
GPGTools on macOS shows signature checks of aggregated file without scrollbar #7810

Open
aschmutt opened this issue May 13, 2022 · 6 comments

Comments

@aschmutt

I downloaded the latest Electrum release (4.2.1) for macOS from the homepage and verified the signature.
https://electrum.org/#download

But then I got this error:
[Screenshot 2022-05-13 at 11:35:18]

Then I checked the signature and got this:

[Screenshot 2022-05-13 at 11:32:32]

Question is: did you get hacked, or did you forget to update the download page with the new signature files?

@SomberNight (Member) commented May 13, 2022

Hi, not sure what program you are using to check, but this is what command-line gpg outputs:

$ gpg --verify electrum-4.2.1.dmg.asc 
gpg: assuming signed data in 'electrum-4.2.1.dmg'

gpg: Signature made Sun 27 Mar 2022 17:31:59 BST
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Good signature from "Stephan Oeste (it) <it@oeste.de>" [unknown]
gpg:                 aka "Stephan Oeste (Master-key) <stephan@oeste.de>" [unknown]
gpg:                 aka "Emzy E. (emzy) <emzy@emzy.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9EDA FF80 E080 6596 04F4  A76B 2EBB 056F D847 F8A7
     Subkey fingerprint: 637D B1E2 3370 F84A FF88  CCE0 3152 347D 07DA 627C

gpg: Signature made Sun 27 Mar 2022 14:55:54 BST
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Good signature from "SomberNight/ghost43 (Electrum RELEASE signing key) <somber.night@protonmail.com>" [ultimate]

gpg: Signature made Sun 27 Mar 2022 06:57:04 BST
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

The signature file contains signatures from three different keys/people.
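The point made above, that one .asc file carries three signatures and that all of them should be checked rather than only the first, as an added example that is not part of this thread and not Electrum's or GPGTools' own tooling: a Python script that drives gpg with `--status-fd`, so each signature in the file yields a machine-readable record, and then compares the verified primary-key fingerprints against the set of expected release signers. The fingerprints are the ones gpg printed above; the `EXPECTED_SIGNERS` set, the function names and the embedded sample status lines (constructed to mirror the OP's situation, where the first key is not in the keyring) are my own.

```python
"""Check every signature in an aggregated detached .asc, not just the first.

Added example for this thread; not Electrum's or GPGTools' code. It drives
gpg with --status-fd so each signature in the file yields machine-readable
records, then compares the verified primary-key fingerprints with the set of
release signers you expect. EXPECTED_SIGNERS and all names here are mine.
"""
import subprocess
import sys
from dataclasses import dataclass

# Primary-key fingerprints as printed by gpg earlier in this thread.
EXPECTED_SIGNERS = {
    "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6",  # Thomas Voegtlin
    "0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC",  # SomberNight release key
    "9EDAFF80E080659604F4A76B2EBB056FD847F8A7",  # Stephan Oeste (primary key)
}


@dataclass
class SigResult:
    key: str = ""            # key ID or fingerprint gpg attributed the sig to
    status: str = "UNKNOWN"  # GOOD, BAD, ERROR, EXPSIG, EXPKEYSIG, REVKEYSIG
    primary_fpr: str = ""    # primary-key fingerprint (from VALIDSIG)
    detail: str = ""         # user ID or error explanation


def parse_gpg_status(lines):
    """Turn '[GNUPG:] ...' status lines into one SigResult per signature.

    gpg emits NEWSIG before it starts on each signature in the file, so every
    later keyword is attached to the most recent NEWSIG record.
    """
    results = []
    cur = None
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue  # plain stderr chatter, not part of the status protocol
        parts = line.split()[1:]
        if not parts:
            continue
        kw, *args = parts
        if kw == "NEWSIG":
            cur = SigResult()
            results.append(cur)
        elif cur is None:
            continue
        elif kw == "GOODSIG":
            cur.key, cur.status, cur.detail = args[0], "GOOD", " ".join(args[1:])
        elif kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsvd> <pk> <hash> <class> [<primary-fpr>]
            cur.key = args[0]
            cur.primary_fpr = args[9] if len(args) > 9 else args[0]
        elif kw == "BADSIG":
            cur.key, cur.status, cur.detail = args[0], "BAD", " ".join(args[1:])
        elif kw == "ERRSIG":
            cur.key, cur.status = args[0], "ERROR"
        elif kw == "NO_PUBKEY":
            cur.detail = "public key not in keyring"
        elif kw in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            cur.key, cur.status, cur.detail = args[0], kw, " ".join(args[1:])
    return results


def check_signers(results, expected=EXPECTED_SIGNERS):
    """Return (ok, verified, missing). ok only if every expected signer is GOOD."""
    verified = {r.primary_fpr for r in results if r.status == "GOOD" and r.primary_fpr}
    missing = set(expected) - verified
    return (not missing, verified, missing)


def verify_file(sig_path, data_path):
    """Run gpg (must be on PATH) and return the parsed per-signature results."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stdout.splitlines())


# Constructed sample status output mirroring the OP's situation: the first
# signature's key was never imported, the other two verify. Key IDs and
# fingerprints are the ones quoted in this thread; the timestamps are
# made up to match the printed signature times.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 3152347D07DA627C 1 8 00 1648398719 9
[GNUPG:] NO_PUBKEY 3152347D07DA627C
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CA9EEEC43DF911DC SomberNight/ghost43 (Electrum RELEASE signing key) <somber.night@protonmail.com>
[GNUPG:] VALIDSIG 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC 2022-03-27 1648389354 0 4 0 1 8 00 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2022-03-27 1648360624 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
""".splitlines()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        results = verify_file(sys.argv[1], sys.argv[2])
    else:
        results = parse_gpg_status(SAMPLE_STATUS)  # offline demo
    for i, r in enumerate(results, 1):
        print(f"sig {i}: {r.status:<9} {r.key} {r.detail}")
    ok, verified, missing = check_signers(results)
    print("all expected signers verified" if ok else f"MISSING: {sorted(missing)}")
    sys.exit(0 if ok else 1)
```

Run as `python check_sigs.py electrum-4.2.1.dmg.asc electrum-4.2.1.dmg` to verify a real download (gpg must be installed), or with no arguments to see the offline demo. The keywords parsed (NEWSIG, GOODSIG, VALIDSIG, BADSIG, ERRSIG, NO_PUBKEY) are gpg's documented `--status-fd` interface, which is the right thing to consume from a script instead of scraping the human-readable output. Note that the check is deliberately strict: a missing or unverifiable signature from an expected signer fails the run even when the other signatures are good, which is the opposite of stopping at the first result.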

@aschmutt (Author)

I used GPG Suite with OpenPGP on Mac: right click and verify => then comes the error message from my first post.
So obviously it checks only the first entry, not all three of them.
The solution would be to add all 3 signatures to the Downloads Page?

[Screenshot 2022-05-13 at 16:15:21]

[Screenshot 2022-05-13 at 16:11:32]

On the command line it recognizes the signature of ThomasV correctly:
[Screenshot 2022-05-13 at 16:18:55]

@SomberNight (Member) commented May 13, 2022

> The solution would be to add all 3 signatures to the Downloads Page?

Right... that was what we were doing previously, which had its own issues: #7579
In fact, the main reason we changed to a single aggregated sigfile was that it is supposed to work better with GUI verifiers such as what you are using. :/

I've tested with Kleopatra (+gpg4win) on Windows, and when double-clicking the .asc file, it verifies all three signatures as expected.

> I used GPG Suite with OpenPGP on Mac: right click and verify => then comes the error message from my first post.
> So obviously it checks only the first entry, not all three of them.

That's not so obvious to me -- could it be that it checks all of them but if any errors, it shows that error?

@SomberNight (Member)

@ecdsa should we maybe hack the order of the sigs in the aggregated signature file so that yours comes first?

https://github.com/spesmilo/electrum-web/blob/d91a7cb5e6b83d13a290d2f0beca9014b498c25f/deploy.sh#L64-L65

@ecdsa (Member) commented Aug 11, 2022

> @ecdsa should we maybe hack the order of the sigs in the aggregated signature file so that yours comes first?

how would that help?

@SomberNight (Member) commented Aug 11, 2022

Based on OP's screenshot, I expected GPGTools to verify the sigs in order and display the first error. The source of confusion for some users is that they expect your signature, so if the error they get mentions some other key, apparently they freak out. (see present issue, this one, and e.g. this reddit thread)

However, I have now tested myself, and this is not the whole story...

This is what I am presented with when using GPG_Suite-2022.01.dmg (from https://gpgtools.org) on macOS 10.15.
Note the scrollbar! And note that the scrollbar is missing in OP's image.

[Screenshot: GPG Suite verification result at the default window size, with a scrollbar]

Upon re-reading #7872 (comment) , note that the user mentions being able to scroll but implying there being no scroll bar...

Here is the expanded window:

[Screenshot: the expanded verification window]

So GPG_Suite/GPGTools shows results for all signatures, in order, but the default window size is exactly large enough that only one signature check fits, and apparently there is no scroll bar for some users.

@SomberNight changed the title from "Download Verification failed" to "GPGTools on macOS shows signature checks of aggregated file without scrollbar" on Aug 11, 2022