I am not a programmer.
I wish to verity an Electrum download and install it.
I have spent much time finding and reading and trying different instructions.
I have not found simple and complete instructions to use Kleopatria.
In a fit of anger against MS—the OS is one giant commercial, and the Gates family are anti-human— I switched to Linux, (Mint 22 Cinnamon) and removed all the MS stuff. I did this prematurely, and lost some of my tutorials.
I have downloaded these files:
They are in folder, Documents>B>Electrum electrum-4.5.5-x86_64.Appimage and electrum4.5.5-x86-Appimage.asc.
ThomasV is the maintainer of Electrum. You can import his public key from GitHub or use the fingerprint 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6. If importing via fingerprint doesn’t work, download the key from GitHub and use the import button in Kleopatra.
Please define: Key, certificate, and fingerprint.
Please recommend a place where I can learn to do this where no experience and prior knowledge is assumed.
Thank you for your attention.
joh
The most comprehensive resource to learn the GnuPG usage, is the manual:
The only relevant chapter for you is chapter 4: Invoking GPG
For more specific help, I’d like to verify first:
Do you want to use the command line (terminal) or a graphical interface?
The second option would be easier, but if you want to dive deeper, the command line is the better choice.
Thank you for the instant response and helpful recommendations.
I would like to learn them both, and I will do as you recommend.
joh
I reviewed Ch. 4. I was overwhelmed. I made half a page of notes for a few key commands and options. I am still uncertain of the difference between the two.
I feel like an orangutan in a violin class.
My goal is to use Electrum with maximum safety to access my little stack and get the use of some dollars, or whatever it is now.
Please give me instructions to do that in the easiest-to-understand manner.
joh
I fully agree that the manual is very focused on technical details, not on users’ needs.
The steps, using the graphical interfaces are:
Open the program “Passwords and Keys”
Unfortunately, Mint 22 doesn’t come with a reasonable, working and up-to-date list of keyservers. So, first, we need to add one. Go to the preferences:
In the search field, enter the fingerprint of the key you are searching for and click Search.
In my tests, I had to disable the other keyservers (you can also remove them in the preferences window), to get a result. Probably the other pre-configured keyserver don’t behave well and block the search.
You should get a result like this:
Click the download button on the right to import it
The download button turns into a checkmark:
Now that you have the key, we can then verify the file signature.
Unfortunately, Mint 22 doesn’t come with a graphical program to verify signatures like other operating systems and the required package (seahorse-nautilus) is not available
So I’m afraid we actually need to use the command line for the verification.
Open a terminal and switch to the directory containing the downloaded files, e.g. Downloads: cd Downloads. You can verify being in the correct location by running ls to list the files
Run gpg --verify electrum-4.5.5-x86_64.AppImage.asc
You should see Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" as here:
I appreciate your help.
An example of how lost int the woods I am is that I do not know where to go and what program or application to run to follow your first instruction, "…using the graphical interfaces…open the program “Passwords and Keys”. Please give me those directions. I opened Kleopatra, but did not see those options at the home menu.
joh
In the first post, you said you are using Mint 22 Cinnamon which comes with Passwords and Keys pre-installed.
So I installed Kleopatra on my test system, and I see the steps are equivalent:
The pre-configured key server (keys.openpgp.org) won’t show us the key we are looking for, so we need to set another key server. First, click on Settings and choose Configure Kleopatra:
Directly on the top of the new window, enter hkps://pubkeys.intevation.de in the field OpenPGP keyserver:
Confirm with the OK button
Click on Lookup on Server:
Enter the fingerprint in the search input field, click Search and you’ll see one item in the list:
Select it, and click on the Import button on the bottom right.
Now Kleopatra shows you that one imported certificate exists:
For the file signature verification, let’s click the big Decrypt/Verify button:
In the newly opened window, select the signature file and click Open:
In the results window you see some textual output:
It shows that the file has 3 signatures in total, whereas two of them could not be checked, and one of them is from Thomas Voegtlin, whose certificate we have previously downloaded to check his signature.
In Linux Mint 22 Cinnamon in Downloads directory with fresh downloads of both files, I have installed the programs that are indicated. Then, I ran this:
gpg --verify electrum 4.5.5.-x86_64.AppImage.asc
The cursor flashed about 5 times and stayed not flashing, and there was nothing printed on the screen.
Why don’t you use Kleopatra, which you preferred in the first place?
It’s unclear which command you executed, gpg --verify electrum 4.5.5.-x86_64.AppImage.asc or gpg --verify electrum 4.5.5.-x86_64.AppImage. The first one is the correct one.
Please copy & paste the full input and output of the terminal or a screenshot of it.
I prefer to use Kelo. I will review the multiple instructions that I have printed for doing with Kleopatra.
I will save screenshots to make a complete record for you. I am still at the stage of missing a hyphen or period when I sometimes write commands and addresses rather than C&P.
Thank you for your help. Everything I have tried has come to a screen that did not follow the example. I had previously used this, but it did not work. I did it very carefully, making sure all the files were accessible to it and it worked the first time. Please tell me the proper way to close this topic.
joh
It ain’t pretty, but if you’re in a hurry to install something and can’t get signatures to work, make some forum posts on the Electrum website (I assume there’s a forum?) asking “what is the correct sha256sum for $(the installer file you downloaded)”. Other people who have been able to verify it after download will post the sha256sum’s the’ve got for it, if your sha256sum (“sha256sum filename.extension” in terminal) matches their’s then your file matches theirs and therefore your file cannot have been corrupted or tampered with. Well done on escaping Windows land, I did so when M$oft produced the gwx malware in 2015/16 as their “get Windows X” campaign and never looked back. Mint is a great choice for former Windows users.
