Comparing
$ w3m -dump https://github.com/spesmilo/electrum/releases/tag/3.0.5 | grep -i verified
Received a secured cookie
_Unverified_
$ w3m -dump https://github.com/fyookball/electrum/releases/tag/3.1.3 | grep -i verified
Received a secured cookie
@ecdsa's releases raise an Unverified warning, but @fyookball's don't.
As we know, the user should be on the alert for the slightest of warnings, as the stakes are so high. This is not just your average calorie counter program.
GitHub has made these warning systems and programmers should make the small effort to take the care not to trigger them.
They are to help users detect Trojan programs and not just a nonchalant 'who cares' item as misunderstood in #3657.
This should be easy enough to fix: https://github.com/blog/2144-gpg-signature-verification
I have verified ecdsa’s key. And that he is an actual person.
Fyookball is probably an ok guy, I have talked to him on irc a few times, but if you think having the word “verified” next to it makes it secure, you have a sore misunderstanding of how GPG works.
“Verified” just means “Github saw someone logged into ecdsa upload a public key with that fingerprint.”
I could “verify” satoshi’s gpg key with my account. They don’t require a signature to verify.
But ok, I understand “not scaring people” is a good idea so ecdsa uploading his pubkey is probably a good idea.
But if someday a verified signed binary by ecdsa steals bitcoin, you know who to sue.
If fyookball signs a BCH stealing binary: whoops, nowhere to be found! He was a nice chap until he wasn’t anymore. No stake at all behind his work.
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6
Obviously you shouldn’t trust MIT blindly, but I have personally verified fingerprints of 3 people that have signed Thomas’s key. Which is the “unverified” one.
All I know is if the hackers can make an illusion of trust,
then at least the real people should be able to do so as well.
I.e., all green lights all the way. No security warnings popping up.
@jidanni, a "trusted signature" is one you personally verify.
Generally, deterministic builds are the best assurance that the code on github is the same as the executable. A great value to both projects. Thanks @ecdsa and @bauerj. Probably more people should be educated about that and build them.
@dabura667, generally agree with your comments, but just because a developer has appeared in public doesn't really tell you for sure that they are using their real name/address, etc. A publicly known dev is no guarantee of anything, although I would agree it's a plus.
Ah, no wonder. @ecdsa never saw any warning!
GitHub Staff support@github.com writes:
Hey Dan,
If the tag is signed with a valid signature, we should show a 'verified' message, but we wouldn't show a warning if a tag isn't signed.
I can pass your request onto our team to consider.
I can't promise if or when we'd add this but I'll for sure pass it on.
Thanks
Sean
Dear GitHub,
Do developers see some kind of warning when making releases but with unverified signatures? I don't know, as I have never made a release.
If not, then GitHub should print a warning to the developer: "Your signature is not verified!"
And maybe even not allow making the release. I'll post your reply on https://github.com/spesmilo/electrum/issues/3741
Thanks!
After reading https://electrum.org/bcc2.txt one would think the author would think signatures are important.
All Electrum releases are cryptographically signed.
@bauerj yes but they have Unverified warnings.
@jidanni It's because those are not the releases that are signed. You should download the releases from electrum.org, not github.
OK, but some people might think "I'll download from GitHub. I've had bad luck in the past clicking on random websites, even if their name looks all ASCII."
Also users think "The website version is signed, but it is based on the GitHub version, which is unsigned!" (Or signed, but with an unverified signature.)
(Beforehand, check Thomas’s GPG key (which everyone MUST DO to verify validity of any binary from anywhere))
git clone
cd electrum
git verify-tag v3.0.2
(GPG will check if the signature is valid)
git checkout v3.0.2
(Then install as normal)
Replace with whatever tag you want.
Github showing “Verified” or “Unverified” should NOT be important.
We want all users to verify for themselves, if Github says “Verified” then most users will trust Github.
But the problem is that Github’s “Verified” mark only verifies that the public key is one that ecdsa uploaded (you have to trust Github that this is true) and that they verified the signature as matching the uploaded key (you have to trust Github actually verified the signature).
If you are downloading Github binaries without actually verifying the gpg signatures for yourself, you are in more danger than someone who downloads the binary from electrum.org.
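Worked example of the verification procedure above, added here and not code from the thread or the Electrum project: it wraps `git verify-tag` but also pins the signing key's fingerprint, because git reports a good signature for any key that happens to be in your keyring. `PINNED_FPR` is a placeholder you replace with the fingerprint you checked out of band, and the function and variable names are my own.

```sh
#!/bin/sh
# Added example, not code from the thread or the Electrum project.
# Verifies a git tag the way the thread recommends (git verify-tag), but
# additionally pins the signing key: "Good signature" alone only means the
# signature matches *some* key in your keyring.
# PINNED_FPR is a placeholder; replace it with the 40-hex-digit fingerprint
# you have checked out of band (the thread's "check Thomas's GPG key" step).
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# check_status reads GnuPG status lines ("[GNUPG:] KEYWORD ...", which
# `git verify-tag --raw` emits on stderr) from stdin. Succeeds only when a
# VALIDSIG line names the pinned fingerprint, as either the signing (sub)key
# or the primary-key field, and no failure keyword appears.
check_status() {
    expected="$1"
    good=0
    bad=0
    while read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                # VALIDSIG fields: fpr date ts expire ver reserved pkalgo
                # hashalgo class [primary-key-fpr]
                set -- $rest
                if [ "$1" = "$expected" ] || [ "${10:-}" = "$expected" ]; then
                    good=1
                fi
                ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                bad=1
                ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$bad" -eq 0 ]
}

# verify_tag runs git's own check and feeds the raw status to check_status.
# Run inside the cloned repository, e.g. verify_tag v3.0.2.
verify_tag() {
    git verify-tag --raw "$1" 2>&1 >/dev/null | check_status "$PINNED_FPR"
}

# Usage as a script: sh verify_tag.sh v3.0.2 (after git clone and cd).
if [ $# -gt 0 ]; then
    if verify_tag "$1"; then
        echo "tag $1 is signed by the pinned key; safe to git checkout $1"
    else
        echo "tag $1 NOT verified against the pinned key" >&2
        exit 1
    fi
fi
```

Only after `verify_tag` succeeds should you run `git checkout` on that tag; a signature from an unexpected key is rejected even though `git verify-tag` on its own would have reported it as good.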
I uploaded my public key to github today, so it shows verified