gpg signature verification on web site https://electrum.org/#download is giving "Bad signature" #7394
Comments
|
Could you share what commands you are running and their output? See e.g. https://electrum.readthedocs.io/en/latest/gpg-check.html |
|
I downloaded the appimage for linux along with signature Thomasv into same
folder and then right click on the ThomasV.asc and clicked verify with
signature on the signature file. It returns 'Bad Signature".
I am following the procedure as per shown in youtube video
https://www.youtube.com/watch?v=ZYpi4A20_lQ&t=216s
and
documentation at
https://blog.thestever.net/2019/02/26/upgrading-electrum-on-tails-to-3-3-4/.
Please let me if my process is not correct and if you have any YT video on
latest process. Thanks.
…On Tue, Jul 6, 2021 at 2:00 PM ghost43 ***@***.***> wrote:
Could you share what commands you are running and their output?
See e.g. https://electrum.readthedocs.io/en/latest/gpg-check.html
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#7394 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AQL6GZL5D4SRCBY4BGAEFETTWNAELANCNFSM4746Y4NQ>
.
|
|
What is the full name of the appimage file and the signature files you downloaded? I suspect you might be mixing up the GPG key file and the signature file. |
|
This is the link I downloaded from
https://electrum.org/#download
Linux - Appimage + signatures ThomasV & SomberNight.
…On Tue, Jul 6, 2021 at 3:00 PM ghost43 ***@***.***> wrote:
What is the full name of the appimage file and the signature files you
downloaded?
Do you have the full URLs where you have downloaded them from?
I suspect you might be mixing up the GPG key file and the signature file.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#7394 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AQL6GZKMEFFDRPBSBDSLYR3TWNHDVANCNFSM4746Y4NQ>
.
|
|
I am attaching text file copy of ThomasV signatures provided in the
electrum web site. You can see that both signatures are different thought
both of them states ThomasV signatures.
…On Tue, Jul 6, 2021 at 4:46 PM Adrian Vic ***@***.***> wrote:
This is the link I downloaded from
https://electrum.org/#download
Linux - Appimage + signatures ThomasV & SomberNight.
On Tue, Jul 6, 2021 at 3:00 PM ghost43 ***@***.***> wrote:
> What is the full name of the appimage file and the signature files you
> downloaded?
> Do you have the full URLs where you have downloaded them from?
>
> I suspect you might be mixing up the GPG key file and the signature file.
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#7394 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AQL6GZKMEFFDRPBSBDSLYR3TWNHDVANCNFSM4746Y4NQ>
> .
>
|
|
email attachments do not work in github comments.
A GPG key can sign a message (file) which results in a signature. |
|
I agree what you state. But verification was giving me "Bad Signature'
status.
…On Tue, Jul 6, 2021 at 4:56 PM ghost43 ***@***.***> wrote:
email attachments do not work in github comments.
I am attaching text file copy of ThomasV signatures provided in the
electrum web site. You can see that both signatures are different thought
both of them states ThomasV signatures.
A GPG key can sign a message (file) which results in a signature.
Each file neccessarily have a different signature corresponding to it, for
a given key.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#7394 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AQL6GZI7PG6U2AHGNUNJ5LTTWNUXDANCNFSM4746Y4NQ>
.
|
|
I tried again. The result is "electrum-4.1.4-x86_64.Appimage:Unknown
Signature - Signing key not in keying."
…On Tue, Jul 6, 2021 at 4:58 PM Adrian Vic ***@***.***> wrote:
I agree what you state. But verification was giving me "Bad Signature'
status.
On Tue, Jul 6, 2021 at 4:56 PM ghost43 ***@***.***> wrote:
> email attachments do not work in github comments.
>
> I am attaching text file copy of ThomasV signatures provided in the
> electrum web site. You can see that both signatures are different thought
> both of them states ThomasV signatures.
>
> A GPG key can sign a message (file) which results in a signature.
> Each file neccessarily have a different signature corresponding to it,
> for a given key.
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#7394 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AQL6GZI7PG6U2AHGNUNJ5LTTWNUXDANCNFSM4746Y4NQ>
> .
>
|
|
Another status showing is "ThomasV.asc: Bad Signature- Bad or forged
signature. The signed data was modified."
…On Tue, Jul 6, 2021 at 5:21 PM Adrian Vic ***@***.***> wrote:
I tried again. The result is "electrum-4.1.4-x86_64.Appimage:Unknown
Signature - Signing key not in keying."
On Tue, Jul 6, 2021 at 4:58 PM Adrian Vic ***@***.***> wrote:
> I agree what you state. But verification was giving me "Bad Signature'
> status.
>
> On Tue, Jul 6, 2021 at 4:56 PM ghost43 ***@***.***> wrote:
>
>> email attachments do not work in github comments.
>>
>> I am attaching text file copy of ThomasV signatures provided in the
>> electrum web site. You can see that both signatures are different thought
>> both of them states ThomasV signatures.
>>
>> A GPG key can sign a message (file) which results in a signature.
>> Each file neccessarily have a different signature corresponding to it,
>> for a given key.
>>
>> —
>> You are receiving this because you authored the thread.
>> Reply to this email directly, view it on GitHub
>> <#7394 (comment)>,
>> or unsubscribe
>> <https://github.com/notifications/unsubscribe-auth/AQL6GZI7PG6U2AHGNUNJ5LTTWNUXDANCNFSM4746Y4NQ>
>> .
>>
>
|
Again, you are most likely mixing up the GPG key file and the signature file; and checking the binaries against mismatched signature files. |
|
… On Wed, Jul 7, 2021 at 9:51 AM ghost43 ***@***.***> wrote:
Do you have the full URLs where you have downloaded them from?
Again, you are most likely mixing up the GPG key file and the signature
file; and checking the binaries against mismatched signature files.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#7394 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AQL6GZOEHROEDGXYMPSUBPDTWRLW5ANCNFSM4746Y4NQ>
.
|
|
In windows, I get message that electrum app is transmitting data to
https://electrum.hodlister.co (45.154.252.109:50002).
…On Wed, Jul 7, 2021 at 12:46 PM Adrian Vic ***@***.***> wrote:
https://electrum.org/#download
On Wed, Jul 7, 2021 at 9:51 AM ghost43 ***@***.***> wrote:
> Do you have the full URLs where you have downloaded them from?
>
> Again, you are most likely mixing up the GPG key file and the signature
> file; and checking the binaries against mismatched signature files.
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#7394 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AQL6GZOEHROEDGXYMPSUBPDTWRLW5ANCNFSM4746Y4NQ>
> .
>
|
|
By full URL to the files you have downloaded, I mean e.g.: |
Electrum connects to multiple remote servers for e.g. bitcoin block headers. |
|
https://download.electrum.org/4.1.4/electrum-4.1.4-x86_64.AppImage
https://download.electrum.org/4.1.4/electrum-4.1.4-x86_64.AppImage.ThomasV.asc
https://download.electrum.org/4.1.4/electrum-4.1.4-x86_64.AppImage.sombernight_releasekey.asc
https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/sombernight_releasekey.asc
…On Wed, Jul 7, 2021 at 1:22 PM ghost43 ***@***.***> wrote:
By full URL to the files you have downloaded, I mean e.g.:
https://download.electrum.org/4.1.4/electrum-4.1.4-x86_64.AppImagehttps://download.electrum.org/4.1.4/electrum-4.1.4-x86_64.AppImage.ThomasV.asc
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#7394 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AQL6GZMMZZ6BW47W5SBJV2DTWSENPANCNFSM4746Y4NQ>
.
|
|
Ok, so given these two files: Try renaming |
|
I shall. Please give me a hour time as I am going for lunch. Shall try your
advise and let you know the status. Thanks
et
…On Wed, Jul 7, 2021 at 1:34 PM ghost43 ***@***.***> wrote:
Ok, so given these two files:
https://download.electrum.org/4.1.4/electrum-4.1.4-x86_64.AppImagehttps://download.electrum.org/4.1.4/electrum-4.1.4-x86_64.AppImage.ThomasV.asc
Try renaming
https://download.electrum.org/4.1.4/electrum-4.1.4-x86_64.AppImage.ThomasV.asc
to
https://download.electrum.org/4.1.4/electrum-4.1.4-x86_64.AppImage.asc
and try to check validity after that
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#7394 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AQL6GZOCYIFVP6RN7RMDOLLTWSFZTANCNFSM4746Y4NQ>
.
|
|
@Adrianvic032 I happened to be reading this and was curious about whether or not you tried this, and what your results were? |
|
I encountered a similar challenge on macOS. When I tried to "Verify signature of file" in the GUI context menu, with electrum-4.1.5.dmg, the error message said, "No signatures found." This got resolved by removing the dev's name from the .asc file. @SomberNight To save users' time from renaming each .asc file, would it be possible to publish a .asc file that includes all the devs signatures together with the appropriate name (ex. 'electrum-4.1.5.dmg.asc')?
|
|
I am facing a similar challenge on Linux mint (20.3) https://download.electrum.org/4.1.5/Electrum-4.1.5.tar.gz First I imported the public key
Then: It seems that there are 3 signatures and only one of them matches. This is what my terminal shows me on the first two (sorry, haven figured out how to change the language of the terminal yet...), so I translate it mysef `gpg: signature created 22 jul 2021 14:49:37 CEST gpg: with RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C gpg: signature created 19 jul 2021 21:19:51 CEST gpg: signature created 19 jul 2021 20:22:29 CEST `gpg: WARNING: this key was not verified gpg: No indication that signature belongs to owner. fingerprint of the primary key: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6` |
Yes, exactly. There are now multiple signatures included in the .asc on the website.
This has been done, as above (see #7579). Closing this, as there are multiple different issues here, all of which I believe to have been answered. |
Importing the other asc file gives an error (no valid openPGP data found) . |
An .asc file can be either some signature(s) or some public key(s). The other public keys are linked on the website just above the table on the download page:
or see here in the website source code: |
|
Ah yes, I see it now above the table. I went to "How to verify GPG signatures" and thatś the explanation I followed. Here there is only mention of ThomasV's signature. Thanks for the explantion. I sort of understand the process now. So to resume: download the 3 public keys: Using PGP you can see the RSA key. For example Using Then there is a signature file Electrum-4.1.5.tar.gz.asc of the package. To verify that the package is actually not tampered with we do the verify command: This tells me 3 times the signatures are good (and I can see the RSA keys match with the ones I saw using gpg --show-keys). I guess this is enough and I can ignore the warnings. |
and others
Hi there,
Thanks for all the efforts you put into this application. I was trying from https://electrum.org/#downloading to install on Ubuntu/Tails but the verify signature gives "Bad Signature" status. Please advise. thanks
The text was updated successfully, but these errors were encountered: