
GPGTools on macOS shows signature checks of aggregated file without scrollbar

Open aschmutt opened this issue 2 years ago • 6 comments

I downloaded the latest Electrum release (4.2.1) for macOS from the homepage and verified the signature. https://electrum.org/#download

But then I got this error: [screenshot, 2022-05-13 11:35:18]

Then I checked the signature and got this:

[screenshot, 2022-05-13 11:32:32]

Question is: did you get hacked, or did you forget to update Download Page with new Signature Files?

aschmutt avatar May 13 '22 09:05 aschmutt

Hi, not sure what program you are using to check, but this is what command-line gpg outputs:

$ gpg --verify electrum-4.2.1.dmg.asc 
gpg: assuming signed data in 'electrum-4.2.1.dmg'

gpg: Signature made Sun 27 Mar 2022 17:31:59 BST
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Good signature from "Stephan Oeste (it) <[email protected]>" [unknown]
gpg:                 aka "Stephan Oeste (Master-key) <[email protected]>" [unknown]
gpg:                 aka "Emzy E. (emzy) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9EDA FF80 E080 6596 04F4  A76B 2EBB 056F D847 F8A7
     Subkey fingerprint: 637D B1E2 3370 F84A FF88  CCE0 3152 347D 07DA 627C

gpg: Signature made Sun 27 Mar 2022 14:55:54 BST
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Good signature from "SomberNight/ghost43 (Electrum RELEASE signing key) <[email protected]>" [ultimate]

gpg: Signature made Sun 27 Mar 2022 06:57:04 BST
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>" [unknown]
gpg:                 aka "ThomasV <[email protected]>" [unknown]
gpg:                 aka "Thomas Voegtlin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

The signature file contains signatures from three different keys/people.

SomberNight avatar May 13 '22 12:05 SomberNight

I used GPG Suite with OpenPGP on Mac: right click and verify => then comes the error message from my first post. So obviously it checks only the first entry, not all three of them. The solution would be to add all 3 signatures to the Downloads Page?

[screenshot, 2022-05-13 16:15:21] [screenshot, 2022-05-13 16:11:32]

On the command line it recognizes the signature of ThomasV correctly: [screenshot, 2022-05-13 16:18:55]

aschmutt avatar May 13 '22 14:05 aschmutt

The solution would be to add all 3 signatures to the Downloads Page?

Right... that was what we were doing previously, which had its own issues: https://github.com/spesmilo/electrum/issues/7579 In fact, the main reason we changed to a single aggregated sigfile was that it is supposed to work better with GUI verifiers such as what you are using. :/

I've tested with Kleopatra (+gpg4win) on Windows, and when double-clicking the .asc file, it verifies all three signatures as expected.

I used GPG Suite with OpenPGP on Mac: right click and verify => then comes the error message from my first post. So obviously it checks only the first entry, not all three of them.

That's not so obvious to me -- could it be that it checks all of them but if any errors, it shows that error?

SomberNight avatar May 13 '22 15:05 SomberNight

@ecdsa should we maybe hack the order of the sigs in the aggregated signature file so that yours comes first?

https://github.com/spesmilo/electrum-web/blob/d91a7cb5e6b83d13a290d2f0beca9014b498c25f/deploy.sh#L64-L65

SomberNight avatar Aug 11 '22 09:08 SomberNight

@ecdsa should we maybe hack the order of the sigs in the aggregated signature file so that yours comes first?

how would that help?

ecdsa avatar Aug 11 '22 09:08 ecdsa

Based on OP's screenshot, I expected GPGTools to verify the sigs in order and display the first error. The source of confusion for some users is that they expect your signature, so if the error they get mentions some other key, apparently they freak out. (see present issue, this one, and e.g. this reddit thread)

However, I have now tested myself, and this is not the whole story...


This is what I am presented with when using GPG_Suite-2022.01.dmg (from https://gpgtools.org) on macOS 10.15. Note the scrollbar! And note that the scrollbar is missing in OP's image.

[screenshot: pic1]

Upon re-reading https://github.com/spesmilo/electrum/issues/7872#issuecomment-1170020147 , note that the user mentions being able to scroll but implies there is no scroll bar...

Here is the expanded window:

[screenshot: pic2]

So GPG_Suite/GPGTools shows results for all signatures, in order, but the default window size is exactly large enough that only one signature check fits, and apparently there is no scroll bar for some users.

SomberNight avatar Aug 11 '22 10:08 SomberNight
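The thread's underlying point is that an aggregated .asc file carries several signatures and a GUI may surface only the first result it has room for. The script below is an added example, not Electrum's code and not part of this issue: it drives gpg with `--status-fd` (the machine-readable status lines gpg emits: NEWSIG, GOODSIG/BADSIG/ERRSIG, VALIDSIG), builds one record per signature, and then checks that every signer you actually require is among the good ones, so a missing or unknown key for one co-signer is reported rather than mistaken for a bad download. The fingerprints are the ones gpg printed earlier in this thread; the status-line samples, timestamps and the `verify_with_gpg`/`check_signers` helper names are constructed for the example.

```python
"""Report every signature in an aggregated .asc file via gpg --status-fd.

Added example (not Electrum's code): parses gpg's status lines so all N
concatenated signatures are seen, instead of relying on a GUI summary.
"""
import shutil
import subprocess

# Primary-key fingerprints as printed by gpg in this thread (spaces removed).
ELECTRUM_SIGNERS = {
    "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6": "Thomas Voegtlin (ThomasV)",
    "0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC": "SomberNight release key",
    "9EDAFF80E080659604F4A76B2EBB056FD847F8A7": "Stephan Oeste (Emzy)",
}

VERDICTS = ("GOODSIG", "BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "VALIDSIG")


def _new_record():
    return {"status": None, "keyid": None, "primary_fpr": None, "uid": None, "note": None}


def parse_gpg_status(status_text):
    """Turn gpg --status-fd output into one record per signature examined.

    gpg prints NEWSIG before each signature; GOODSIG/BADSIG/ERRSIG give the
    verdict, and VALIDSIG (good signatures only) ends with the fingerprint of
    the primary key, which is what release notes usually publish.
    """
    sigs, cur = [], None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        kw = fields[1]
        if kw == "NEWSIG":
            cur = _new_record()
            sigs.append(cur)
            continue
        if kw not in VERDICTS:
            continue
        if cur is None:  # tolerate gpg builds that omit NEWSIG
            cur = _new_record()
            sigs.append(cur)
        if kw == "GOODSIG":
            cur.update(status="good", keyid=fields[2], uid=" ".join(fields[3:]))
        elif kw == "BADSIG":
            cur.update(status="bad", keyid=fields[2])
        elif kw == "ERRSIG":
            # ERRSIG <keyid> <pkalgo> <hashalgo> <class> <time> <rc> [<fpr>]; rc 9 = no public key
            note = "no public key in keyring" if len(fields) > 7 and fields[7] == "9" else "unverifiable"
            cur.update(status="error", keyid=fields[2], note=note)
        elif kw in ("EXPKEYSIG", "REVKEYSIG"):
            cur.update(status=kw.lower(), keyid=fields[2], uid=" ".join(fields[3:]))
        elif kw == "VALIDSIG":
            cur["primary_fpr"] = fields[-1]
    return sigs


def check_signers(sigs, required_fprs):
    """Return (ok, report): ok only if every required primary-key fingerprint
    produced a good signature and no signature in the file was bad."""
    good = {s["primary_fpr"] for s in sigs if s["status"] == "good" and s["primary_fpr"]}
    missing = sorted(set(required_fprs) - good)
    bad = sum(1 for s in sigs if s["status"] == "bad")
    unverifiable = sum(1 for s in sigs if s["status"] == "error")
    report = {"good": sorted(good), "missing": missing, "bad": bad, "unverifiable": unverifiable}
    return (not missing and bad == 0), report


def verify_with_gpg(sig_path, data_path, required_fprs):
    """Run gpg on a detached (possibly aggregated) signature and check signers."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH")
    proc = subprocess.run([gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    sigs = parse_gpg_status(proc.stdout)
    return check_signers(sigs, required_fprs), sigs


# Constructed status output modelled on the three signatures in this thread
# (key IDs/fingerprints from the thread; timestamps, algorithms constructed).
_EMZY_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3152347D07DA627C Stephan Oeste (it)
[GNUPG:] VALIDSIG 637DB1E23370F84AFF88CCE03152347D07DA627C 2022-03-27 1648398719 0 4 0 1 10 00 9EDAFF80E080659604F4A76B2EBB056FD847F8A7
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
_EMZY_NO_PUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 3152347D07DA627C 1 10 00 1648398719 9 637DB1E23370F84AFF88CCE03152347D07DA627C
[GNUPG:] NO_PUBKEY 3152347D07DA627C
"""
_REST = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CA9EEEC43DF911DC SomberNight/ghost43 (Electrum RELEASE signing key)
[GNUPG:] VALIDSIG 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC 2022-03-27 1648389354 0 4 0 1 10 00 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
[GNUPG:] TRUST_ULTIMATE 0 pgp
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org)
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2022-03-27 1648360624 0 4 0 1 10 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_STATUS = _EMZY_GOOD + _REST            # all three keys in the keyring
SAMPLE_MISSING_KEY = _EMZY_NO_PUBKEY + _REST  # first co-signer's key not imported

if __name__ == "__main__":
    thomasv = ["6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"]
    for name, text in (("all keys known", SAMPLE_STATUS), ("one key missing", SAMPLE_MISSING_KEY)):
        ok, report = check_signers(parse_gpg_status(text), thomasv)
        print(name, "->", "OK" if ok else "FAIL", report)
```

Requiring only the maintainer's fingerprint (`thomasv` above) reproduces the situation in the thread: a file whose first signature cannot be verified because that co-signer's key was never imported still passes, while any BADSIG or a missing required signer fails. Replace the sample strings with `verify_with_gpg("electrum-4.2.1.dmg.asc", "electrum-4.2.1.dmg", thomasv)` to run it against a real download.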