Cannot verify GPG Electrum-4.1.5 No signatures found

[FibonacciTrader]

I installed GPG Keychain on macOS Big Sur, imported both Thomas Voegtlin's and SomberNight's public keys, and downloaded Electrum-4.1.5 along with ThomasV's and SomberNight's release keys into the Downloads folder. When I try to "Verify signature of file" for electrum-4.1.5.dmg, the error message says, "No signatures found." How to fix this?

[1715140818]

1715140818

[1715140818]

1715140818

[1715140818]

1715140818

[1715140818]

1715140818

[o_e_l_e_o]

and downloaded Electrum-4.1.5 along with ThomasV's and SomberNight's release keys into the Downloads folder.

You don't want to download their keys in to your downloads folder - you want to download the signatures they produced using their keys. The keys should be imported in to GPG Keychain, but it sounds like you've already achieved that step. Download the appropriate signature files (.asc files) from here - https://electrum.org/#download - and try again.

[BitcoinGirl.Club]

I installed GPG Keychain on macOS Big Sur, imported both Thomas Voegtlin's and SomberNight's public keys, and downloaded Electrum-4.1.5 along with ThomasV's and SomberNight's release keys into the Downloads folder. When I try to "Verify signature of file" for electrum-4.1.5.dmg, the error message says, "No signatures found." How to fix this?

Assuming all the files were in the same folder, did you create a key for yourself to verify against it? I am not a mac user so it's hard for me to understand how it works in mac machine. But in windows. You download Electrum, download the signature for the same version. Have them in the same directory. Then verify it against your own key.

[o_e_l_e_o]

You download Electrum, download the signature for the same version. Have them in the same directory. Then verify it against your own key.

No, you don't verify Electrum or its signatures against your own key. The only reason you would need to interact with your own key is if you wanted to sign ThomasV's or SomberNight's key with your own to tell your GPG software that these keys are trusted. This step is not necessary. If you don't do this step, then when you verify the Electrum download against ThomasV's or SomberNight's key using GPG Keychain, it will simply tell you "undefined trust", because your GPG software does not know if you trust ThomasV's key. It will still return a valid signature check.

[BitcoinGirl.Club]

No, you don't verify Electrum or its signatures against your own key. The only reason you would need to interact with your own key is if you wanted to sign ThomasV's or SomberNight's key with your own to tell your GPG software that these keys are trusted. This step is not necessary. If you don't do this step, then when you verify the Electrum download against ThomasV's or SomberNight's key using GPG Keychain, it will simply tell you "undefined trust", because your GPG software does not know if you trust ThomasV's key. It will still return a valid signature check.

That's exactly I wanted to express but somehow I wrote a totally different story. I should have been careful not to confuse the reader. Yes you are correct.

I download ThomasV's, add it in my trusted list and then do the rest.

[HCP]

How to fix this?

Have you tried followed the guide on Bitzuma that shows how to verify the Electrum binaries on MacOS: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/

I'm not a MacOS user, but the guide seems quite comprehensive and seems to cover all the steps.

[DireWolfM14]

I wonder if the OP is having trouble because of the new policy of providing signatures from multiple developers.  Just to reiterate the issue; the signature files' names differ from the binary file's name, which prevents GIU GPG applications (with default settings) from reading the binary file when one double-clicks on a signature file.  GUI applications expect the signature file's name to be the same as the binary file's name, with the addition of .asc extension.  

For example;

Binary file name: electrum-4.1.5.dmg
Signature file name: electrum-4.1.5.dmg.asc

Currently if you download the binary and the signature files you'll have the following file names:

The binary file name: electrum-4.1.5.dmg
ThomasV's signature file name: electrum-4.1.5.dmg.ThomasV.asc
SomberNight's signature file name: electrum-4.1.5.dmg.sombernight_releasekey.asc
Emzy's  signature file name: electrum-4.1.5.dmg.Emzy.asc

I recently learned a trick that makes it a lot easier to verify all the signatures at once.  All you have to do is save all the signatures in one text file, and save it with the typical naming standard, i.e. as in the example above; electrum-4.1.5.dmg.asc.

For example:

Code:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEZpTY3nvo7lYxvtlQK9WCS3+UcOYFAmD1wuMACgkQK9WCS3+U
cOZ8lg/8C4E2VrrneIJ0PvCaPvB7wj0hBg2Spfqsgr43vyeQm52KQSiQ/0TcQUls
7j7pu5rklVii+NRXEnHh9T9A4m9n2SEgw53n+wQrEuK8VQWerzfei8jQ5QR6XkEd
EGbsE5YT4FVvvHdyuo2gc92YSG81GwDXHlvGF91ipSLe4Jmg7vQ+w/ccPebvnA2Z
ccqff3iTw8TWJ8PVD+Lq7LHZPuZSZxGftihxZIfMoSWt1xH7oslIM7ygi2MVfDpi
BtfQF4diYyHBjMEE/g8BTnUfldTuP+ODmsNhw49W/QRTuiDWkb5j5HpLXhJ/+inA
vwwwbKaEqXM4L62/VSvIvC18gWXAR/CLV56ibw0nQgKvdWgsf+UAiVlvSk82QHoJ
RWvJG4IwI7jbEkA+LJ4yGCIZ7hTZ018Gp0i3uNjfY2+oe5GecgbyPTbdPTEU/a/v
UwM/gNX9BycbVMDYNeqWor10gTUrreKFLyYu8V3IsMxjMqPfWSgjGzln6it4UY8i
SSN/XTh/Ol4U+6TVgqDsbRwWOCyomLgltjWiv+osYKfF4xt99GWiPaN4H3NG+7et
BotndWrCibJqEFkGlml9ilJUYlBsbQuGHF0vhiJcYRZTumYJU0ABwbQQ/HboM2jT
7CDdNAheFpE+xz2F3JSeXrWBHnnYP3k/bVMJwSmSgrvxVRzPpfM=
=K00C
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEDu3P1cr7RZBnNJsjyp7uxD35EdwFAmD10G8ACgkQyp7uxD35
EdyZEA/9HI4bbfTDsRSRA4Q6PIq1SLuwtf/5eYkCAb9R13X0bcJa50Q8+je2v7JF
ZlAMJT9ueTKOpC043CLXmd8m+pD3qnIOHZXLbyIHmN6WEIHUbtp9ixLOlhMB6GXe
FfD8iVEDNIzyOr1TaiXnSTPatVdHJ3+pG2BPO3rbnwaeLod8FNrhrnUEfYs3ESI2
L36B5gnT5ua8Mj3SVAWGkNbioHt16w9txSjjmYGc0FQYMUsfCz5PmQyco+PUtHrL
1WuKuTQ5Vl765nZD68hPTeKyIE0OqI0htnqIyJ8ImEOFesXicqgQOQ16uhLCmwP4
Vdd/Fiz+dT+16FXnQCQsz13LDIM6U6ijJ79sqMeTdMn5ADX57Iur1B4GDXhTlCW/
halXPQQRWlOZF/SkzSd2R7M8A/JLn+1Orgqy/Fv5BAkeGnuMlkGY7LA6lUkETRYe
5klhtauC5CihKdP7leOKkM8QR5RIfbVJqUTGZaOstP8xGJTKXIkmpeUn++PvJVB0
+0X/G3gaf9J/jWMsLk/MjKIkjszOVz/KWOtfi+Mr4Zjuq9Ju+xQAK7XAtUxt5a5l
HMrX1kDCpsHIe9jg2WOUp6kh7AJAOStwYBAYQLAUz/y6pDjZgeg6bNSlMQM/bpMU
ZMWv+pMqE7YuapJJnu58ubhjj3qTfJU/pXLIUG5B3P/XT1vPOQo=
=gGIz
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEY32x4jNw+Er/iMzgMVI0fQfaYnwFAmD5aVUACgkQMVI0fQfa
YnxJZw//T3F6UwwhZsePQw822ACDUyeEuq5IcKF7m+9/4HlaG8TmUPDS5CXK0Jbl
SX5uyhdevYneCxf+uHQUwKTvaaOU6f07U+IgtyzXjbqZQ2YUNb/eRZLKq3auG9bO
cBG1dfoamNzrsvvLCQvFEYeieRik2Kg3mCGMCZuaaqtQT8zQv1aGRE63T0Dq5I9v
NWOvbFMsmF2XDSiOMesIP6yxgYlKJG+KJ/Mbj6h2ZJ3v9bE68XrjnrWmz75btQ67
qlHvcP7+RU8eQb1+Brk3yYdm9vGKyhrPBFJb8wmqcRfE5f+tAR2Fvdt+78pzygnu
Gj7ZW3tH6egpeweVcIWGMa1YumrecbW9RjgjPyGd6jrJGXtSrcO8URO8GQkMWYel
cu5sJEr6izVGJiouIN+Xszjc2NR2ar2ZfYiWknlN4KI7LdhlhDNGwGwREUeGNQvO
RRZRydLC+42KEIyPLBs9ZI7QP1zt5vvmhwTep9vH2sPCI7ehlkPTLzrEK9Yy/lbz
f7bkwhxB01wtJvJycdnmIz8OMMN0iK9AwZXOMsvFY320kLPgB8iO30AvrXvhO5L4
bFrr/M9G+pNJBd3pyx4G/dTkNUHj90yeKhyiIH37TPO1ERF7GihEyikyv44FXKAz
ZTOEKqEPrkO75dpfaIO2fKHkAQouBReVP1q7JLsKfc51lGdmOy8=
=3nnA
-----END PGP SIGNATURE-----

Now you can double-click the .asc file and your GPG app will verify all the signatures in the file:



Or, you can use the CLI to verify all signatures:

[o_e_l_e_o]

I recently learned a trick that makes it a lot easier to verify all the signatures at once.  All you have to do is save all the signatures in one text file, and save it with the typical naming standard, i.e. as in the example above; electrum-4.1.5.dmg.asc.

Now that is a neat trick. Didn't know that, always just verified the signatures one by one. Why don't the Electrum devs provide a single combined signature .asc file then, alongside the three individual ones?

What happens if my GPG software does not contain all the necessary keys? For example, if I had imported ThomasV's and SomberNight's key, but not Emzy's key, I presume it would just return two valid signatures and one unknown one?

[DireWolfM14]

Why don't the Electrum devs provide a single combined signature .asc file then, alongside the three individual ones?

I don't know, I was thinking of opening a pull request to ask for just that.  In fact, I got the idea from the Bitcoin Core development team, who also started issuing multiple signatures since the latest release.  They issued all the developer's signatures in one file.

What happens if my GPG software does not contain all the necessary keys? For example, if I had imported ThomasV's and SomberNight's key, but not Emzy's key, I presume it would just return two valid signatures and one unknown one?

Good question, I hadn't tried that so I decided to.  You're correct, it returns two good signatures, and one "unavailable certificate" error.  Here's what it looks like in Kleopatra:



And command line:

[FibonacciTrader]

Have you tried followed the guide on Bitzuma that shows how to verify the Electrum binaries on MacOS: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/

I'm not a MacOS user, but the guide seems quite comprehensive and seems to cover all the steps.

Yes, I followed the Bitzuma guide but encountered problems:
1) The Bitzuma guide doesn't say that the lookup key ID may not work due to key server failure sometimes. This happened to me, and I learned the hard way, after much additional time, how to download Thomas V's key file from https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc, import it into the GPG application, and verify the fingerprint.
2) The Bitzuma guide also does not account for the signature files with specific dev's names, as discussed in this thread. These .asc files are not recognized by GPG on macOS and must be renamed into a single file that matches the electrum .dmg file's name, with .asc appended, as @DireWolfM14 so clearly described. This worked to verify the valid signatures for the file.

I sent an email to Bitzuma with this feedback, which will hopefully be incorporated into the guide to save other users' time and headache.

Also great to know we can use CLI with the command 'gpg --verify electrum-4.1.5.dmg.asc'

Thank you, @DireWolfM14! And other folks for your input.

[HCP]

Yeah... this new method of having multiple .asc files has kinda broken pretty much all of the older guides for verifying Electrum

It certainly caused me a few moments of "WTF??!?" when I attempted to do my usual "download .exe, download .asc, right click and select 'verify'" method of verifying the Electrum downloads when the change first happened

Hopefully, they take onboard the idea to just put all the signatures into the one file like the Bitcoin Core team do.

[Coin-Keeper]

I meant to respond on this thread a couple of weeks ago but forgot until now.  Sometimes WE make things way more difficult than they need to be.  Lets say you are old school and only want to rely upon the original "big guy" Thomas' signature alone to verify your downloads.  This is an example and I am not slandering the "cred" of the other devs there.  Using Kleopatra we can still make this very easy.

I just did this again a few minutes ago to make sure nothing has changed in the process.  Download Electrum-4.15 and then Thomas' sig file to your desktop.  As noted in posts above this one you will get a sig file named:

electrum-4.1.5.dmg.ThomasV.asc

The mis-match file names (between download and sig) create an issue for Kleopatra.  Soooooooo easy to fix.  Just rename the sig file to:

electrum-4.1.5.dmg.asc

By simply backspacing .ThomasV off the filename you do NOT change the security of the verification that Kleopatra uses.

100% SECURE way to continue verifying with GPG and one sig file if that is your preference.

As a reminder it is critical that the download file name and sig file name MATCH, except for the .asc addition at the end of the sig file name.   EASY SOLUTION!!

[DireWolfM14]

~

You get the idea from a gpg perspective.  I do, however think it's more secure to check all the signatures available.  There is a chance that one key might get compromised, and the "big guy" makes the big target.  The odds of two getting compromised are quite remote, and three is nearly impossible.  The more the merrier.

[Pmalek]

As noted in posts above this one you will get a sig file named:

electrum-4.1.5.dmg.ThomasV.asc

The mis-match file names (between download and sig) create an issue for Kleopatra.  Soooooooo easy to fix.  Just rename the sig file to:

electrum-4.1.5.dmg.asc

That's how I do it as well. Unless you want to do what DireWolfM14 did by merging all signatures in one file, you can always verify them one by one by downloading each signature file and making sure the names are in the correct format before you start the verification process with Kleopatra.   

[gatsu100]

i use windows 10...how to resolve?

[o_e_l_e_o]

i use windows 10...how to resolve?

You need to import SomberNight's and Emzy's private keys in to Kleopatra. It is giving you a valid signature for their two keys but it does not know if the keys are correct because you haven't imported them like you have with ThomasV's key.

Grab their keys from here (https://github.com/spesmilo/electrum/tree/master/pubkeys) and import them in Kleopatra, then try again.

[gatsu100]

now i have this answer

[o_e_l_e_o]

now i have this answer

Congrats, you have successfully verified your Electrum download with all three keys. You can now safely install and start using it.

The reason it tells you that each key is not certified by you or anybody else is simply because although you have imported these keys in to Kleopatra, you have not yet told Kleopatra you trust these keys, and no one in your web of trust trusts them either. This warning can be safely ignored if you want, or you can now tell Kleopatra that these keys are trusted to remove this warning.

I can confirm that the three keys you have match the three keys I have, and they also match the three keys DireWolfM14 has shown in his screenshots higher up in this thread.

To do this on Kleopatra, you'll first need to create your own PGP key pair using File -> New Key Pair and following the instructions. Once you've done that, you can then right click on any of the three developer's keys and click Certify, and certify their key with your own key. Once you've certified all three keys, verify your Electrum download again and that warning will have disappeared.

[HCP]

now i have this answer
https://ibb.co/xzrCf2d
https://ibb.co/KGZ5jvp

If you click the blue "Mostra il registro di controllo" (show the audit log) link in your 2nd screen shot... you will see the "raw" output of the GPG log.

Here you will see that there are definitely "good signatures" ("buona firma")... something like this:

[gatsu100]

thanks guys now i feel safer