Off topic - GPG verification about monero-wallet-generator HOT 14 CLOSED

from monero-wallet-generator.

What gives? Please advise.

gpg --verify monero-wallet-generator.html.asc
gpg: assuming signed data in `monero-wallet-generator.html'
gpg: Signature made Sat 04 Feb 2017 02:02:33 AM PST using RSA key ID 4D6CEFC3
gpg: Good signature from "moneromooo-monero [email protected]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 48B0 8161 FBDA DFE3 93AD FC3E 686F 0745 4D6C EFC3

from monero-wallet-generator.

My Issue is similar. The signature verifies, but I get "WARNING: This key is not certified with a trusted signature!"

Is this a security concern?

(P.S Thankyou for making this OWG!)

$ gpg --verify monero-wallet-generator.html.asc
gpg: assuming signed data in 'monero-wallet-generator.html'
gpg: Signature made Sat 04 Feb 2017 05:02:33 AM EST
gpg: using RSA key 686F07454D6CEFC3
gpg: Good signature from "moneromooo-monero [email protected]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 48B0 8161 FBDA DFE3 93AD FC3E 686F 0745 4D6C EFC3

from monero-wallet-generator.

same here

from monero-wallet-generator.

twimcacca, blockmeister9, Tahutipai, I believe that the user doing the verifying has to use gpg to certify that the moneromooo's key is genuine/trusted. Then you won't get that message.

Verfifying Signatures, etc.

In other words, if you have no clue who moneromooo is, you would not want to assign ultimate trust for example.

from monero-wallet-generator.

@twincacca @blockmeister9 @Tahutipai As long as you "good signature" as you do in this line:

gpg: Good signature from "moneromooo-monero [email protected]" [unknown]

The "WARNING: This key is not certified with a trusted signature" refers only to your local "trust database". This is where you say how well you trust that the key belongs to the person in question. This isn't something necessary for this kind of use case, so as long as you see "Good signature", then you are able to use the download safely.

from monero-wallet-generator.

This is correct, those warnings are expected. As long as you get the "Good signature" message from the correct key, then you're good. Note that the correct key is determined by its fingerprint, and NOT by the email claimed, as anyone can make a key with any email attached.

from monero-wallet-generator.

Great, thankyou. May I suggest it may be beneficial to update the instructions at the bottom of the wallet generator page to include expectation of this message? Esp. for those new to the process.

As it presently stands, if a new user follows the described process verbatim, then the user receives what appears to be, but is not, an error message of concern. (especially as we are dealing with funds here)

P.S Thankyou for making this!

from monero-wallet-generator.

Good idea, I've just done this.

from monero-wallet-generator.

Hi - Total novice in this area so forgive me if I'm coming at this in the wrong way.

I'm following the same procedure as above using Git BASH for Windows to verify the signature. As above no issues with the import of the GPG key; key and address all look fine on the face of it.

My problem is that I actually get a BAD signature returned based on the latest update, even though the RSA Key ID appears to match.

Am I missing something? Or is it genuinely an issue that I am pulling up the Bad Signature?

from monero-wallet-generator.

@gravypig I haven't done it via Git BASH on Windows before. Should just need something like Kleopatra (GPG4win) and just load the file + sig in there (doesn't specifically need to be done via Git). An example of what it should look like via my linux though (pulling latest update, verifying signature, and then giving you the sha256sum to verify another way):

:: [stephen@laptop] ~/projects/monero-wallet-generator [git:master]
$ git pull
remote: Counting objects: 10, done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 10 (delta 3), reused 10 (delta 3), pack-reused 0
Unpacking objects: 100% (10/10), done.
From https://github.com/moneromooo-monero/monero-wallet-generator
   c04a4e8..da2e7d9  master     -> origin/master
Updating c04a4e8..da2e7d9
Fast-forward
 monero-wallet-generator.html     | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
 monero-wallet-generator.html.asc | 27 +++++++++++++--------------
 2 files changed, 73 insertions(+), 17 deletions(-)
:: [stephen@laptop] ~/projects/monero-wallet-generator [git:master]
$ gpg --verify monero-wallet-generator.html{.asc,}
gpg: Signature made Mon 18 Sep 2017 20:10:30 ACST
gpg:                using RSA key 686F07454D6CEFC3
gpg: Good signature from "moneromooo-monero <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 48B0 8161 FBDA DFE3 93AD  FC3E 686F 0745 4D6C EFC3
:: [stephen@laptop] ~/projects/monero-wallet-generator [git:master]
$ sha256sum monero-wallet-generator.html
c4d7725e88d583e472f3ea3d93ea1f5a9d60abb4155258eb21ebcf6e9760670b  monero-wallet-generator.html

from monero-wallet-generator.

Thanks for the quick reply @stevesbrain - I tried GPG4WIN before moving on to GitBASH, but it didn't seem to recognise the signature file at all so in the end I abandoned the attempt.

As it happens since yesterday I have managed to kind of figure out my problem - I wasn't downloading all the original files direct from the github (specifically the html file).

Previously I was saving the wallet generator html file direct from the following web address -https://moneroaddress.org - and then downloading the signature file from github, which was then returning a BAD signature.

I can only assume someone has taken an early version and dropped it in there, but not updated it to the latest version so now the signatures dont match. Either that or its not legit...

Anyway, all sorted now, thanks again much appreciated!

from monero-wallet-generator.

@gravypig No worries - glad you got it all sorted :) Likely the moneroaddress.org link hasn't been updated with the latest file. You could probably grab an old signature from github to check it against if you were curious to see if indeed it wasn't legit!

from monero-wallet-generator.

Hi, You do not need to run gpg as root. The filename must be the same as the asc file, minus the ".asc". The file must be saved EXACTLY. No extra newlines, no Windows CR/LR changes, etc.
…

Thank you! The CR/LR changes by git on Windows may have been causing issues in my case, which I solved by downloading the code .zip file instead of using git clone https://github.com/moneromooo-monero/monero-wallet-generator

from monero-wallet-generator.