FibonacciTrader (OP)
I installed GPG Keychain on macOS Big Sur, imported both Thomas Voegtlin's and SomberNight's public keys, and downloaded Electrum-4.1.5 along with ThomasV's and SomberNight's release keys into the Downloads folder. When I try to "Verify signature of file" for electrum-4.1.5.dmg, the error message says, "No signatures found." How to fix this?

o_e_l_e_o
October 24, 2021, 07:37:37 AM
and downloaded Electrum-4.1.5 along with ThomasV's and SomberNight's release keys into the Downloads folder.
You don't want to download their keys into your downloads folder - you want to download the signatures they produced using their keys. The keys should be imported into GPG Keychain, but it sounds like you've already achieved that step. Download the appropriate signature files (.asc files) from here - https://electrum.org/#download - and try again.

BitcoinGirl.Club
October 24, 2021, 10:13:36 AM
I installed GPG Keychain on macOS Big Sur, imported both Thomas Voegtlin's and SomberNight's public keys, and downloaded Electrum-4.1.5 along with ThomasV's and SomberNight's release keys into the Downloads folder. When I try to "Verify signature of file" for electrum-4.1.5.dmg, the error message says, "No signatures found." How to fix this?
Assuming all the files were in the same folder, did you create a key for yourself to verify against it? I am not a Mac user so it's hard for me to understand how it works on a Mac machine. But in Windows, you download Electrum, download the signature for the same version. Have them in the same directory. Then verify it against your own key.

o_e_l_e_o
October 24, 2021, 11:32:36 AM
You download Electrum, download the signature for the same version. Have them in the same directory. Then verify it against your own key.
No, you don't verify Electrum or its signatures against your own key. The only reason you would need to interact with your own key is if you wanted to sign ThomasV's or SomberNight's key with your own to tell your GPG software that these keys are trusted. This step is not necessary. If you don't do this step, then when you verify the Electrum download against ThomasV's or SomberNight's key using GPG Keychain, it will simply tell you "undefined trust", because your GPG software does not know if you trust ThomasV's key. It will still return a valid signature check.

BitcoinGirl.Club
October 24, 2021, 07:22:02 PM
No, you don't verify Electrum or its signatures against your own key. The only reason you would need to interact with your own key is if you wanted to sign ThomasV's or SomberNight's key with your own to tell your GPG software that these keys are trusted. This step is not necessary. If you don't do this step, then when you verify the Electrum download against ThomasV's or SomberNight's key using GPG Keychain, it will simply tell you "undefined trust", because your GPG software does not know if you trust ThomasV's key. It will still return a valid signature check.
That's exactly what I wanted to express but somehow I wrote a totally different story. I should have been careful not to confuse the reader. Yes, you are correct. I download ThomasV's, add it in my trusted list and then do the rest.

HCP
October 30, 2021, 05:54:26 AM
How to fix this?
Have you tried following the guide on Bitzuma that shows how to verify the Electrum binaries on MacOS: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/ I'm not a MacOS user, but the guide seems quite comprehensive and seems to cover all the steps.

DireWolfM14
October 30, 2021, 02:08:27 PM Last edit: November 20, 2021, 04:34:47 PM by DireWolfM14
I wonder if the OP is having trouble because of the new policy of providing signatures from multiple developers. Just to reiterate the issue: the signature files' names differ from the binary file's name, which prevents GUI GPG applications (with default settings) from reading the binary file when one double-clicks on a signature file. GUI applications expect the signature file's name to be the same as the binary file's name, with the addition of the .asc extension. For example:
Binary file name: electrum-4.1.5.dmg
Signature file name: electrum-4.1.5.dmg.asc
Currently if you download the binary and the signature files you'll have the following file names:
The binary file name: electrum-4.1.5.dmg
ThomasV's signature file name: electrum-4.1.5.dmg.ThomasV.asc
SomberNight's signature file name: electrum-4.1.5.dmg.sombernight_releasekey.asc
Emzy's signature file name: electrum-4.1.5.dmg.Emzy.asc
I recently learned a trick that makes it a lot easier to verify all the signatures at once. All you have to do is save all the signatures in one text file, and save it with the typical naming standard, i.e. as in the example above; electrum-4.1.5.dmg.asc. For example:
Now you can double-click the .asc file and your GPG app will verify all the signatures in the file:
Or, you can use the CLI to verify all signatures:

o_e_l_e_o
October 30, 2021, 05:38:34 PM
I recently learned a trick that makes it a lot easier to verify all the signatures at once. All you have to do is save all the signatures in one text file, and save it with the typical naming standard, i.e. as in the example above; electrum-4.1.5.dmg.asc.
Now that is a neat trick. Didn't know that, always just verified the signatures one by one. Why don't the Electrum devs provide a single combined signature .asc file then, alongside the three individual ones? What happens if my GPG software does not contain all the necessary keys? For example, if I had imported ThomasV's and SomberNight's key, but not Emzy's key, I presume it would just return two valid signatures and one unknown one?

DireWolfM14
October 30, 2021, 05:56:03 PM
Why don't the Electrum devs provide a single combined signature .asc file then, alongside the three individual ones?
I don't know, I was thinking of opening a pull request to ask for just that. In fact, I got the idea from the Bitcoin Core development team, who also started issuing multiple signatures since the latest release. They issued all the developers' signatures in one file.
What happens if my GPG software does not contain all the necessary keys? For example, if I had imported ThomasV's and SomberNight's key, but not Emzy's key, I presume it would just return two valid signatures and one unknown one?
Good question, I hadn't tried that so I decided to. You're correct, it returns two good signatures, and one "unavailable certificate" error. Here's what it looks like in Kleopatra: And command line:
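
The combined-file check and the missing-key case discussed in the posts above can also be scripted. This is an added example, not part of the original thread or of Electrum's own tooling: it builds the combined .asc as described and counts distinct pinned keys that gave a valid signature, so a missing key or one signature pasted in twice cannot inflate the result. The function names and the fingerprints are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example: count how many *distinct pinned* keys produced a valid
# signature in a combined .asc file, using gpg's machine-readable status lines.

# Constructed placeholder fingerprints; NOT the real Electrum developer keys.
# Replace with fingerprints you checked yourself after importing each key.
FPR_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FPR_B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
FPR_C=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

# stdin: output of `gpg --status-fd 1 --verify ...`; args: pinned fingerprints.
# Prints the number of distinct pinned keys with a VALIDSIG line and returns
# non-zero if any signature in the file was reported as BADSIG.
count_pinned_valid() {
    awk -v pinned="$*" '
        BEGIN { n = split(toupper(pinned), p, " ")
                for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "[GNUPG:]" && $2 == "BADSIG" { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # $3 is the signing (sub)key, the last field the primary key.
            if ($NF in want)      seen[$NF] = 1
            else if ($3 in want)  seen[$3] = 1
        }
        END { c = 0; for (k in seen) c++; print c; exit bad + 0 }'
}

# Build <binary>.asc from the per-developer files, verify, require >= $2 keys.
verify_release() {
    bin=$1; need=$2; shift 2
    cat "$bin".*.asc > "$bin.asc" || return 2
    got=$(gpg --status-fd 1 --verify "$bin.asc" "$bin" 2>/dev/null |
          count_pinned_valid "$@") || return 1
    echo "$got of $# pinned keys gave a valid signature"
    [ "$got" -ge "$need" ]
}

# Constructed status output: key A signs twice, key B once, key C is not in
# the keyring (the "two good, one unavailable" case from the thread).
constructed_status() {
    cat <<EOF
[GNUPG:] VALIDSIG $FPR_A 2021-07-19 1626718947 0 4 0 1 10 00 $FPR_A
[GNUPG:] VALIDSIG $FPR_A 2021-07-19 1626718947 0 4 0 1 10 00 $FPR_A
[GNUPG:] VALIDSIG $FPR_B 2021-07-19 1626722415 0 4 0 1 10 00 $FPR_B
[GNUPG:] NO_PUBKEY CCCCCCCCCCCCCCCC
EOF
}

# Usage: sh verify.sh electrum-4.1.5.dmg 3 <fpr1> <fpr2> <fpr3>
if [ "$#" -ge 3 ]; then verify_release "$@"; fi
```

Run with no arguments the script only defines the functions; with a binary name, a required count and the pinned fingerprints it exits non-zero unless enough distinct pinned keys signed the file.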

FibonacciTrader (OP)
October 30, 2021, 09:13:41 PM Last edit: October 30, 2021, 09:24:34 PM by FibonacciTrader
Yes, I followed the Bitzuma guide but encountered problems:
1) The Bitzuma guide doesn't say that the lookup key ID may not work due to key server failure sometimes. This happened to me, and I learned the hard way, after much additional time, how to download Thomas V's key file from https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc, import it into the GPG application, and verify the fingerprint.
2) The Bitzuma guide also does not account for the signature files with specific dev's names, as discussed in this thread. These .asc files are not recognized by GPG on macOS and must be renamed into a single file that matches the electrum .dmg file's name, with .asc appended, as @DireWolfM14 so clearly described. This worked to verify the valid signatures for the file.
I sent an email to Bitzuma with this feedback, which will hopefully be incorporated into the guide to save other users' time and headache.
Also great to know we can use CLI with the command 'gpg --verify electrum-4.1.5.dmg.asc'
Thank you, @DireWolfM14! And other folks for your input.

HCP
October 30, 2021, 09:24:34 PM
Yeah... this new method of having multiple .asc files has kinda broken pretty much all of the older guides for verifying Electrum. It certainly caused me a few moments of "WTF??!?" when I attempted to do my usual "download .exe, download .asc, right click and select 'verify'" method of verifying the Electrum downloads when the change first happened. Hopefully, they take onboard the idea to just put all the signatures into the one file like the Bitcoin Core team do.

Coin-Keeper
I meant to respond on this thread a couple of weeks ago but forgot until now. Sometimes WE make things way more difficult than they need to be. Let's say you are old school and only want to rely upon the original "big guy" Thomas' signature alone to verify your downloads. This is an example and I am not slandering the "cred" of the other devs there. Using Kleopatra we can still make this very easy.
I just did this again a few minutes ago to make sure nothing has changed in the process. Download Electrum-4.1.5 and then Thomas' sig file to your desktop. As noted in posts above this one you will get a sig file named:
electrum-4.1.5.dmg.ThomasV.asc
The mis-match file names (between download and sig) create an issue for Kleopatra. Soooooooo easy to fix. Just rename the sig file to:
electrum-4.1.5.dmg.asc
By simply backspacing .ThomasV off the filename you do NOT change the security of the verification that Kleopatra uses.
100% SECURE way to continue verifying with GPG and one sig file if that is your preference.
As a reminder it is critical that the download file name and sig file name MATCH, except for the .asc addition at the end of the sig file name. EASY SOLUTION!!

DireWolfM14
November 17, 2021, 02:20:34 AM
~
You get the idea from a gpg perspective. I do, however, think it's more secure to check all the signatures available. There is a chance that one key might get compromised, and the "big guy" makes the big target. The odds of two getting compromised are quite remote, and three is nearly impossible. The more the merrier.

Pmalek
November 17, 2021, 10:02:27 AM
As noted in posts above this one you will get a sig file named:
electrum-4.1.5.dmg.ThomasV.asc
The mis-match file names (between download and sig) create an issue for Kleopatra. Soooooooo easy to fix. Just rename the sig file to:
electrum-4.1.5.dmg.asc
That's how I do it as well. Unless you want to do what DireWolfM14 did by merging all signatures in one file, you can always verify them one by one by downloading each signature file and making sure the names are in the correct format before you start the verification process with Kleopatra.

gatsu100
November 17, 2021, 12:34:58 PM
I use Windows 10... how to resolve?

o_e_l_e_o
November 17, 2021, 01:56:24 PM
I use Windows 10... how to resolve?
You need to import SomberNight's and Emzy's private keys into Kleopatra. It is giving you a valid signature for their two keys but it does not know if the keys are correct because you haven't imported them like you have with ThomasV's key. Grab their keys from here (https://github.com/spesmilo/electrum/tree/master/pubkeys) and import them in Kleopatra, then try again.

gatsu100
November 17, 2021, 05:52:42 PM
Now I have this answer

o_e_l_e_o
November 17, 2021, 08:22:12 PM
Now I have this answer
Congrats, you have successfully verified your Electrum download with all three keys. You can now safely install and start using it. The reason it tells you that each key is not certified by you or anybody else is simply because although you have imported these keys into Kleopatra, you have not yet told Kleopatra you trust these keys, and no one in your web of trust trusts them either. This warning can be safely ignored if you want, or you can now tell Kleopatra that these keys are trusted to remove this warning. I can confirm that the three keys you have match the three keys I have, and they also match the three keys DireWolfM14 has shown in his screenshots higher up in this thread.
To do this on Kleopatra, you'll first need to create your own PGP key pair using File -> New Key Pair and following the instructions. Once you've done that, you can then right click on any of the three developers' keys and click Certify, and certify their key with your own key. Once you've certified all three keys, verify your Electrum download again and that warning will have disappeared.

HCP
November 18, 2021, 06:52:03 AM Last edit: November 14, 2023, 11:35:26 PM by HCP
If you click the blue "Mostra il registro di controllo" (show the audit log) link in your 2nd screen shot... you will see the "raw" output of the GPG log. Here you will see that there are definitely "good signatures" ("buona firma")... something like this:

gatsu100
November 18, 2021, 09:29:52 AM
Thanks guys, now I feel safer