Bitcoin Forum
Author Topic: How do you check fingerprint?  (Read 106 times)
9thsky
Member
**
Offline Offline

Activity: 128
Merit: 35


View Profile
November 10, 2020, 05:25:41 AM
Last edit: November 10, 2020, 06:24:17 AM by 9thsky
Merited by ETFbitcoin (2), o_e_l_e_o (2), Heisenberg_Hunter (1)
 #1

First of all, let me just say what an absolutely lousy so-called tutorial Electrum has on verifying signatures. It's already difficult enough for the average person understanding and owning bitcoin and these guys don't make it any better with their one paragraph, horribly written "guide".

It says "When you import a key, you should check its fingerprint using independent sources, such has here or use the Web of Trust." The "here" links you to a 2-hour-long seminar on YouTube and the "web of trust" is a Wikipedia link. Like really??? Can you be any lazier???

I had to search for over an hour on Google until I found a proper guide, which was here. But now that last sentence in their 3-sentence-guide threw a wrench into the works.

*How* do you check the fingerprint using independent sources?
I'm using Linux.

>This< is what I've done so far. What are the steps of what I should do next?
Thanks all!
pooya87
Legendary
*
Online Online

Activity: 2282
Merit: 3602


Remember tonight for it's the beginning of forever


View Profile
November 10, 2020, 05:43:39 AM
 #2

you can just read the first 2 paragraphs on the Wikipedia page on Web of Trust (https://en.wikipedia.org/wiki/Web_of_trust) to learn what it means. essentially it comes down to you NOT just opening the wallet website and getting the public key from there (Electrum or any other software), which would be the same place you downloaded the binaries from.
you can already check that the pubkey hash is already posted in multiple places and is 0x6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 (e.g. on electrum docs). you can also check the Electrum GitHub repository to get the same public key (https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc).
also if you have a friend whom you trust and have their PGP pubkey you can ask them to sign Electrum's pubkey with their key and send you the signature so that you can verify if you have the correct Electrum PGP pubkey.

9thsky
Member
**
Offline Offline

Activity: 128
Merit: 35


View Profile
November 10, 2020, 06:00:24 AM
 #3

you can just read the first 2 paragraphs on the Wikipedia page on Web of Trust (https://en.wikipedia.org/wiki/Web_of_trust) to learn what it means. essentially it comes down to you NOT just opening the wallet website and getting the public key from there (Electrum or any other software), which would be the same place you downloaded the binaries from.
you can already check that the pubkey hash is already posted in multiple places and is 0x6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 (e.g. on electrum docs). you can also check the Electrum GitHub repository to get the same public key (https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc).
also if you have a friend whom you trust and have their PGP pubkey you can ask them to sign Electrum's pubkey with their key and send you the signature so that you can verify if you have the correct Electrum PGP pubkey.

See, that's where the problem lies. You're talking to me from a frame of someone who knows about this stuff and thus unintentionally assume I know what 1) pubkey 2) PGP 3) all the other stuff means. 😔
HCP
Legendary
*
Offline Offline

Activity: 1624
Merit: 3342

<insert witty quote here>


View Profile
November 10, 2020, 06:43:16 AM
Merited by ETFbitcoin (1)
 #4

You can also have a read of the guide here: https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

It includes a link to proof of the key fingerprint (as shown in a YouTube video of a slideshow presentation by ThomasV)

So, unless we're all part of a giant conspiracy to defraud the world, you can be fairly assured that ThomasV's PGP public key fingerprint is:
Code:
6694D8DE7BE8EE5631BED9502BD5824B7F9470E6


>This< is what I've done so far. What are the steps of what I should do next?
If you did all that, and got the "green message" in Kleopatra or the "Good Signature" message from GPG when verifying the Electrum download, and you can see the fingerprint shown is either:
Code: (full fingerprint)
6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
or
Code: (short fingerprint)
2BD5824B7F9470E6

Then you're good to go... and can be assured that the digital signature on the Electrum binary/installer that you downloaded is "OK" :)

o_e_l_e_o
Legendary
*
Offline Offline

Activity: 1218
Merit: 5791


Wear a mask, slow the spread


View Profile
November 10, 2020, 11:38:20 AM
Merited by pooya87 (1), ETFbitcoin (1)
 #5

See, that's where the problem lies. You're talking to me from a frame of someone who knows about this stuff and thus unintentionally assume I know what 1) pubkey 2) PGP 3) all the other stuff means. 😔
PGP stands for Pretty Good Privacy. It is a system for encrypting and authenticating data.

With PGP, individual users can create key pairs - a private key and a public key. The combination of a private key and some data allows a user to create a signature unique to that data. The combination of that data, the signature, and the original user's public key, allows other users to verify that the signature was created by the owner of the private key.

When the latest version of Electrum is released, the lead developer ThomasV can use his private key to sign it and produce a signature. You, as the end user, then download Electrum and the signature file, and by using his public key can confirm that it was indeed him who signed it.

It is important, therefore, to ensure you are using his real public key, so you know it was definitely him (and not some malicious third party) who produced the wallet software and signature file.

A fingerprint is simply a short string of characters which is unique to a much longer public key, just like a real life fingerprint is a small object which is unique to a much larger object (a person).

Here is another link to ThomasV's PGP key: http://keys.gnupg.net/pks/lookup?op=vindex&fingerprint=on&search=0x2BD5824B7F9470E6

You'll see the same fingerprint at the top of the page as both pooya87 and HCP have quoted. If you click on the hyperlink above the fingerprint, it will take you to the full PGP public key.

9thsky
Member
**
Offline Offline

Activity: 128
Merit: 35


View Profile
November 10, 2020, 03:47:04 PM
 #6

you can...snip

You can also...snip


This is a video of what I've done. And
this is what I'd like to know how to do.
o_e_l_e_o
Legendary
*
Offline Offline

Activity: 1218
Merit: 5791


Wear a mask, slow the spread


View Profile
November 10, 2020, 04:09:40 PM
Merited by ETFbitcoin (1), 9thsky (1)
 #7

So what you have done in that video is correct. The Electrum file you download has been correctly signed with the key 6694 D8DE ... 70E6 belonging to Thomas Voegtlin. You have already checked the fingerprint using independent sources, as the key you have imported matches the key that has been provided in this thread and on various links in this thread from multiple independent sources. That copy of Electrum you have downloaded is safe to install and run.

The reason that it says "This key is not certified with a trusted signature!" is because you haven't signed that you trust that key. You can do this using gpg --edit-key and then the command trust. You can read more about this process here: https://www.gnupg.org/gph/en/manual/x334.html. The web of trust would simply be that, rather than you signing ThomasV's key directly, you would sign my key (for example) to say you trust me, and since I have signed ThomasV's key you would therefore indirectly trust ThomasV's key.
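
The check discussed in this thread, as an added example that is not part of any post above: compare the fingerprint gpg reports against one obtained elsewhere, then confirm the signature came from that key, using gpg's machine-readable output. It assumes GnuPG 2.2 or later for `--show-keys`; the function names and the sample data are constructed for illustration, and only the fingerprint comes from the thread.

```shell
#!/bin/sh
# Fingerprint quoted in this thread for ThomasV's key.
EXPECTED_FPR=6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

# Normalise a pasted fingerprint: drop whitespace and a leading 0x, uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Primary-key fingerprint from a colon-format key listing on stdin: field 10
# of the first "fpr" record (later fpr records belong to subkeys).
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeeds if a VALIDSIG status line on stdin names the wanted key. The last
# field is the primary-key fingerprint, so a subkey signature still matches.
# Only VALIDSIG is inspected; expiry and revocation lines are not.
has_validsig_from() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '$2 == "VALIDSIG" && ($NF == want || $3 == want) { ok = 1 }
        END { exit !ok }'
}

# Constructed sample shaped like `gpg --show-keys --with-colons` output.
sample_colons() {
cat <<'EOF'
pub:-:4096:1:2BD5824B7F9470E6:1300000000:::-:::scESC:
fpr:::::::::6694D8DE7BE8EE5631BED9502BD5824B7F9470E6:
sub:-:4096:1:1111111111111111:1300000000::::::e:
fpr:::::::::1111111111111111111111111111111111111111:
EOF
}

# Constructed sample shaped like `gpg --status-fd 1 --verify` output for a
# file with two signers, one of whose keys is not in the keyring.
sample_status() {
cat <<'EOF'
[GNUPG:] NO_PUBKEY 1111111111111111
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2020-10-15 1600000000 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
EOF
}

# The check against real files: $1 = key file, $2 = signature, $3 = download.
verify_download() {
    got=$(gpg --show-keys --with-colons "$1" | primary_fpr_from_colons)
    [ "$got" = "$EXPECTED_FPR" ] || { echo "fingerprint mismatch: $got" >&2; return 1; }
    gpg --import "$1" || return 1
    gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null | has_validsig_from "$EXPECTED_FPR"
}
```

The value of `EXPECTED_FPR` should be copied from a source other than the site that served the download, which is the point of the "independent sources" advice.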
