Title: Windows signature checking with cygwin Post by: TierNolan on December 19, 2013, 04:18:42 PM I was trying to check the windows signature with Cygwin and gpg.
Is this a reasonable process? "WARNING: This key is not certified with a trusted signature!" means I have to add trust roots or something? Http download of the .asc file is presumably ok, since that signature is checked anyway. ----------------------------------------------------------------------------------------------- gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223 gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/documentation/faqs.html for more information gpg: requesting key 98832223 from hkp server keyserver.ubuntu.com gpg: /cygdrive/e/java_progs/eclipse_git/.gnupg/trustdb.gpg: trustdb created gpg: key 98832223: public key "Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) wget http://s3.amazonaws.com/bitcoinarmory-releases/armory_0.90-beta_sha256sum.txt.asc file downloads - since I am checking sigs anyway, I assume http is fine? gpg --verify armory_0.90-beta_sha256sum.txt.asc gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/documentation/faqs.html for more information gpg: Signature made Tue, Nov 26, 2013 6:29:59 PM GMT using RSA key ID 98832223 gpg: Good signature from "Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>" gpg: aka "Alan C. Reiner (Armory Signing Key) <etotheipi@gmail.com>" gpg: aka "Alan C. Reiner (Armory Signing Key) <alan.reiner@gmail.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 821F 1229 36BD D565 366A C36A 4AB1 6AEA 9883 2223 sha256sum -c armory_0.90-beta_sha256sum.txt.asc | grep armory_0.90-beta_winAll.exe sha256sum: armory_0.90-beta_10.04_amd64.deb: No such file or directory sha256sum: armory_0.90-beta_10.04_i386.deb: No such file or directory sha256sum: armory_0.90-beta_12.04_amd64.deb: No such file or directory sha256sum: armory_0.90-beta_12.04_i386.deb: No such file or directory sha256sum: armory_0.90-beta_OSX.app.tar.gz: No such file or directory sha256sum: armory_0.90-beta_OfflineBundle_10.04-32bit.tar.gz: No such file or directory sha256sum: armory_0.90-beta_OfflineBundle_10.04-64bit.tar.gz: No such file or directory sha256sum: armory_0.90-beta_OfflineBundle_12.04-32bit.tar.gz: No such file or directory sha256sum: armory_0.90-beta_OfflineBundle_12.04-64bit.tar.gz: No such file or directory sha256sum: WARNING: 21 lines are improperly formatted sha256sum: WARNING: 9 listed files could not be read armory_0.90-beta_winAll.exe: OK Title: Re: Windows signature checking with cygwin Post by: goatpig on December 20, 2013, 08:09:22 PM The file is signed with Armory's offline key.
The .asc file carries the signature. As long as you verify this signature was made by Armory's offline key, it doesn't matter where you are pulling it from. Title: Re: Windows signature checking with cygwin Post by: TierNolan on December 21, 2013, 01:05:14 AM The file is signed with Armory's offline key. The .asc file carries the signature. As long as you verify this signature was made by Armory's offline key, it doesn't matter where you are pulling it from. That's what I thought, my main issue was this line "WARNING: This key is not certified with a trusted signature!" Is that just a warning that I have no trust roots or something. They signature is valid, but I haven't set that the public key is authentic? Title: Re: Windows signature checking with cygwin Post by: goatpig on December 21, 2013, 01:10:19 AM It means none of the keys you trust have signed the Armory offline key. If you pull the offline key locally and set its trust level higher, the warning will go off.
|