Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Electrum verifies signatures offline (https://github.com/spesmilo/electrum/blob/5ae2f30fa52ebcec37...). So the `fake server` theory is wrong.


OP here. After discussing this with a few people I updated the post to lay out some other possibilities.

It is true that Electrum verifies locally, and in this case it was simply used as a replacement for running openssl or an alternative.

You still need to verify the address and key, tho - and it isn't stated what the process was in this case.


Whence does it get the public key with which it verifies the signature? How is the public key verified?


That piece of code likely gathers all the key recovery candidates it can from the signature, hashes and tests each one against the hash in the address to find the correct key. Then it performs the verification. Obviously the verification would fail if none of the keys hash to the hash contained in the address.


I don't know how the public key has been obtained, but it's present in many places in the Internet (blockchain.info, blockr.io, etc..).




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: