Electrum validation not possible!

[MixMAx123]

For some time now I have been trying to verify the authenticity of the standalone executabel "electrum-3.0.2.exe.

I'm pissed off because I'm not able to check the authenticity and there is no evidence on the page https://electrum.org/#download!

- Where is the hash in the signature?
- Why is signature with gpg4usb diagnosed as FALSE?
- Why is the Portable Version recognized as VIRUS?

Your work in all honor, even if the software is free, you still have RESPONSIBILITY!
How should please check the normal user's authenticity if you have not even got the hashes in the signature?

There are no instructions on your side how to verify the authenticity of your signature. That does not work like this!

Are you not interested in the fact that there are various fake sites on the net that copy https://electrum.org/#home and spread scam software?

I expect an opinion!
Until then I will understand https://electrum.org/#home as fraud software and spread!

[xdrpx]

To begin with inorder to verify your portable electrum's signatures you'll need the following:

1) https://download.electrum.org/3.0.2/electrum-3.0.2-portable.exe.asc (The signature to the electrum 3.0.2 portable binary)
2) The portable binary file (download this from electrums website. I'm presuming you have already.)
3) ThomasV's signatures which he uses to sign the executables. https://pgp.mit.edu/pks/lookup?op=get&search=0x2BD5824B7F9470E6

To ease your process of verifying the signatures I've already written the steps over here - https://bitcointalk.org/index.php?topic=2463893.msg25237293#msg25237293 (Also the 4th point will take you to another thread where I've written how to add ThomasV's public keys as trusted on your local PC)

I haven't used gpg4usb, so I'm unable to comment on how it works.

About the virus, most of it are false positives from previous anti-virus scans. Most of these anti-viruses have updated their databases with the correct results and now it isn't listed as a false-positive anymore - https://www.virustotal.com/#/url/b16a36b41b609e5e7a20b0494570f57807aca88575081ddfaf9456fb17655007/detection

If you still don't trust the binaries, I recommend you build from source which I've also written steps for in the bitcoin thread of mine above. This will be for your comfort so as to ensure that you feel safe since you're building from source. I hope this eases your anger

[MixMAx123]

Could you please send the hash of electrum-3.0.2.exe !!!

I will try it with your guide yet.
But I still do not understand why they can not copy the HASH (SHA-256) in the signature? That would save a lot of work!

Many thanks for the answer!

Could someone please send me the hash!

[MixMAx123]

The signature is FALSE !





In your instructions but only explains how to verify the signature. I would like to check the electrum.exe! What will Sigantur bring me if the .exe is the wrong one?

Please put the HASH in the signature!


Edit: This is what the Signator looks like from the Bitcoin Cor.
Why can not they put the hashs in the box?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

d64d2e27cad78bbd2a0268bdaa9efa3f1eca670a4fab462b5e851699c780e3a0  bitcoin-0.15.1-aarch64-linux-gnu.tar.gz
ceba092c9a390082ff184c8d82a24bc34d7f9b421dc5c1e6847fcf769541f305  bitcoin-0.15.1-arm-linux-gnueabihf.tar.gz
231e4c9f5cf4ba977dbaf118bf38b0fde4d50ab7b9efd65bee6647fb14035a2c  bitcoin-0.15.1-i686-pc-linux-gnu.tar.gz
b6771c5d67fb6b9c4882cc351e579470a008211d76407155e544b28b00fcd711  bitcoin-0.15.1-osx64.tar.gz
0ce5ca1ba424603526d8a40d9321f1f735797a7205a7fbbe39561c078f2a0858  bitcoin-0.15.1-osx.dmg
34de2dbe058c1f8b6464494468ebe2ff0422614203d292da1c6458d6f87342b4  bitcoin-0.15.1.tar.gz
cc7a31d8fece1462955bddef87945420721e42cfe6af589a36547b0940851765  bitcoin-0.15.1-win32-setup.exe
4d2ad1371df1904367955d3f250212d0edd9f338c26d5cd60d7d8ce3f1733f5a  bitcoin-0.15.1-win32.zip
905a5999fb52b083d7e3bedb2dc6704ca641823f81865db58a55a6a20b454d8c  bitcoin-0.15.1-win64-setup.exe
b858521496c0d7699a6916c20767cdb123eb39be70ffc544d6876b08af3b696a  bitcoin-0.15.1-win64.zip
387c2e12c67250892b0814f26a5a38f837ca8ab68c86af517f975a2a2710225b  bitcoin-0.15.1-x86_64-linux-gnu.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJaBwCWAAoJEJDIAZ42wulkUREQAIBqO799fgiPJG+Nwvd7zNrN
cxRBw5aZOV70nZb0uhhaRwJm1roIMYGcZwdwSdumg0fH0772fbvReqwd6dq8aDme
RqPZPGy2PnDl5DFvD3I66jKFnxDv+5JYhR16Rx5KS7SPH/X1HbnZkiI020pRZtRV
x5P75K466/PJl17c6ESNBghKLup71ZvsfKgTDRng81IGvb0P7RMWRiHlhD47LkoS
lPcprP/abikboXhaYSwBK7JEp5tiKbtACZTdzVT91xy4kDUoyNdR6c6SylD+81xl
xjDBrW33pVf1XseQOao1JQ2J6G2WwtOyiFupf0xadi8BvsNcT7jlHW2+QfHJuQDu
4qdcEWAJNVSpEii8s2EewVqr1ZJl6n+wGZd615cLBTvx59qyhKrfui9ddA6n9r+d
njseBiOf7Azk+kygJQGG/LuLr8yM3IJd4epiK7jeDfCNkYkck+2jInQLwteTCWVD
1DmG0mgGVVZ7NvEyK4AvR0djk2+a6948Alog4SDN9KNjC7KTuznlKr77yPntKjXc
NIcHTx0oLCS4l86sfAd6hprJlC9/HJ1EH1c/EYICvq1zmrTzhEu7MHZT2THsPHE/
V9wfYwqfIwU3BUyYQJCQrNsqfGix67tf27E+A8PiNWDtTXj46WLtJHUgcJleYzze
mN90rQS7PO1XX3//5nKh
=6mwW
-----END PGP SIGNATURE-----

[xdrpx]

Since you're looking to check the data integrity of your exe file, the checksums aren't provided on the website but you can verify it with mine if you need to. I have downloaded all the binaries from the torrent file linked on the website and here's my checksum values:




1491c3888ccaadacd795f8e1da247e05 [MD5]
423186aa79c0e245e17ffece79d5a15464de44ac [SHA-1]
adbe7a02700ec0466af70dbd842a3fb5f26e142f03ce41bb3f275c79310b873e [SHA256]

The signatures are the only things provided on the website because if the binaries were to be maliciously replaced on the website, then you could verify the data autheticity using signatures which could not be done with checksums. Also, checksums can only be used to check if the data you've downloaded isn't partial or damaged, but there's no element of trust tied to it. There's also the risk of hash collisions with checksums and any malware could easily manipulate it. I'm only providing you the checksums since you've asked, but it's not the way to check data authenticity.

[MixMAx123]

"Since you're looking to check the data integrity of your exe file, the checksums aren't provided on the website"   I do not understand that?

But thanks for the hashes!

For me, this is now alright and done. Many Thanks!

But for others, the hashes should be in the signature!




Edit: Do you mean that I can check the data integrity with the signature like a hash?
So far I was aware of the possibility by a hash. And I still think SHA-256 is very safe! Kollisoienen and manipulations the hash I do not consider possible.

[xdrpx]

"Since you're looking to check the data integrity of your exe file, the checksums aren't provided on the website"   I do not understand that?

But thanks for the hashes!

For me, this is now alright and done. Many Thanks!

But for others, the hashes should be in the signature!

All I meant there was the checksums aren't provided on the website, but since you wanted to verify the integrity of the .exe file I had shared the same with you after downloading the files myself.

There's already been discussions here https://github.com/spesmilo/electrum/issues/3243 and here https://bitcointalk.org/index.php?topic=1892435.0 about data integrity and I hope they would help you understand better. A comment by pooya87 on the 2nd thread should probably let you know that downloads often are well handled by modern download managers and browser to prevent such issues.

[MixMAx123]

Do you mean that I can check the data integrity with the signature like a hash?
So far, only the possibility was known to me through a hash. And I still think SHA-256 is very safe! Kollisoienen and manipulations the hash I do not consider possible.
Of course, only if the hash is part of the signature.

[Coin-Keeper]

Since you're looking to check the data integrity of your exe file, the checksums aren't provided on the website but you can verify it with mine if you need to. I have downloaded all the binaries from the torrent file linked on the website and here's my checksum values:




1491c3888ccaadacd795f8e1da247e05 [MD5]
423186aa79c0e245e17ffece79d5a15464de44ac [SHA-1]
adbe7a02700ec0466af70dbd842a3fb5f26e142f03ce41bb3f275c79310b873e [SHA256]

The signatures are the only things provided on the website because if the binaries were to be maliciously replaced on the website, then you could verify the data autheticity using signatures which could not be done with checksums. Also, checksums can only be used to check if the data you've downloaded isn't partial or damaged, but there's no element of trust tied to it. There's also the risk of hash collisions with checksums and any malware could easily manipulate it. I'm only providing you the checksums since you've asked, but it's not the way to check data authenticity.

For the record:  anything less than SHA256 is considered completely inadequate (cryptographically) at this point.  MD5 and Sha1 have been compromised and shown to be less than needed.  Sha256 is decent but it relies upon knowing you are downloading from the actual site.  If I were to host a man in the middle site with bogus files I would also place a sha256 matching sig on my site that matches the bogus file.  This way when you confirm the sha256 you think you have the real deal.  Only using the PGP/GPG key allows for certainty.  This point may seem moot but think about my example here.  It would be easy to do!

[MixMAx123]

Absolutely correct is that everything is safe only from SHA-256!

As I have repeatedly demanded the hash in the signature!
A fake signature with a false hash would not be possible!

Writing the hash on the website is not safe!

[MixMAx123]

" If I were to host a man in the middle site with bogus files I would also place a sha256 matching sig on my site that matches the bogus file."

Then the signature would be wrong!
That could be checked immediately!

[HCP]

Your problem, is that you are attempting to use "Bitcoin Core" process... on "Electrum".

Bitcoin Core just create a PGP signed "text message" that includes the SHA256 checksums of their download files.
Electrum on the other hand, digitally signs the installer files themselves... and gives you a copy of the "signature" file with which you can verify the installer file.

Your "gpg4usb" app only seems to support verifying text messages... not verifying the digital signature embedded in a binary installer file.


Also, was it really necessary to spam 5 different threads whining that your preferred way of verifying files is not how ThomasV has chosen to implement file verification?

[MixMAx123]

Yes it is necessary! There are a lot of people who have problems with the signature.
Because testing with PGP is outdated and too complicated!
Writing the hash in the signature, as it is with Bitcoin Core, would be a bit easier for the users.
There is not even a reasonably good guide on the Electrum website!

Many users complain about it!

Here there is urgent need for action!

Therefore, it is absolutely necessary that I spam and howl here.
If I can achieve something positive through this, I like to be evil.

[ranochigo]

Yes it is necessary! There are a lot of people who have problems with the signature.
Because testing with PGP is outdated and too complicated!
Writing the hash in the signature, as it is with Bitcoin Core, would be a bit easier for the users.
There is not even a reasonably good guide on the Electrum website!

Many users complain about it!

Here there is urgent need for action!

Therefore, it is absolutely necessary that I spam and howl here.
If I can achieve something positive through this, I like to be evil.

Testing with PGP is also the safest.

With Bitcoin Core, you are supposed to verify the validity of the message first BEFORE matching the SHA256 with your download. The main problem is with that, many people are skipping the first step and directly to the second. This essentially gives them a false sense of security. PGP is not outdated nor complicated. It's basically just importing the key (same as Bitcoin Core) then verifying it. I'm using gpg4win and that doesn't seem complicated at all.

If you're going to provide a sense of security, might as well as ensure that people are doing it right.

[MixMAx123]

If it's that easy with gpg4win, can you show me a simple tutorial?

[ranochigo]

If it's that easy with gpg4win, can you show me a simple tutorial?

Sure.

1. Import ThomasV's key by going to https://electrum.org/#download and click on the link at the header, download his public key and import it.
2. Download both the file you are using and the signature file. Make sure that they're in the same directory.
3. Click on decrypt/verify. Select the signature file.
4. Look at the certificate and verify it against the one you've imported.
5. If it matches, you will know ThomasV signed it.

Just for the sake of verifying it, I've done it myself all from scratch. No difficulties at all, if you have any, feel free to post here, would be good for others too.

[MixMAx123]

That is very nice of you!
I will document every step in this post.
And always edit it.
To make it easier for the following users

1.   Download gpg4win
https://www.gpg4win.de/index.html    download gpg4win-3.0.1.exe   (SHA-256:   f05e5d272a794002149effc516f4b32f62fa575563f632b084bd044017b1206f   )

2. Install gpg4win-3.0.1.exe  (Win.10)
Select components to install: Cleopatra, GpgOL, GpgEX

3. Run "Kleopatra"  
- The program is now called Kleopatra, for whatever reason.

4. go on Webseite: https://electrum.org/#download
- click on ThomasV on the line which says: "Sources and executables are signed by ThomasV"
 How do I get this image displayed directly here?
- click on the first line, where it says pub.

- You should see a line with dashes and it says "Begin Public Key Block". Copy the text from the first hyphen to the end of the document in the clipboard (Ctrl + C)

4. switch to Kleopatra

- go to Kleopatra and press Clipboard and press Certificate Import
- A message will appear, then read and confirm it. The ThomasV certificate is now imported into Kleopatra

5. Go back to the Electrum website
http://www.bilder-upload.eu/upload/4b87fb-1512312271.png
- Create a new folder on your PC and upload your desired file to this folder
- Click on the corresponding "signature" on the Electrum website
http://www.bilder-upload.eu/upload/48492f-1512312958.png
- The signature must be copied back to the clipboard
- Create a new (empty) text file in the same folder where you saved the Electrum software.
- The filename of the text file must be the same as that of the program, additionally with .txt at the end: "electrum-3.0.2.exe.txt"
http://www.bilder-upload.eu/upload/d16cef-1512335523.png
- Now copy the contents of the clipboard into the text file

6. switch to Kleopatra
- Click on decrypt/verify Select the signature file

- Click on the signature text file you have created
- Now the following message appears:



Now they are ready :-)

Whether that is so right, I can not judge. And what this message has to mean me is not really clear.
Is the signature correct?

It would be very nice, if someone from the forum corrected my instructions again and translated into a beautiful English. I translated it only with Google Translate.

In addition, it would be of great interest to post this or any other suitable tutorial on the website of Electrum!

Many Thanks!

[ranochigo]

2. Install gpg4win-3.0.1.exe  (Win.10)
Select components to install: Cleopatra, GpgOL, GpgEX that's right ?

To be honest, the installation process was just me pressing next all the way. But yes.

3. Run "Kleopatra"   Why is the program now called "Cleopatra"? Very confusing!  is that´s right?

Yeah, I don't really like gpg4win too but its pretty easy once you get started.

Which link?

Click on ThomasV on the line which says:

Sources and executables are signed by ThomasV

. Should bring you to a link.

Do you mean this link? https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6

It's that, as of this post.

How to download, and where and how to import? Which format does this key have, is it a text file a binary file or what?

Just click on the first line, where it says pub. You should see a line with dashes and it says "Begin Public Key Block". Copy everything down. Next, go to kleopatra and press clipboard and press certificate import.

[MixMAx123]

I finished now the complete instruction in the upper contribution. With beautiful pictures. :-)

Whether that is so right, I can not judge. And what this message has to mean me is not really clear.
Is the signature correct?

It would be very nice, if someone from the forum corrected my instructions again and translated into a beautiful English. I translated it only with Google Translate.

In addition, it would be of great interest to post this or any other suitable tutorial on the website of Electrum!

Many Thanks!