Re: [GUIDE] How to Safely Download and Verify Electrum [Guide]

Quote from: DireWolfM14 on Today at 03:22:12 PM

Quote from: NotATether on Today at 03:12:10 PM

I believe that verifying the key does not require your own key (and hence password) either - at least on command-line (I once verified a message from someone else's public key without my own key, but maybe I'm misremembering. I do know that you have to set the key to be trusted while importing it though.

Partially correct: You won't be able to certify (sign) another persons key without your own, but you can indeed verify signed messages without your own key pair. Technically you don't even need to download the public signing key. The results will indicate that the message was signed by xyz key, but also mention that they key is unknown or unavailable. As long as you're willing to confirm that key xyz is they key you expected to have signed the message you don't actually need any keys in your keyring.

Setting a key to trusted shouldn't normally be done if you don't actually trust it. There are various trust levels and PGP does ask you about the level of confidence you have that this key actually belongs to the person (name and email) provided.

This is necessary to create PGP's web of trust.