Electrum verification question/issue?

[bedlaminbelgium]

  Ok...So I downloaded electrum thru https://electrum.org/#home

  I also download the keys from github keys for thomasV as per the following thread https://bitcointalk.org/index.php?topic=5240594.0

  Also downloaded other keys assosciated on github with electrum. https://github.com/spesmilo/electrum/tree/master/pubkeys

  I ran Kleopatra and I get the following..see image below. Is this good enough? I am seeing something say 3 signatures cannot be verified

https://i.imgur.com/rA3jcYV.jpg

  

  

[nc50lc]

It's successfully verified; However, you haven't certified neither of the three keys.

To certify the keys: Open Kleopatra, right-click on Thomas Voegtlin's key, select "certify", tick all three checkboxes and the one below "I have verified the fingerprint".
Then click next and finish the rest of the steps. Do this to the other two keys.

[bedlaminbelgium]

It's successfully verified; However, you haven't certified neither of the three keys.

To certify the keys: Open Kleopatra, right-click on Thomas Voegtlin's key, select "certify", tick all three checkboxes and the one below "I have verified the fingerprint".
Then click next and finish the rest of the steps. Do this to the other two keys.

 Thats it?  Awesone!  What exaclty happens when I certifiy? It is confirming these keys are legit?  Thankyou!

[hosseinimr93]

Thats it?  Awesone!  What exaclty happens when I certifiy? It is confirming these keys are legit?  Thankyou!

Electrum is an open-source wallet and the source code is available to anyone.
Scammers can easily change the source code and make a fake version which looks like the original version.
With verifying the signature, you actually verify that you have downloaded the original version of eletrum.
Note that even if you are sure that you have downloaded electrum from its official website, you still need to verify the signature. Because, there is no guarantee that the website hasn't been hacked

[BlackHatCoiner]

Thats it?  Awesone!  What exaclty happens when I certifiy? It is confirming these keys are legit?  Thankyou!

When you certify a key you essentially inform the program that you trust the signer. This isn't necessary, but it can be used in the future if you want to re-verify the new Electrum versions.

Unfortunately, someone who just wants to verify the authenticity of their wallet software must be familiar with things they don't even understand. That's a drawback of Kleopatra.

[bedlaminbelgium]

Thats it?  Awesone!  What exaclty happens when I certifiy? It is confirming these keys are legit?  Thankyou!

When you certify a key you essentially inform the program that you trust the signer. This isn't necessary, but it can be used in the future if you want to re-verify the new Electrum versions.

Unfortunately, someone who just wants to verify the authenticity of their wallet software must be familiar with things they don't even understand. That's a drawback of Kleopatra.

   That is true and thankyou. Is there any other way besides Kleopatra? An easier way to verify?

  I mean if I download the software thru the electrum website, shouldnt that be enough or is there a chance it couldve been compromised?

[BlackHatCoiner]

I mean if I download the software thru the electrum website, shouldnt that be enough or is there a chance it couldve been compromised?

The reason why you're verifying the signature has been written above, by hosseinimr93.

A hacker can have compromised the website for a while and insert their own, malicious version of Electrum, right before you visit it. The developers can't guarantee you that the site won't be compromised, but by providing a PGP signature, they guarantee that whoever verifies the binaries won't be victimized. A hacker would need to compromise both electrum.org and github.com at the same time to succeed.

That is true and thankyou. Is there any other way besides Kleopatra? An easier way to verify?

You don't want to mess with the command line, so just stick with Kleopatra. Besides, you now know how to do it.

[bedlaminbelgium]

I mean if I download the software thru the electrum website, shouldnt that be enough or is there a chance it couldve been compromised?

The reason why you're verifying the signature has been written above, by hosseinimr93.

A hacker can have compromised the website for a while and insert their own, malicious version of Electrum, right before you visit it. The developers can't guarantee you that the site won't be compromised, but by providing a PGP signature, they guarantee that whoever verifies the binaries won't be victimized. A hacker would need to compromise both electrum.org and github.com at the same time to succeed.

That is true and thankyou. Is there any other way besides Kleopatra? An easier way to verify?

You don't want to mess with the command line, so just stick with Kleopatra. Besides, you now know how to do it.

   Yeah...I didnt see hosseinimr93 response. So true.

    Not sure what command line you are referring to? I was asking if there was another program like Kleopatra but easier


     Regardless, your right. I now know...thanks all for the help. Stay Hodling!  

[khaled0111]

Not sure what command line you are referring to? I was asking if there was another program like Kleopatra but easier

Kleopatra can be used either from the graphical user interface or from the command line interface. Using the command line is a bit harder and require more experience so better use the GUI.
To answer your second question, yes there are many other PGP software but Kleopatra is, imo, the easiest to use thanks to its user-friendly graphical interface.

[nc50lc]

It's successfully verified; However, you haven't certified neither of the three keys.

Thats it?  Awesone!  What exaclty happens when I certifiy? It is confirming these keys are legit?  Thankyou!

Aside from Blackhatcoiner's reply, it's also useful in case you imported a fake key and successfully verified a fake electrum with a signature of it.
If you've certified only the real keys, the real Electrum will show that it has "valid signatures" instead of what you've seen "the data could not be verified".

I haven't mentioned but, before certifying a certificate, it's very important to look for some legitimate source where you can verify the fingerprint.
For example: ThomasV's certificate that I've imported has a fingerprint 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 which is
the same as the one in the official documentary: https://electrum.readthedocs.io/en/latest/gpg-check.html and from various users' replies.
But better if you can verify it from the person himself: https://github.com/ecdsa