techrun (OP)
Newbie
Offline
Activity: 22
Merit: 0
July 07, 2015, 10:00:28 PM
Hi Guys, I am a newbie trying to work out Bitcoin. I've started this thread because I'm trying to work out how to check the signature of the Electrum Wallet Windows installer I've downloaded. I thought I might ask for help as I go along (slowly ...) So far I have:
- Downloaded electrum-2.3.2-setup.exe, the Windows installer
- Downloaded electrum-2.3.2-setup.exe.asc, the signature file
- Got Kleopatra installed on my computer.
The signature is signed by someone called Animazing, and I believe I have access to his public key from here: http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&search=0x9914864DFC33499C6CA2BEEA22453004695506FD
Q1) Is this Animazing's correct public key, as given here: http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x22453004695506FD
Q2) What is the next step? I am guessing I have to load Animazing's public key into Kleopatra somehow, is that correct?
Thanks guys
achow101
Staff
Legendary
Offline
Activity: 3444
Merit: 6737
Just writing some code
July 08, 2015, 01:39:56 AM
That is correct. Q2) What is the next step? I am guessing I have to load Animazing's public key into Kleopatra somehow, is that correct?
Thanks guys
Download Animazing's PGP key. Open up Kleopatra and go to File > Decrypt/Verify Files ... Select the electrum-2.3.2-setup.exe.asc. Check the box for detached signature. Click the button next to the first text box and select the setup exe file. Click Decrypt/Verify and it will verify the signature.
techrun (OP)
Newbie
Offline
Activity: 22
Merit: 0
July 13, 2015, 11:15:36 PM
Hi, thanks for your help.
I have just tried the procedure you suggested in Kleopatra. In the Results Window I get the following message:
electrum-2.3.2-setup.exe.asc: Not enough information to check signature validity. Signed on 2015-06-15 12:11 by animazing[at]gmail.com (Key ID: 0x695506FD). The validity of the signature cannot be verified.
What has gone wrong, and how can I rectify it?
Thanks
TheButterZone
Legendary
Offline
Activity: 3010
Merit: 1031
RIP Mommy
July 14, 2015, 12:19:37 AM
It will say that as long as you haven't signed 0x695506FD, which you shouldn't do unless you've met them in person to verify they own 0x695506FD.
Saying that you don't trust someone because of their behavior is completely valid.
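The message techrun got from Kleopatra ("Not enough information to check signature validity") and TheButterZone's explanation describe two separate results: the cryptographic check of the detached signature passed, but the signing key has no trust assigned in the local keyring. The example below is added here and is not code from this thread, from Kleopatra or from the Electrum project. Kleopatra drives GnuPG underneath, and gpg reports the same outcome in machine-readable form; the command line in the docstring is assumed, the three status transcripts are constructed to mimic gpg's `[GNUPG:]` output, and the key ID and fingerprint in them are the ones quoted in the thread. The parser shows how "good signature" and "key trust" are reported independently, and what each combination means for the person downloading the installer.

```python
"""Interpret the result of a detached-signature check from GnuPG's status output.

Added example, not code from the thread, from Kleopatra or from Electrum.
Kleopatra uses GnuPG underneath; gpg prints the same outcome as status lines
when run as (assumed command line, not taken from the thread):

    gpg --status-fd 1 --verify electrum-2.3.2-setup.exe.asc electrum-2.3.2-setup.exe

The three transcripts below are constructed to mimic that format.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class VerifyResult:
    signature_good: bool          # True only when gpg reported GOODSIG
    signer_keyid: Optional[str]   # long key ID from GOODSIG/BADSIG/NO_PUBKEY
    fingerprint: Optional[str]    # full 40-hex fingerprint from VALIDSIG
    trust: str                    # gpg's TRUST_* level, lower-cased, or "unknown"
    verdict: str                  # what the user should conclude


def parse_status(lines: Iterable[str]) -> VerifyResult:
    """Reduce `[GNUPG:] ...` status lines to one verdict.

    GOODSIG means the file matches what the key signed (the math checked out).
    TRUST_* means how far the local keyring trusts that key to belong to the
    named person. The two are independent, which is the situation in the thread.
    """
    good = bad = missing = False
    keyid: Optional[str] = None
    fpr: Optional[str] = None
    trust = "unknown"
    for raw in lines:
        if not raw.startswith("[GNUPG:] "):
            continue
        parts = raw.split()
        kw = parts[1]
        if kw == "GOODSIG":
            good, keyid = True, parts[2]
        elif kw == "BADSIG":
            bad, keyid = True, parts[2]
        elif kw == "NO_PUBKEY":
            missing, keyid = True, parts[2]
        elif kw == "VALIDSIG":
            fpr = parts[2]
        elif kw.startswith("TRUST_"):
            trust = kw[len("TRUST_"):].lower()

    if bad:
        verdict = (f"BAD signature from key {keyid}: the file does not match what was "
                   f"signed; do not install it")
    elif missing:
        verdict = f"cannot check: public key {keyid} is not in your keyring; import it first"
    elif good and trust in ("fully", "ultimate"):
        verdict = f"good signature from {keyid}, key trusted"
    elif good:
        verdict = (f"good signature from {keyid}, but key trust is '{trust}': the file is "
                   f"what that key signed; confirm the key's fingerprint out of band "
                   f"before relying on it")
    else:
        verdict = "no signature result reported"
    return VerifyResult(good, keyid, fpr, trust, verdict)


# Constructed sample 1: the thread's situation. The key was imported but never
# assigned trust, which Kleopatra words as "Not enough information to check
# signature validity".
STATUS_GOOD_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 22453004695506FD Animazing <animazing[at]gmail.com>
[GNUPG:] VALIDSIG 9914864DFC33499C6CA2BEEA22453004695506FD 2015-06-15 1434370260 0 4 0 1 10 00 9914864DFC33499C6CA2BEEA22453004695506FD
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed sample 2: the installer was altered, or the wrong .asc was used.
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 22453004695506FD Animazing <animazing[at]gmail.com>
"""

# Constructed sample 3: the .asc was checked before the signer's key was imported.
STATUS_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 22453004695506FD 1 10 00 1434370260 9
[GNUPG:] NO_PUBKEY 22453004695506FD
"""


if __name__ == "__main__":
    for name, text in (("good/untrusted", STATUS_GOOD_UNTRUSTED),
                       ("bad", STATUS_BAD), ("no key", STATUS_NO_KEY)):
        print(f"{name}: {parse_status(text.splitlines()).verdict}")
```

The first transcript is the one that matters for the thread: the installer is exactly what key 0x695506FD signed, and the remaining question is whether that key really belongs to the Electrum developer, which no signature check can answer by itself.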
techrun (OP)
Newbie
Offline
Activity: 22
Merit: 0
July 14, 2015, 10:07:40 AM
OK, thank you for that.
techrun (OP)
Newbie
Offline
Activity: 22
Merit: 0
July 14, 2015, 08:17:45 PM
It will say that as long as you haven't signed 0x695506FD, which you shouldn't do unless you've met them in person to verify they own 0x695506FD.
Would I be right in saying then that Kleopatra has successfully checked the Electrum signature, but it can't give me the complete OK because I don't know/trust Animazing personally?
TheButterZone
Legendary
Offline
Activity: 3010
Merit: 1031
RIP Mommy
July 14, 2015, 08:36:32 PM
It will say that as long as you haven't signed 0x695506FD, which you shouldn't do unless you've met them in person to verify they own 0x695506FD.
Would I be right in saying then that Kleopatra has successfully checked the Electrum signature, but it can't give me the complete OK because I don't know/trust Animazing personally? Yes....
Saying that you don't trust someone because of their behavior is completely valid.
pissedone
Newbie
Offline
Activity: 1
Merit: 0
June 05, 2016, 07:15:29 AM
It will say that as long as you haven't signed 0x695506FD, which you shouldn't do unless you've met them in person to verify they own 0x695506FD.
Would I be right in saying then that Kleopatra has successfully checked the Electrum signature, but it can't give me the complete OK because I don't know/trust Animazing personally? Yes.... ... then why in the FUCK would you have a PGP signature. Goddamit.
TheButterZone
Legendary
Offline
Activity: 3010
Merit: 1031
RIP Mommy
June 05, 2016, 07:42:09 AM
It will say that as long as you haven't signed 0x695506FD, which you shouldn't do unless you've met them in person to verify they own 0x695506FD.
Would I be right in saying then that Kleopatra has successfully checked the Electrum signature, but it can't give me the complete OK because I don't know/trust Animazing personally? Yes.... ... then why in the FUCK would you have a PGP signature. Goddamit. Because all these signers help establish to some degree of certainty that they are who they say they are. Especially ThomasV, the lead Electrum dev. http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&search=0x9914864DFC33499C6CA2BEEA22453004695506FD
Saying that you don't trust someone because of their behavior is completely valid.
oicu812ic
Newbie
Offline
Activity: 5
Merit: 0
December 27, 2016, 04:12:57 AM
... then why in the FUCK would you have a PGP signature. Goddamit. Ha that's funny. I found this thread because I am in the same dilemma of trying to verify a developer's signature. I'd like to know how you finally resolved this. Thanks.
Abdussamad
Legendary
Offline
Activity: 3640
Merit: 1571
December 28, 2016, 02:13:59 PM
... then why in the FUCK would you have a PGP signature. Goddamit. Ha that's funny. I found this thread because I am in the same dilemma of trying to verify a developer's signature. I'd like to know how you finally resolved this. Thanks.
You download the binaries from electrum.org. The public keys you grab from github. Both electrum.org and github would have to be compromised for the binaries to be fake. Furthermore you can check the web of trust, i.e. who trusts the gpg keys of animazing, thomasv and other developers. You can see that gpg public key fingerprints are the same as the ones specified above in this thread. There are so many different places where these things are discussed. Surely they can't all be fake?
Coin-Keeper
December 28, 2016, 08:24:48 PM Last edit: December 28, 2016, 08:36:41 PM by Coin-Keeper
GPG/PGP is my thing. I use it a lot and study it. Mentioned above but now I'll stress. VERIFY the published FINGERPRINTS of the keys against those in your keyring, and you can be certain you have the valid and actual key. There is NO way to make a fake key reflect the actual fingerprint of the real key. Mathematically impossible by any known means of computation. Anyone that would set or establish trust to a key without verifying the fingerprints is defeating the entire reason for such encryption validation. Assuming you have verified the fingerprints and assigned trust, what does that do for future file release signatures? Simple. When a file is signed by a GPG key the private keyset is required to make that signature. If a bogus file is released the bad actor will NOT have the private keyset making their signature invalid when YOU test the signature against the proven and trusted key. Only the actual keyset can sign a file that will pass the test against this mathematical comparison. Once you learn this process it takes a few seconds to do the test. A very important consideration to this verification is that MITM methods are becoming increasingly technical. There are sites that can fool some pretty advanced users and they look so real. As good as they are, they can't beat the math, so use the math to be sure!
This is very similar to how we verify and sign BTC addresses here. Given a specific btc address, only the holder of the specific private key can make a genuine signature using that specific address. Just glance at my signature and click the link if you need to visualize this.
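Coin-Keeper's advice, and Abdussamad's before it, is to compare the fingerprint published for a developer's key with the fingerprint of the key actually sitting in your keyring before assigning it any trust. The example below is added here and is not code from this thread, from GnuPG or from Kleopatra. It shows what that comparison involves: how a v4 OpenPGP fingerprint is derived from the public-key packet (SHA-1 over a 0x99 byte, a two-byte length and the packet body, per RFC 4880 section 12.2), why the long and short key IDs are just the tail of that fingerprint, and why only a full 40-hex-digit match should count. The published fingerprint is the one quoted in this thread; the RSA parameters used to build a sample packet, the `gpg --fingerprint` command named in a comment, and the helper names are assumptions for the example, and the fingerprint computed from the toy key belongs to no real key.

```python
"""Fingerprint checks for an imported OpenPGP key.

Added example, not code from the thread or from GnuPG/Kleopatra. A v4 key's
fingerprint is SHA-1 over 0x99 || 2-byte big-endian length || public-key
packet body (RFC 4880, section 12.2). The long key ID is its last 16 hex
digits, the short key ID its last 8. The published fingerprint is the one
quoted in the thread; the RSA parameters below are a constructed toy value.
"""
import hashlib
import hmac

# Fingerprint as a key server or project page would publish it (from the thread).
PUBLISHED_FPR = "9914 864D FC33 499C 6CA2 BEEA 2245 3004 6955 06FD"


def normalize_fpr(text: str) -> str:
    """Strip whitespace and an optional 0x prefix, upper-case the hex digits."""
    compact = "".join(text.split())
    if compact.lower().startswith("0x"):
        compact = compact[2:]
    return compact.upper()


def key_ids(fingerprint: str):
    """Return (long key ID, short key ID) derived from a 40-hex fingerprint."""
    f = normalize_fpr(fingerprint)
    return f[-16:], f[-8:]


def fingerprints_match(published: str, keyring: str) -> bool:
    """Compare two fingerprints after normalization, in constant time.

    Only a full 40-hex match counts. A matching short key ID (the last 8
    digits) is not evidence on its own: short IDs are small enough that
    another key with the same short ID can be produced.
    """
    a, b = normalize_fpr(published), normalize_fpr(keyring)
    return len(a) == 40 and len(b) == 40 and hmac.compare_digest(a, b)


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_pubkey_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 public-key packet for RSA (algorithm 1): version, time, algo, n, e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """SHA-1 over 0x99 || 2-byte length || body, as upper-case hex."""
    prefix = b"\x99" + len(packet_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + packet_body).hexdigest().upper()


# Constructed toy key: a 256-bit odd modulus and e = 65537. Real keys are far
# larger; the fingerprint procedure is the same regardless of size.
TOY_CREATED = 1434370260
TOY_N = 0xC3A1F0D94B2E7F1D5A8E6C7B9D1F3E5A7C9B0D2F4E6A8C1B3D5F7E9A1C3B5D7F
TOY_E = 65537
TOY_BODY = v4_rsa_pubkey_body(TOY_CREATED, TOY_N, TOY_E)


def check_imported_key(published: str, keyring_fingerprint: str) -> str:
    """Decision after reading the keyring's fingerprint (e.g. via `gpg --fingerprint`,
    an assumed command for this example)."""
    if fingerprints_match(published, keyring_fingerprint):
        return "fingerprints match: safe to assign trust to this key"
    return "fingerprints differ: do not trust this key; re-fetch it from the project's own source"


if __name__ == "__main__":
    print("published:", normalize_fpr(PUBLISHED_FPR), "-> key IDs", key_ids(PUBLISHED_FPR))
    print("toy key fingerprint:", v4_fingerprint(TOY_BODY))
    print(check_imported_key(PUBLISHED_FPR, "9914864dfc33499c6ca2beea22453004695506fd"))
    # A key whose short ID happens to be 695506FD but whose fingerprint differs:
    print(check_imported_key(PUBLISHED_FPR, "0" * 32 + "695506FD"))
```

The last line of the usage shows the failure mode the thread's posters warn about: a key with the same short ID 0x695506FD is rejected because the other 32 hex digits do not match, so the comparison must always be done on the whole fingerprint, not on the key ID that Kleopatra shows in its result message.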
oicu812ic
Newbie
Offline
Activity: 5
Merit: 0
December 30, 2016, 02:02:06 AM
Hi Coin-Keeper, can you go to this thread? https://bitcointalk.org/index.php?topic=1718549.new#new
You will see there that I asked for help downloading Electrum. Shorena kindly responded. I told him I don't know how to use digital signatures and he referred me to a thread that theymos composed. Okay, the SHA256 hash for Shorena's files checked out. But I am stuck on how to verify Shorena's digital signature. For one thing, I am assuming the digital signature he gave me is his own:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABCgAGBQJYIy94AAoJECvVgkt/lHDmHPoP/3tACXQ8mwNCXCG+eviO/xKs
mEZNU0kWK7SWK2B0FmKqbZrT9lk/kXYQ0ewSqOEovy7SHTWwqlAoqmuUoaD3UaK3
UQ/QIoQvegifOcLwiltnfDc35XmyjC/ZeThmEsRUmvPHz76rxQQRbs3bKDNQjHeo
ySd7hZ0CVp90wTPwR9tYJ//XP38bb/cDJ3732kmTZkSnil6d2iZ5cSZnM8As7rcg
M/iEhSActjy8Iv4AzSD34GGEJwbagkIIcU68JETyIGOUqpDMDiDJTiGs6GnfJ+PP
J/q2MSbqustinavSCwgFmp49ZdU59h71F98DWOL+v76i5bmGHwxSrx2PalwAmQ02
gvmaLoMAS6qdRJIcCCFoemV1b4UaNdMBGvyGeo0Vl/1dpzC7u2W9DlIWcNb8zap6
a2+eU6m5ntkaPrKdgBetXSj3YYS6l1EtnRQwIxLsF4BgZJVAoGBkqvYEUkhMa5H4
RrNaDKdSyl7Qy9fnmM7CRrGHzw/wM7rHatlrU8034S0+xnlnZeB/nZ2/gZVOWFHP
1Kohxr3T0Uz5o3FP8EwYKd4OyHrxFGjQtJlwqy8aar/PeKTTHyBZxYEXOkd3wsio
kWoR+FL16UyUT64Hzwfo/uPEcW3AGxrrtDv1wzuupjvZoZSIZjBdjuO8XYZYCv4v
nFw0vJXx009GrwcRbvJZ
=wGyo
-----END PGP SIGNATURE-----
From the page he gives:
But I don't know how to find the key from that page! Where is it? But even if I know that it came from that page, how do I verify the signature? I installed Kleopatra, but when I copy the signature into clipboard the choice to verify is grayed out.