Title: verifying file signatures
Post by: QuantumFoam on April 20, 2013, 09:15:12 PM

I am a newbie with verifying signatures, but am trying to follow the instructions on your download page. I'd like to verify the windows files and the linux ones for my offline machine.

I attempted verification with the windows files on a linux machine via the following steps:
1) gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223
2) sudo apt-get install dpkg-sig
3) gpg --verify armory_0.88.1-beta_sha256sum.txt.asc armory_0.88.1-beta_win32.msi

This does not appear to work. I get "gpg: not a detached signature".

For the linux files, I did steps 1 and 2 as above, and with step 3:
dpkg-sig --verify *.deb
in the folder the offline files uncompressed into. It checked all the debs but only reported
Processing armory_0.88-beta_amd64.deb...
GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1366309670
for that .deb. The rest of the debs it just said Processing but never had a GOODSIG line. Is this expected behavior?

Title: Re: verifying file signatures
Post by: etotheipi on April 20, 2013, 09:23:04 PM

> I am a newbie with verifying signatures, but am trying to follow the instructions on your download page. I'd like to verify the windows files and the linux ones for my offline machine.
>
> I attempted verification with the windows files on a linux machine via the following steps:
> 1) gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223
> 2) sudo apt-get install dpkg-sig
> 3) gpg --verify armory_0.88.1-beta_sha256sum.txt.asc armory_0.88.1-beta_win32.msi
>
> This does not appear to work. I get "gpg: not a detached signature".
>
> For the linux files, I did steps 1 and 2 as above, and with step 3:
> dpkg-sig --verify *.deb
> in the folder the offline files uncompressed into. It checked all the debs but only reported
> Processing armory_0.88-beta_amd64.deb...
> GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1366309670
> for that .deb. The rest of the debs it just said Processing but never had a GOODSIG line. Is this expected behavior?

Okay, I guess I need to update those instructions. "Detached signatures" would look like this:
armory_win32.msi
armory_win32.msi.sig
Then your command line would work, because the .sig file explicitly contains the signature of only the .msi file. But I didn't make a detached signature.
I simply hashed all the installers, listed them in the .asc file, and signed that file. Here's what the file looks like:
Code:
-----BEGIN PGP SIGNED MESSAGE-----

So, there are two steps to verification:
(1) Execute "sha256sum armory_0.88.1-beta_win32.msi" from the command line. Compare it to the contents of the .asc file, make sure it matches.
(2) Verify the signature of the .asc file: "gpg -v armory_0.88.1-beta_sha256sum.txt.asc"

Note: for your question about the debian package, I highlighted the important part of your post. You successfully verified the .deb signature. This is useful for just downloading the .deb and verifying it before you install it. But in the case of the offline bundle, I don't sign all the packages because I only created one of them. Instead, you should follow the procedure I just explained for the .msi files, but for the appropriate tar.gz file.

Title: Re: verifying file signatures
Post by: QuantumFoam on April 20, 2013, 09:35:16 PM

Understood, thanks for the fast reply!

I was able to verify the msi file now. The signature asc file checked out good, but warned about it not being certified with a trusted signature. Not sure if I missed a step somewhere in that process. If not, it looks like everything is good to go. Thanks for the information.

Title: Re: verifying file signatures
Post by: etotheipi on April 20, 2013, 09:39:07 PM

> Understood, thanks for the fast reply!
>
> I was able to verify the msi file now. The signature asc file checked out good, but warned about it not being certified with a trusted signature. Not sure if I missed a step somewhere in that process. If not, it looks like everything is good to go. Thanks for the information.

Yeah, that's GPG being pedantic. It doesn't truly trust a signature unless the GPG key has been explicitly set as "Fully Trusted", or it is signed by another GPG key that is "Fully Trusted". It's trying to encourage the whole Web-of-Trust thing, where everyone signs everyone else's keys to help prevent man-in-the-middle attacks. But the web-of-trust thing never hit critical mass. Though in small communities like ours, maybe the major developers should make some effort to do this...

Title: Re: verifying file signatures
Post by: etotheipi on April 21, 2013, 02:42:53 PM

By the way, there is a problem with downloads. I had accidentally mixed the architectures. I reuploaded them last night. If you had problems, try downloading again. It should be correct now.
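An added example, not code from the thread or from the Armory project, that scripts the two steps etotheipi describes: read the sha256 lines out of the clearsigned .asc and compare them with the installers, then have gpg verify the .asc while pinning the fingerprint dpkg-sig printed above, which sidesteps the "not certified with a trusted signature" warning without touching the web of trust. The installer bytes and the .asc text are constructed stand-ins; the fingerprint and file names are the ones in the thread.

```python
import hashlib
import re
import subprocess

# Fingerprint as printed by dpkg-sig in the thread. Pinning it replaces
# the web-of-trust check gpg complains about with an explicit expectation.
ARMORY_FPR = "821F122936BDD565366AC36A4AB16AEA98832223"

def gpg_verify(asc_path, expected_fpr=ARMORY_FPR):
    """Step 2: run gpg with machine-readable status output and require a
    VALIDSIG line whose fingerprint is the pinned one. The human-readable
    'not certified' warning is irrelevant once the key is pinned."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", asc_path],
                          capture_output=True, text=True)
    m = re.search(r"^\[GNUPG:\] VALIDSIG ([0-9A-Fa-f]+)", proc.stdout, re.M)
    return m is not None and m.group(1).upper() == expected_fpr

def parse_clearsigned_sums(asc_text):
    """Extract '<sha256>  <filename>' entries from a clearsigned message:
    everything between the armor header (Hash: line) and the signature."""
    body = asc_text.split("-----BEGIN PGP SIGNATURE-----")[0]
    parts = body.split("\n\n", 1)
    body = parts[1] if len(parts) == 2 else parts[0]
    sums = {}
    for line in body.splitlines():
        if line.startswith("- "):        # undo clearsign dash-escaping
            line = line[2:]
        fields = line.split()
        if len(fields) == 2 and re.fullmatch(r"[0-9a-fA-F]{64}", fields[0]):
            sums[fields[1].lstrip("*")] = fields[0].lower()
    return sums

def check_hashes(asc_text, files):
    """Step 1 for a batch: files maps name -> bytes. True means the hash
    matches the signed list, False means mismatch, None means not listed."""
    sums = parse_clearsigned_sums(asc_text)
    result = {}
    for name, data in files.items():
        if name not in sums:
            result[name] = None
        else:
            result[name] = hashlib.sha256(data).hexdigest() == sums[name]
    return result

# Constructed sample release: fake installer bytes plus the clearsigned
# listing that would describe them (placeholder signature block, so only
# check_hashes, not gpg_verify, is meaningful against it).
SAMPLE_FILES = {"armory_0.88.1-beta_win32.msi": b"constructed msi contents",
                "armory_0.88.1-beta_amd64.deb": b"constructed deb contents"}
SAMPLE_ASC = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
              + "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n"
                        for n, d in SAMPLE_FILES.items())
              + "-----BEGIN PGP SIGNATURE-----\n<placeholder>\n-----END PGP SIGNATURE-----\n")
```

Against a real download, run check_hashes on the bytes of each installer and gpg_verify on the .asc path; both must succeed before installing.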