don't know/trust Animazing personally? 
TheButterZone
July 14, 2015, 08:36:32 PM
 #7

It will say that as long as you haven't signed 0x695506FD, which you shouldn't do unless you've met them in person to verify they own 0x695506FD.

Would I be right in saying then that Kleopatra has successfully checked the Electrum signature, but it can't give me the complete OK because I don't know/trust Animazing personally? 

Yes....

pissedone
June 05, 2016, 07:15:29 AM
 #8

It will say that as long as you haven't signed 0x695506FD, which you shouldn't do unless you've met them in person to verify they own 0x695506FD.

Would I be right in saying then that Kleopatra has successfully checked the Electrum signature, but it can't give me the complete OK because I don't know/trust Animazing personally? 

Yes....
 

... then why in the FUCK would you have a PGP signature.  Goddamit.
TheButterZone
June 05, 2016, 07:42:09 AM
 #9

It will say that as long as you haven't signed 0x695506FD, which you shouldn't do unless you've met them in person to verify they own 0x695506FD.

Would I be right in saying then that Kleopatra has successfully checked the Electrum signature, but it can't give me the complete OK because I don't know/trust Animazing personally?  

Yes....
 

... then why in the FUCK would you have a PGP signature.  Goddamit.

Because all these signers help establish to some degree of certainty that they are who they say they are. Especially ThomasV, the lead Electrum dev. http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&search=0x9914864DFC33499C6CA2BEEA22453004695506FD

oicu812ic
December 27, 2016, 04:12:57 AM
 #10

Quote
... then why in the FUCK would you have a PGP signature.  Goddamit.

Ha that's funny.  I found this thread because I am in the same dilemma of trying to verify a developer's signature.

I'd like to know how you finally resolved this.  Thanks.
Abdussamad
December 28, 2016, 02:13:59 PM
 #11

Quote
... then why in the FUCK would you have a PGP signature.  Goddamit.

Ha that's funny.  I found this thread because I am in the same dilemma of trying to verify a developer's signature.

I'd like to know how you finally resolved this.  Thanks.

you download the binaries from electrum.org. the public keys you grab from github. both electrum.org and github would have to be compromised for the binaries to be fake.

furthermore you can check the web of trust i.e. who trusts the gpg keys of animazing, thomasv and other developers. you can see that gpg public key fingerprints are the same as the ones specified above in this thread. there are so many different places where these things are discussed. surely they can't all be fake?
Coin-Keeper
December 28, 2016, 08:24:48 PM
Last edit: December 28, 2016, 08:36:41 PM by Coin-Keeper
 #12

GPG/PGP is my thing.  I use it a lot and study it.  Mentioned above but now I'll stress.  VERIFY the published FINGERPRINTS of the keys against those in your keyring, and you can be certain you have the valid and actual key.  There is NO way to make a fake key reflect the actual fingerprint of the real key.  Mathematically impossible by any known means of computation.  Anyone that would set or establish trust to a key without verifying the fingerprints is defeating the entire reason for such encryption validation.  Assuming you have verified the fingerprints and assigned trust, what does that do for future file release signatures?  Simple.  When a file is signed by a GPG key the private keyset is required to make that signature.  If a bogus file is released the bad actor will NOT have the private keyset making their signature invalid when YOU test the signature against the proven and trusted key.  Only the actual keyset can sign a file that will pass the test against this mathematical comparison.  Once you learn this process it takes a few seconds to do the test.  A very important consideration to this verification is that MITM methods are becoming increasingly technical.  There are sites that can fool some pretty advanced users and they look so real.  As good as they are, they can't beat the math, so use the math to be sure!


This is very similar to how we verify and sign BTC addresses here.  Given a specific btc address, only the holder of the specific private key can make a genuine signature using that specific address.  Just glance at my signature and click the link if you need to visualize this.

BTC: 1PYSBbuKM3kW19xe9TXJQfq64rPhd8XorF
Staked and Verified: https://bitcointalk.org/index.php?topic=996318.msg17102755#msg17102755
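
Added example, not part of any post in this thread: the distinction discussed above (a signature that checks out versus a key you have not certified yourself) can be read from gpg's machine-readable status lines instead of the GUI wording. It assumes the gpg command-line tool and a POSIX shell; the function names, verdict words and sample status lines are constructed for illustration, and the fingerprint is the one in the keyserver URL quoted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify `gpg --status-fd` output.
# Fingerprint as it appears in the keyserver URL quoted in the thread;
# compare it in upper case with no spaces, the form gpg prints.
EXPECTED_FPR=9914864DFC33499C6CA2BEEA22453004695506FD

# Reads status lines on stdin and prints a verdict. Returns 0 only when a
# good signature was made by the key whose full fingerprint is $1.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"  { next }
        $2 == "BADSIG"    { bad = 1 }     # file does not match the signature
        $2 == "NO_PUBKEY" { nokey = 1 }   # signer key is not in the keyring
        $2 == "GOODSIG"   { good = 1 }    # not emitted for expired/revoked keys
        $2 == "VALIDSIG"  { fpr = $3; primary = $NF }  # full fingerprints
        $2 ~ /^TRUST_/    { trust = $2 }  # key validity in YOUR keyring
        END {
            if (bad)   { print "BAD_SIGNATURE"; exit 2 }
            if (nokey) { print "KEY_NOT_IMPORTED"; exit 3 }
            if (!good || fpr == "") { print "NOT_VERIFIED"; exit 4 }
            # Append "" to force string (not numeric) comparison.
            if ((fpr "") != (want "") && (primary "") != (want "")) {
                print "WRONG_KEY " fpr; exit 5
            }
            print "GOOD_EXPECTED_KEY " trust
        }'
}

# Constructed sample (timestamp and user ID are made up): a good signature
# from a key that the local user has not certified.
sample_good_uncertified() {
    cat <<EOF
[GNUPG:] GOODSIG 22453004695506FD constructed-user-id
[GNUPG:] VALIDSIG $EXPECTED_FPR 2015-06-15 1434370260 0 4 0 1 2 00 $EXPECTED_FPR
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Constructed sample: the installer was changed after it was signed.
sample_tampered() { echo "[GNUPG:] BADSIG 22453004695506FD constructed-user-id"; }

# Real use: sh verify.sh electrum-2.3.2-setup.exe.asc electrum-2.3.2-setup.exe
if [ "$#" -eq 2 ]; then
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
fi
```

A `GOOD_EXPECTED_KEY TRUST_UNDEFINED` verdict means the file matches the signature and the signing key has the expected fingerprint, while the key remains uncertified in the local keyring.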
oicu812ic
December 30, 2016, 02:02:06 AM
 #13

Hi Coin-Keeper,
can you go to this thread? https://bitcointalk.org/index.php?topic=1718549.new#new

You will see there that I asked for help downloading Electrum.  Shorena kindly responded.  I told him I don't know how to use digital signatures and he referred me to a thread that theymos composed.

Okay, the SHA256 hash for Shorena's files checked out.  But I am stuck on how to verify Shorena's digital signature.  For one thing, I am assuming the digital signature he gave me is his own:

Code:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

From the page he gives:

Quote

But I don't know how to find the key from that page!  Where is it?

But even if I know that it came from that page, how do I verify the signature?  I installed Kleopatra, but when I copy the signature into clipboard the choice to verify is grayed out.