pull down to refresh

473 sats \ 41 replies \ @Natalia 24 Feb \ on: The Curious Case of Digital Signatures crypto
practice 2. verifying the Electrum Wallet
  1. found the public key from https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc
Imported the key, also there are other devs are listed on the site.
  1. verified the file.
gpg --verify electrum-4.5.3.dmg.asc

gpg: assuming signed data in 'electrum-4.5.3.dmg'
gpg: Signature made Fri 23 Feb 12:32:06 2024 +03
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Good signature from "Stephan Oeste (it) <it
one thing really strange is that when I tried this again, it says
gpg: can't open 'electrum-4.5.3.dmg.asc': No such file or directory

gpg: verify signatures failed: No such file or directory
  1. I can't find the SHA256 to continue šŸ˜³
write
preview
0 sats \ 40 replies \ @ek OP 24 Feb freebie
  1. found the public key from https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc
Imported the key, also there are other devs are listed on the site.
Good, I think using Github as the source of trust is okay. But remember: the more sources that say that this is indeed the correct key, the better!
one thing really strange is that when I tried this again, it says
gpg: can't open 'electrum-4.5.3.dmg.asc': No such file or directory

gpg: verify signatures failed: No such file or directory
Mhh, and you are sure you didn't (remove) the file? Did you run gpg --verify in the correct folder?
  1. I can't find the SHA256 to continue šŸ˜³
If the software you downloaded was signed, then you don't need separate hashes. The signature contains the hash to verify integrity. I can tell from your comment that this is the case for Electrum since the signature is named electrum-4.5.3.dmg.asc and the software is in electrum-4.5.3.dmg.
Sparrow Wallet was just a special case where not the software was signed but the hashes. Then you need to run another command (sha256sum --check <hashfile> --ignore-missing) to verify the software.
I mentioned that I don't know why Craig did it like this, I only had an educated guess:
Conclusion
So what we just did was to basically verify the authenticity and integrity of the file that contained the hashes for all binaries with gpg --verify. When the hashes could be trusted, we could use them to make sure that the software was not tampered with. But why not simply provide a digital signature for the binary itself?
I actually don't know. But my educated guess is that it's related to convenience. Instead of providing a signature for every binary, the hashes are signed. Using sha256sum --check with --ignore-missing then simply ignores all files that don't exist. So I am basically guessing that there is no way to do something similar with digital signatures. Maybe someone knows more?