Electrum Authentication through GPG keychain

[valentin.raich]

hi, can anybody help me to get the right Electrum's public key I need to enter in the GPG keychain - so that I can verify my electrums download in a second step. What I found so far is from 2017 - its the Thomas Voegtlins public key "0x2bd5824b7f9470e6" - but when I am entering this in the PGP's "lookup for keys" search it doesnt find it.
Thanks a lot
Valentin

[TryNinja]

You can get his key from the Electrum's github repo: https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc

(Double check this is the real repo, do not trust me. )

[OcTradism]

How to Safely Download and Verify Electrum. You can read it and practice. In that thread, there are some links to official sources of Electrum wallet but as Try Ninja advised, don't trust him, trust me nor DireWolf. Check and verify.

[o_e_l_e_o]

Electrum's public key

Electrum doesn't have a public key. ThomasV, as the lead developer of Electrum, signs the releases using his public key.

but when I am entering this in the PGP's "lookup for keys" search it doesnt find it.

What directory are you searching in?

I can also verify the key you have shared is correct, but as above, you shouldn't trust random people on the internet. You can also find his key at the following places:

http://keys.gnupg.net/pks/lookup?search=0x2bd5824b7f9470e6&fingerprint=on&op=vindex
https://pgp.key-server.io/pks/lookup?search=0x2bd5824b7f9470e6&fingerprint=on&op=vindex

[valentin.raich]

Thanks guys so far - I took everything (ThomasV signature, the download itself and the signature of the download) directly from electrum.org but in the end GPG says "Untrusted signature - This signature is not to be trusted"
I must say - I am really not too familiar with this computer stuff - any ideas? 
Thank you

[TryNinja]

but in the end GPG says "Untrusted signature - This signature is not to be trusted"

This just means that you haven't manually set the key you imported as "trusted". The signature matches, which is the important part, but... what does that mean? What if you used a random/fake key and it matched? The software doesn't know if the key is really from ThomasV, so that's why they give this warning.

I think you can set it as trusted by right clicking it and choosing whatever option is there (depends on the software you are using).

[valentin.raich]

...I set it to trusted manually - I understand the point you are mentioning - about trust - at one point in the chain you need to trust...which is probably not justified
so if I got you right - the authentication process is ok so far - just wonder why it says not trustworthy even I set it to "trusted" before

[valentin.raich]

...I see...now I set the option "Ownertrust" from "full" to "ultimate" and now it says "Absolute trusted signature"
but I got your important point that actually its just trustworthy  if I get the signature from ThomasV personally
Thanks a lot