How verify Electrum signature

[Darooghe]

Hello

I downloaded "Kleopatra".
Then i copy "public key" from https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc.
Then i pasted all of them into "Kleopatra" by "certificate import" button:
I got this:



Then i downloaded "electrum-3.3.4-setup.exe" & "electrum-3.3.4-setup.exe.asc" from https://electrum.org/#download
Then i put both of them in the same folder
Then i click on "decrypt/verify" button and choose "electrum-3.3.4-setup.exe.asc".
Finally i got this:
The data could not be verified



Is everything OK or i did something wrong?
Is the signature matches with the files?

I did also the above instruction with "Electron cash" and got the same thing.

[TryNinja]

This just means that you haven't manually trusted ThomasV's key. The signatures are matching.

Right-click on ThomasV's name and select "Certificate"; Follow the quick steps and his "User-ID" will change from "not certified" to "certified";
Then, do the verification again and it will show a green message.

[HCP]

Alternatively, simply click the "Show Audit Log" link shown in your screenshot... it'll show the commandline output... you should see:

gpg: Signature made 02/14/19 11:08:30 New Zealand Daylight Time
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

You can safely ignore the "warning: this key is not certified with a trusted signature", as TryNinja explained, it just means that you haven't personally trusted ThomasV's signature

Again, as long as you see the bold line that says: "gpg: Good signature", then everything is OK.



For the record, if the signature was "invalid", Kleopatra would warn you with a big red highlight like this:


"Invalid Signature"... and "Bad Signature"... and in the "show audit log" (or on the commandline), you'd see:

gpg: Signature made 02/14/19 11:08:30 New Zealand Daylight Time
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: BAD signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]

[igor72]

Alternatively, simply click the "Show Audit Log" link shown in your screenshot... it'll show the commandline output... you should see:

gpg: Signature made 02/14/19 11:08:30 New Zealand Daylight Time
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

You can safely ignore the "warning: this key is not certified with a trusted signature", as TryNinja explained, it just means that you haven't personally trusted ThomasV's signature

Again, as long as you see the bold line that says: "gpg: Good signature", then everything is OK.

This is not completely accurate. Two conditions must be met:
1. Absence of “Bad Signature” or “Invalid Signature”
AND
2. The key must match the 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 (or 2BD5 824B 7F94 70E6).

Fake signature example:

[N00B4L]

click the "Show Audit Log" link shown in your screenshot... it'll show the commandline output... you should see:

gpg: Signature made 02/14/19 11:08:30 New Zealand Daylight Time
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

First time verifying and I think i followed the instructions correctly, double checking that this output is OK.

There is no "Bad/Invalid" and it says "good signature" and the fingerprint matches so I am guessing the difference is trivial, but i get an audit log without 2 of Thomas V's aliases:

gpg: Signature made 02/13/19 16:08:30 Central Standard Time
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
~this line/alias is missing/different~
gpg: Good signature from "ThomasV <thomasv1@gmx.de>" [unknown]
~this line/alias is missing~
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

[TryNinja]

First time verifying and I think i followed the instructions correctly, double checking that this output is OK.

There is no "Bad/Invalid" and it says "good signature" and the fingerprint matches so I am guessing the difference is trivial, but i get an audit log without 2 of Thomas V's aliases:

gpg: Signature made 02/13/19 16:08:30 Central Standard Time
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
~this line/alias is missing/different~
gpg: Good signature from "ThomasV <thomasv1@gmx.de>" [unknown]
~this line/alias is missing~
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

The primary key fingerprint matches and the signature returned “good”, so that’s what matters. You are fine.

[N00B4L]

Thank you.