Bitcoin Forum

Bitcoin => Armory => Topic started by: darkice on March 04, 2016, 09:38:34 AM



Title: Bad signature for *.deb files in bitcoinarmory.com
Post by: darkice on March 04, 2016, 09:38:34 AM
I was unable to verify .deb files from bitcoinarmory.com

Processing armory_0.93.3_ubuntu-64bit.deb...
BADSIG _gpgbuilder


How can we securely download and verify the latest version?

Thank you.


Title: Re: Bad signature for *.deb files in bitcoinarmory.com
Post by: unamis76 on March 04, 2016, 11:28:57 AM
Armory is changing hands. We are not sure who is running bitcoinarmory.com anymore. goatpig is now the sole developer, you can download Armory here (https://github.com/goatpig/BitcoinArmory/releases/)


Title: Re: Bad signature for *.deb files in bitcoinarmory.com
Post by: achow101 on March 04, 2016, 11:31:38 AM
Did you follow the verification instructions at http://www.bitcoinarmory.com/download/? Make sure you have imported Alan's signing key.


Title: Re: Bad signature for *.deb files in bitcoinarmory.com
Post by: darkice on March 04, 2016, 04:22:32 PM
Got it thank you;

Also cross checked with the github 9.3.3 repo and ended up compiling from source.

I sign offline but I am still paranoid about it.


Title: Re: Bad signature for *.deb files in bitcoinarmory.com
Post by: goatpig on March 04, 2016, 04:35:05 PM
Armory has never had a signed .deb afaik. Our signing process has always been to create the packages, get the sha256 hash, and offline sign those. Think about it, it's a pain to set up a purely offline machine that can build the entire package, let alone do this for all supported OS. It's simpler to offline sign the package hash.


Title: Re: Bad signature for *.deb files in bitcoinarmory.com
Post by: micalith on May 20, 2016, 03:46:31 PM
What if you're not comfortable compiling from source yourself?

I downloaded the latest version as suggested by knightdk, and when I run the verify:

$ dpkg-sig --verify *.deb


it outputs the following:

Processing armory_0.94.0_amd64.deb...


I'm probably too much of a noob to figure out how all this isn't disconcerting


Title: Re: Bad signature for *.deb files in bitcoinarmory.com
Post by: goatpig on May 20, 2016, 04:27:13 PM
Armory uses the same package verification process as Bitcoin Core:

1) Check the sig on sha256sum file vs my public key (https://github.com/goatpig/BitcoinArmory/releases/download/v0.94.1/sha256sum.asc.txt)

2) Hash the package you want to check, verify the hash and file name match what's in the signed sha256sum file
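
The two steps above as a script (an added example, not part of the thread and not Armory's own tooling). It assumes the signed file is a clearsigned list in sha256sum's `<hash>  <file name>` format and that the signer's public key is already imported into the local gpg keyring; the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example, not Armory's own tooling. Assumes a clearsigned hash list in
# sha256sum's "<hash>  <file name>" format and a signer key already imported.

# Step 1: check the signature and write only the signed text to <out-file>.
# Lines outside the signed block are not covered by the signature, so hashes
# are read from gpg's output and never from the downloaded file directly.
verified_hashes() {   # usage: verified_hashes <signed-file> <out-file>
    # gpg accepts a good signature from ANY key in the keyring: compare the
    # fingerprint it prints with the key you imported on purpose.
    gpg --batch --yes --output "$2" --decrypt "$1" || { rm -f "$2"; return 1; }
}

# Step 2: hash the package and require one exact file-name match in the list.
check_package() {     # usage: check_package <verified-hash-list> <package>
    local list="$1" pkg="$2" name want got
    name=$(basename -- "$pkg")
    want=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }          # "*name" marks binary mode
        f == n { h = tolower($1); c++ }        # exact match, not a substring
        END { if (c != 1) exit 1; print h }' "$list") || {
        echo "NOT LISTED EXACTLY ONCE: $name" >&2; return 2; }
    got=$(sha256sum -- "$pkg" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then
        echo "OK: $name"
    else
        echo "HASH MISMATCH: $name" >&2; return 1
    fi
}

# Run both steps when called as: ./verify.sh <signed-file> <package>
if [ "$#" -eq 2 ]; then
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    verified_hashes "$1" "$tmp" && check_package "$tmp" "$2"
fi
```

Unlike `dpkg-sig --verify`, this does not look for a signature embedded in the .deb, which is why that command reports nothing useful for these packages.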


Title: Re: Bad signature for *.deb files in bitcoinarmory.com
Post by: micalith on May 20, 2016, 05:49:27 PM
1) Check the sig on sha256sum file vs my public key (https://github.com/goatpig/BitcoinArmory/releases/download/v0.94.1/sha256sum.asc.txt)

2) Hash the package you want to check, verify the hash and file name match what's in the signed sha256sum file


Thanks. I'm sorry, but I'm still a bit confused about the procedure.

I've downloaded the sha256sum file as you've instructed, but can't find your public key. Would that be something equivalent to Alan's key ID '98832223'? i.e. would I enter the following? 
Code:
$ gpg --recv-keys --keyserver keyserver.ubuntu.com **your key ID**
$ dpkg-sig --verify armory_0.94.1_amd64.deb


Title: Re: Bad signature for *.deb files in bitcoinarmory.com
Post by: goatpig on May 20, 2016, 06:13:19 PM
https://github.com/goatpig/BitcoinArmory/tree/master/PublicKeys

You can find my key here.