Once installation is completed and Kleopatra launches, I recommend you create a private key.
Why would you recommend that I create a private key? Note that this can be very confusing for a newbie. Do I need a private key for the certification of Thomas' identity, or is it just recommended after all?
You don't need a private key, or to certify anything, to verify stuff; the certify process is only there to remove the bogus "This key is not trusted" warnings. Some suites may not even display it at all (GPGtools does insist on making a keypair though; I wonder if you can skip that part).
The whole point of using PGP keys to sign stuff for others to verify is to utilize the Web of Trust, which is the correct way of using PGP too. That warning is mandatory (it is not bogus, and should not be hidden) since it is telling you that you have forgotten a very important step in verifying digital signatures, which is to first import a trusted public key the correct way, not just copy it from the internet without putting much thought into it.
By adding the public key of the signer to your trusted keys (you should have your own key here) you are confirming that you DO actually trust this public key.
Otherwise a malicious attacker can create fake software, a fake public key and a valid signature made with that fake public key. An unaware user downloading all three from the same place would see a valid signature but have fake/malicious software.
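The scenario from the comment above (a cryptographically valid signature made with an attacker-supplied key), as an added shell example that is not part of this thread. It assumes GnuPG 2.x is installed as `gpg` and runs entirely inside a throwaway GNUPGHOME; the key names, file names and the `trusted.gpg` keyring are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Shows why a "valid" signature means
# nothing unless the signing key came from a keyring YOU decided to trust.
# Assumes GnuPG 2.x as `gpg`; everything lives in a temporary GNUPGHOME,
# so the real keyring is never touched.
set -eu
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
WORK="$GNUPGHOME/work"; mkdir -p "$WORK"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
TRUSTED="$GNUPGHOME/trusted.gpg"   # keyring holding only keys you vetted

make_key()  { gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
                  --quick-generate-key "$1" ed25519 sign never 2>/dev/null; }
sign_file() { gpg --batch --quiet --local-user "$1" \
                  --detach-sign --output "$2.sig" "$2" 2>/dev/null; }

# Verify against the curated keyring only: 0 for a good signature from a
# key in that keyring, non-zero for a bad signature OR an unknown key.
verify_trusted() {
  gpg --batch --quiet --no-default-keyring --keyring "$TRUSTED" \
      --verify "$1.sig" "$1" >/dev/null 2>&1
}
# Verify against the default keyring, into which the key shipped next to
# the download was imported without any thought (the mistake described).
verify_naive() { gpg --batch --quiet --verify "$1.sig" "$1" >/dev/null 2>&1; }

setup_demo() {
  # Constructed scenario: the real author and an impostor each have a key.
  make_key "genuine@example.invalid"
  make_key "impostor@example.invalid"
  printf 'real release\n'     > "$WORK/genuine.txt"
  printf 'trojaned release\n' > "$WORK/fake.txt"
  sign_file "genuine@example.invalid"  "$WORK/genuine.txt"
  sign_file "impostor@example.invalid" "$WORK/fake.txt"
  # The step the thread insists on: obtain the author's key out-of-band and
  # add only that one to your trusted keys.
  gpg --batch --export "genuine@example.invalid" > "$TRUSTED"
}

setup_demo
# Both signatures are valid against the keys that were shipped with them...
verify_naive "$WORK/genuine.txt" && echo "naive:   genuine.txt verifies"
verify_naive "$WORK/fake.txt"    && echo "naive:   fake.txt verifies too"
# ...but only the genuine file checks out against the keyring you curated.
verify_trusted "$WORK/genuine.txt" && echo "trusted: genuine.txt verifies"
verify_trusted "$WORK/fake.txt" || echo "trusted: fake.txt REJECTED (unknown key)"
```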