Bitcoin Forum
October 23, 2019, 01:10:49 AM *
News: Help collect the most notable posts made over the last 10 years.
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: What is "Animazing" and why does it come up with ThomasV's pub key?  (Read 138 times)
sedate
Newbie
*
Offline Offline

Activity: 5
Merit: 2


View Profile
March 15, 2019, 07:28:10 PM
Merited by LoyceV (1)
 #1

So I'm trying to verify my 3.3.4 installer like a good little bitcoiner and keep running into stupid + weird problems.

Discussing the electrum.org/#download page ->

When I try to grab ThomasV's public key from the top link, I get shunted to some login page for analytics.sumptuouscaptial.com.

When I try to grab ThomasV' public key from the bottom link I get some weird key - in addition to the usual ThomasV key with the verified fingerprint another certificate called "Animazing@gmail.com" comes up with a totally different print.

I'm definitely looking at electrum.org.

When I actually try to decrypt the sig file with the installers, I always get

"Kleopatra: COuld not open file <> for reading: input/output error (218136625)"

I'm getting this result from like 3 versions of Kleopatra including the latest.

What in the world am I doing wrong?
1571793049
Hero Member
*
Offline Offline

Posts: 1571793049

View Profile Personal Message (Offline)

Ignore
1571793049
Reply with quote  #2

1571793049
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1571793049
Hero Member
*
Offline Offline

Posts: 1571793049

View Profile Personal Message (Offline)

Ignore
1571793049
Reply with quote  #2

1571793049
Report to moderator
1571793049
Hero Member
*
Offline Offline

Posts: 1571793049

View Profile Personal Message (Offline)

Ignore
1571793049
Reply with quote  #2

1571793049
Report to moderator
jackg
Copper Member
Legendary
*
Online Online

Activity: 1526
Merit: 1323


https://bit.ly/2FR9nyn - free python tutorials


View Profile
March 15, 2019, 07:41:12 PM
 #2

Assuming you mean the main page, one of those links takes me here: https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc

I think that's right?

sedate
Newbie
*
Offline Offline

Activity: 5
Merit: 2


View Profile
March 15, 2019, 07:46:36 PM
Merited by LoyceV (1)
 #3

Ya that one. 

C&P into notepad and save as .asc, import.  Right?

Import that key and it comes up as "Animazing@gmail.com" signed 1/15/2013 with the wrong fingerprint.

Somewhich way the ThomasV key with the fingerprint from here:

https://www.youtube.com/watch?v=hjYCXOyDy7Y

Also got imported.

But regardless nothing will decode or verify everything returns this i/o error either a generic one or with this code: 218136625

I've tried this on three different computers now on three versions of kleopatra.  I feel like i'm taking crazy pills.
DireWolfM14
Hero Member
*****
Online Online

Activity: 546
Merit: 797



View Profile WWW
March 15, 2019, 08:01:38 PM
Merited by vapourminer (1), Lucius (1), nc50lc (1)
 #4

C&P into notepad and save as .asc, import.  Right?

The sig file has to have the exact same name as the executable file with .asc as the final extension.  
So, just like this:
Code:
electrum-3.3.4-setup.exe.asc


Import that key and it comes up as "Animazing@gmail.com" signed 1/15/2013 with the wrong fingerprint.

If you go to the download page on electrum.org, near the top of the page there's link to ThomasV's public key hosted on gnupg.net.
Look for the text "Sources and executables are signed by ThomasV," and click on the link.  It'll take you to this page:
http://keys.gnupg.net/pks/lookup?search=0x6694D8DE7BE8EE5631BED9502BD5824B7F9470E6&fingerprint=on&op=index

I've seen Animazing@gmail.com included in ThomasV's public key, so I don't think there's anything wrong there.
sedate
Newbie
*
Offline Offline

Activity: 5
Merit: 2


View Profile
March 15, 2019, 08:13:59 PM
 #5

Okay okay I swear I'm not trolling ->

If I am my desktop and point Chrome (desktop PC, not really secure, no BTC here) at that keys.gnupg.net link I get the right info with the ThomasV public key.

If I point my laptop (brand new clean laptop, where I'm trying to install electrum) at that site, I get shunted to something called analytics.sumptuouscapital.com with a plain generic login page and a link to a web analytics company called "matomo"

http://keys.gnupg.net/pks/lookup?search=0x6694D8DE7BE8EE5631BED9502BD5824B7F9470E6&fingerprint=on&op=index

I know this is the right page but it will seriously *not* come up..  Huh Huh
sedate
Newbie
*
Offline Offline

Activity: 5
Merit: 2


View Profile
March 15, 2019, 08:35:16 PM
 #6

Okay so I dunno what but if I use a different browser I don't get shunted to the analytics page..

Thanks for the info about the precise file name I didn't realize that.

Any idea what i/o error 218136625 means?
jackg
Copper Member
Legendary
*
Online Online

Activity: 1526
Merit: 1323


https://bit.ly/2FR9nyn - free python tutorials


View Profile
March 15, 2019, 08:39:43 PM
 #7

I get this when clicking the ID link? http://keys.gnupg.net/pks/lookup?op=get&search=0x2BD5824B7F9470E6

I should say I haven't verified the signature for electrum as whenever I run it on Windows my AV tells me who signed it (I think it's the AV anyway).

https://www.google.com/amp/s/amp.reddit.com/r/GnuPG/comments/2q73b6/verifying_gnupg_itself/ an issue with the files probably as this seems to suggest an error occurs while someone updates the gpg software and tries to test the signature of the update Grin. One of the reasons I trust hashes more than signatures in this case. I find it more likely that 7zip and other hash processors will be compromised compared to the gpg software (there's more at stake with gpg).

sedate
Newbie
*
Offline Offline

Activity: 5
Merit: 2


View Profile
March 15, 2019, 09:04:08 PM
 #8

Thanks I'm not sure why that one web browser keeps getting shunted to that page but I got the right key imported.


I should say I haven't verified the signature for electrum as whenever I run it on Windows my AV tells me who signed it (I think it's the AV anyway).


LOL.  Honestly I never thought I'd be so paranoid about installing anything before.  I'm *not* naive when it comes to computer security I can imagine *so many* attack vectors I'm scared of everything.

Not sure realistic some of them are, but BTC is a ripe, ripe target ya know.
HCP
Legendary
*
Offline Offline

Activity: 1120
Merit: 1838

<insert witty quote here>


View Profile
March 15, 2019, 09:17:15 PM
 #9

Yeah, trying to follow the http ://keys.gnupg.net... link also redirects me to the https ://analytics.sumptuouscapital.com... page ??!? Shocked Huh

Very strange... I suspect some sort of DNS issue somewhere along the line... possibly because my local router is configured to use OpenDNS? Huh

Just FYI, out of all the GPG keyservers that are listed when you search "gpg keyserver" on Google, the most reliable I've found seems to be: https://keyserver.ubuntu.com/ Most of the others return errors Undecided


G3nijalac
Member
**
Offline Offline

Activity: 87
Merit: 10


View Profile
March 15, 2019, 11:06:18 PM
 #10

#1 make sure you are at https://electrum.org type it in manualy

#2 make sure that when saving the signature to switch to save as All File Types and if the name is ending in .txt erase it before saving
     once saved it should have a blue lock icon and it will work then

#3 try and use ThomasV signature if possible for your OS/version to be extra safe. otherwise make damn sure that the sig attached is in official safe list
     before checking it.

Abdussamad
Legendary
*
Offline Offline

Activity: 2254
Merit: 1200



View Profile WWW
March 16, 2019, 07:20:09 AM
 #11

Animazing was a developer who contributed to electrum in the past. He used to sign the windows releases.

Here's a guide to verifying the sig with kleo.

Don't copy paste the signature or the public keys. Instead use your browser's save file function.

zetzetzet
Newbie
*
Offline Offline

Activity: 8
Merit: 0


View Profile
March 20, 2019, 03:43:47 PM
 #12

Hi!
I have just started to upgrade Electrum wallet.

1. Why sign is other? Why ThomasV's key in 3.3.4 is different than in 3.3.3?
Was https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6
Now is https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
Wtf?

2. Who is "animazing"?

3. Is Electrum.org hacked?
I don't trust Electrum anymore!

https://i.imgur.com/0WMpwk7.png

4. Anybody know, what is going on?
TryNinja
Legendary
*
Offline Offline

Activity: 1162
Merit: 1568



View Profile
March 20, 2019, 03:46:45 PM
 #13

-snip-
Did you even read the thread?

I know you are that gut which *for some reason* simply hates signatures and loves hashes, but can you stop with the trolling? That’s just pure ignorance.

Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!