Electrum Mac - Verify signature on electrum DMG - Not trusted -

[cr256]

Hi All. Im new to everything bitcoin. This is my first post.

I am trying to install electrum on my mac desktop. Downloaded GPG keychain, electrum dmg and electrum asc files.

Installed thomas V's key on GPG using key from here: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/

When I attempt to verify signature of the electrum dmg file, it says 'untrusted file' 'signature not to be trusted'

Ive tried many times, downloading the files form electrum.org, reinstalling thomas v's key in GPG, but always the same response when i try to verify.

Can anyone offer any assistance? From what i see, the electrum.org dmg file is corrupted, but there's probably something I'm not doing right.

Thanks

Cor

[Jating]

I'm using a Mac myself but I didn't encounter any problem whatsoever. Maybe this thread can help you out.

[GUIDE] How to Safely Download and Verify Electrum [Guide].
How to verify your Electrum [Windows, Linux, Mac].

Or if you can't really find the answer, maybe you can go to this board and ask the question there: https://bitcointalk.org/index.php?board=98.0

[cr256]

Thanks both of you. One last try on this thread. I used home-brew and got this message:

$ gpg --verify electrum-4.0.4.dmg.asc electrum-4.0.4.dmg
gpg: Signature made Fri 16 Oct 05:21:39 2020 AEDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: key 2BD5824B7F9470E6: no user ID
gpg: Total number processed: 1
gpg: Can't check signature: No public key



When I use GPG Keychain it says - Untrusted signature. Thomas V ..... This signature is not to be trusted
It doesnt say Bad, or Error, just that is is Thomas V and not to be trusted.


So from another thread in this forum it says:

usually people don't add the key to their list of trusted keys so the verification result always has a warning that confuses most people. it is along the line of saying something like this:
Code:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
sometimes people confuse this with the signature not being valid whereas all it says is that they key is not saved in their local database as a trusted key.


Does this mean it is ok?

[Husna QA]

-snip-
When I attempt to verify signature of the electrum dmg file, it says 'untrusted file' 'signature not to be trusted'

Ive tried many times, downloading the files form electrum.org, reinstalling thomas v's key in GPG, but always the same response when i try to verify.
-snip-

That's because you haven't changed the Owner trust Thomas Voegtlin setting on the GPG Keychain.
Here I try to provide a guide:

• Open the GPG Keychain application
• Open ThomasV's PGP Public Key: https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
  (You can see the link on https://electrum.org/#download)
• Select all the text, then copy.
• Switch to GPG Keychain, then usually a message of choice will appear to import the key.
  
  
• After import the key, double-click the Thomas Voegtlin key. In the Owner Trust column, select Full or Ultimate:
  
  

The next process: verifying Electrum and its Signatures

• Make sure to download Electrum from the official website: https://electrum.org/#download
• Save the Electrum File and the appropriate Signature in the same folder, for example,
  Electrum for mac: https://download.electrum.org/4.0.4/electrum-4.0.4.dmg
  Signature: https://download.electrum.org/4.0.4/electrum-4.0.4.dmg.asc
• Right-click on Electrum software, choose Services - Open PGP: Verify Signature of File:
  
  
• If it is true, then you will get a message like the following:
  
  

[MusaMohamed]

Verifications (with signature and documents).

On Electrum.org website and its page for documentation https://electrum.org/#documentation, they emphasize there are official documentation and unofficial guide:

Documentation
    Official documentation: electrum.readthedocs.io
    Unofficial guide: bitcoinelectrum.com

Bitzuma.com and that article is unofficial guide: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/. It was updated on Updated November 28th, 2017 (3 years ago) and Electrum wallet released its new version 4.0.4.

If you get technical troubles with Electrum wallet, you can create topic in Electrum board.

[Husna QA]

Verifications (with signature and documents).

On Electrum.org website and its page for documentation https://electrum.org/#documentation, they emphasize there are official documentation and unofficial guide:

Documentation
    Official documentation: electrum.readthedocs.io
    Unofficial guide: bitcoinelectrum.com

Bitzuma.com and that article is unofficial guide: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/. It was updated on Updated November 28th, 2017 (3 years ago) and Electrum wallet released its new version 4.0.4.

If you get technical troubles with Electrum wallet, you can create topic in Electrum board.

I see that the tutorial on bitzuma.com is still relevant even the Thomas Voegtlin Key ID (0x2bd5824b7f9470e6) is still the same as the one here: https://electrum.readthedocs.io/en/latest/gpg-check.html (6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6);
Just replace the sample Electrum installer and signature with the latest Electrum installer and signature.

By the way, the documents at electrum.readthedocs.io, especially, in this case, https://electrum.readthedocs.io/en/latest/gpg-check.html, are also old documents. If you click the Edit on GitHub link in the top right corner, you will find https://github.com/spesmilo/electrum-docs/blob/master/gpg-check.rst (Latest commit dc454e4 on Apr 11, 2019).

[odolvlobo]

-snip-
When I attempt to verify signature of the electrum dmg file, it says 'untrusted file' 'signature not to be trusted'

Ive tried many times, downloading the files form electrum.org, reinstalling thomas v's key in GPG, but always the same response when i try to verify.
-snip-

That's because you haven't changed the Owner trust Thomas Voegtlin setting on the GPG Keychain.
Here I try to provide a guide:
...
After import the key, double-click the Thomas Voegtlin key. In the Owner Trust column, select Full or Ultimate:

Set the trust to Full. Ultimate is only for your own keys. Full is for other keys that have been proven to you.

Trust level explanation: https://gpgtools.tenderapp.com/kb/faq/what-is-ownertrust-trust-levels-explained

[cr256]

Hi again.

I seem to have done it, thanks to everyone who helped.


From here: https://github.com/spesmilo/electrum-docs/blob/master/gpg-check.rst

Verify GPG signature

Run the following command from the same directory you saved the files replacing <electrum file> with the one actually downloaded:

gpg --verify <electrum file>.asc <electrum file>
The message should say:

Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
and

Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
You can ignore this:

WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
as it simply means you have not established a web of trust with other GPG users




I did as it said, using terminal, and the response was:



$ gpg --verify electrum-4.0.4.dmg.asc electrum-4.0.4.dmg
gpg: Signature made Fri 16 Oct 05:21:39 2020 AEDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.


So I take that as it is a trusted signature.

Thanks again. Hope this thread helps someone else having trouble.

[Husna QA]

Set the trust to Full. Ultimate is only for your own keys. Full is for other keys that have been proven to you.

Trust level explanation: https://gpgtools.tenderapp.com/kb/faq/what-is-ownertrust-trust-levels-explained

Thank you for the additional information; Previously, I also suggested another option to set Ownertrust to Full.
Even without changing the settings on Ownertrust, it doesn't matter as long as the Electrum Application matches the original signature of the Electrum developer (Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>).

You can ignore this:

Code:

WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

as it simply means you have not established a web of trust with other GPG users