Yes. The "asc" is the (detached) signature.

The hardest part is verifying the public key but most people just skip that lol

Natalia

Imported the key, also there are other devs are listed on the site.

Good, I think using Github as the source of trust is okay. But remember: the more sources that say that this is indeed the correct key, the better!

one thing really strange is that when I tried this again, it says

Mhh, and you are sure you didn't (remove) the file? Did you run 

If the software you downloaded was signed, then you don't need separate hashes. The signature contains the hash to verify integrity. I can tell from your comment that this is the case for Electrum since the signature is named 

Sparrow Wallet was just a special case where not the software was signed but the hashes. Then you need to run another command (

sha256sum --check <hashfile> --ignore-missing

I mentioned that I don't know why Craig did it like this, I only had an educated guess:

So what we just did was to basically verify the authenticity and integrity of the file that contained the hashes for all binaries with 

. When the hashes could be trusted, we could use them to make sure that the software was not tampered with. But why not simply provide a digital signature for the binary itself?

I actually don't know. But my educated guess is that it's related to convenience. Instead of providing a signature for every binary, the hashes are signed. Using 

 then simply ignores all files that don't exist. So I am basically guessing that there is no way to do something similar with digital signatures. Maybe someone knows more?

crypto

The Curious Case of Digital Signatures

> 1. found the public key from https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc
>
> Imported the key, also there are other devs are listed on the site.

Good, I think using Github as the source of trust is okay. But remember: the more sources that say that this is indeed the correct key, the better!

> one thing really strange is that when I tried this again, it says
>
> ```
> gpg: can't open 'electrum-4.5.3.dmg.asc': No such file or directory
> 
> gpg: verify signatures failed: No such file or directory
> ```

Mhh, and you are sure you didn't (remove) the file? Did you run `gpg --verify` in the correct folder?

> 3. I can't find the SHA256 to continue 😳

If the software you downloaded was signed, then you don't need separate hashes. The signature contains the hash to verify integrity. I can tell from your comment that this is the case for Electrum since the signature is named `electrum-4.5.3.dmg.asc` and the software is in `electrum-4.5.3.dmg`.

Sparrow Wallet was just a special case where not the software was signed but the hashes. Then you need to run another command (`sha256sum --check <hashfile> --ignore-missing`) to verify the software.

I mentioned that I don't know why Craig did it like this, I only had an educated guess:

> **Conclusion**
>
> So what we just did was to basically verify the authenticity and integrity of the file that contained the hashes for all binaries with `gpg --verify`. When the hashes could be trusted, we could use them to make sure that the software was not tampered with. But why not simply provide a digital signature for the binary itself?
>
> I actually don't know. But my educated guess is that it's related to convenience. Instead of providing a signature for every binary, the hashes are signed. Using `sha256sum --check` with `--ignore-missing` then simply ignores all files that don't exist. So I am basically guessing that there is no way to do something similar with digital signatures. Maybe someone knows more?