Electrum verification

[godfreybiz]

I am trying to verify Electrum for Linux downloaded from the Electrum website and got the following:

sudo gpg --verify Electrum-3.3.4.tar.gz.asc
gpg: WARNING: unsafe ownership on homedir '/home/me/.gnupg'
gpg: assuming signed data in 'Electrum-3.3.4.tar.gz'
gpg: Signature made Wed 13 Feb 2019 22:08:29 GMT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

What do I do?

[TryNinja]

Everything is right.

It says "This key is not certified with a trusted signature!" because you haven't manually trusted ThomasV's key. But if you imported it right, it matches with the signature of the file you downloaded.

[HCP]

Further to this... the important part is this:

gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]

That means that the signature is OK


If the signature wasn't valid (ie. fake file)... you'd see something like this:

gpg: Signature made Wed 13 Feb 2019 22:08:29 GMT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: BAD signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]

[bassmaster]

Yep, everything is correct with this.
Disregard the "warning" -- gpg has a terrible UI.

[HCP]

Also, as someone pointed out in another thread... The key fingerprint needs to be ThomasV's... And should show as:

6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
Or
2BD5 824B 7F94 70E6
Or
7F94 70E6

That indicates that you have imported the correct public key belonging to ThomasV

[bassmaster]

6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
Or
2BD5 824B 7F94 70E6
Or
7F94 70E6

That indicates that you have imported the correct public key belonging to ThomasV

The last option is not secure.  32 bit key ids can easily be faked and have been many times.
Use the full SHA1 fingerprint to verify.