Problem verifying electrum

[highfarmer]

I am on mac and I am trying to verifying Electrum, but without any success unfortunately.

I have downloaded and installed the gpg suite. I have added Thomas Voegtlin to the "collection" and I have also been downloaded the .dmg (program itself) and the .asc-file (the code from the site).

First I opened the .asc-file and a messages comes up withing the gpg-program stating that "the signature does not match this message. You should not trust this message, because it was manipulated..."

When I then right click on the .dmd-file and choose "services" > "OpenPGP: Verify Signature of File" it just says "no signatures found".

What am I doing wrong here? 

[nc50lc]

Where did you downloaded electrum?

The name of asc file should be the same as the dmg file including the extension except it has ".asc" as 'the' extension.
Example: the files should be named as electrum-4.0.9.dmg and electrum-4.0.9.dmg.asc, and should be in the same directory/folder.

Anyways, you can review this Guide by DireWolfM14:

• [GUIDE] How to Safely Download and Verify Electrum [Guide] - Install on Mac
• [GUIDE] How to Safely Download and Verify Electrum [Guide] - Import on Mac
• [GUIDE] How to Safely Download and Verify Electrum [Guide] - Verify on Mac

[Maus0728]

When I then right click on the .dmd-file and choose "services" > "OpenPGP: Verify Signature of File" it just says "no signatures found".

I think you forgot to import the developer's PGP public key that can be found on the [1] https://electrum.org/#download. Without it, you cannot verify the signature of your electrum.

[1] https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
Alternatively, you can also follow the guide for MAC.

[2] https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/

[ranochigo]

I think you forgot to import the developer's PGP public key that can be found on the [1] https://electrum.org/#download. Without it, you cannot verify the signature of your electrum.

[1] https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc

The signature isn't verified, OP has imported the public key before. It should still show the RSA key without knowledge of the PGP key, instead of a signature mismatch.

As said, changing the file extension to something other than .asc can make it unusable for validation. Make sure that the file name of your .asc matches your .dmg as well.

[highfarmer]

Thank you for the answers!

It seemed that the name of the electrum itself and the asc-file was not the same since I had downloaded a couple of dubplates and since them the name was slightly change. But when I renamed them to the name "electrum-4.0.9.dmg" and "electrum-4.0.9.dmg.asc" and right-click on the dmd itself and "services" > "OpenPGP: Verify Signature of File" it says the following:

Thomas Voegtlin <thomasv@electrum.org>
6694 D8DE 8BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

The signature of this message is valid but utrusted. That means it has not been tampered with. It is untrusted though, because the key has not yet been verified.


So, is this enough? Should I do something more before I can fully trust this is a legit version?

[ranochigo]

The signature of this message is valid but utrusted. That means it has not been tampered with. It is untrusted though, because the key has not yet been verified.

Yeah, you'll have to certify it somehow. Not a problem though.

So, is this enough? Should I do something more before I can fully trust this is a legit version?

Unless the PGP key has been compromised, which is quite unlikely, you can trust that this was signed by ThomasV. The fingerprint that I've imported matches yours, 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6. If you trust that the public key is accurate, then you've downloaded the legit version.

[nc50lc]

The signature of this message is valid but utrusted. That means it has not been tampered with. It is untrusted though, because the key has not yet been verified.

You must have set the "trust level" or "owner trust" to a lower value or default, it needs a higher trust level to remove that warning.
The info on how to set it is in the second link to DireWolfM14's post I've provided in my previous post (the last step for "Import on Mac OS").