Bitcoin Forum

Bitcoin => Armory => Topic started by: minerr on January 24, 2014, 05:34:00 PM



Title: Issues with "Verifying Source Code Authenticity"
Post by: minerr on January 24, 2014, 05:34:00 PM
I'm trying to verify the source code from Armory, and am getting errors.  Any help would be appreciated.  Please see the steps below for what I have done to this point.

Steps

Code:
git clone git://github.com/etotheipi/BitcoinArmory.git

Code:
cd BitcoinArmory

Code:
gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223

Output from the above command

Code:
gpg: requesting key 98832223 from hkp server keyserver.ubuntu.com
gpg: key 98832223: "Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>" 6 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:         new signatures: 6

Next Steps

Code:
git tag -v v0.90-beta

Output from the above command

Code:
tagger Armory Technologies, Inc <support@bitcoinarmory.com> 1385490661 -0500

RAM-Reduction, Backup Center & Msg Signing
gpg: Signature made Tue 26 Nov 2013 01:31:01 PM EST using RSA key ID 98832223
gpg: Good signature from "Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>"
gpg:                 aka "Alan C. Reiner (Armory Signing Key) <etotheipi@gmail.com>"
gpg:                 aka "Alan C. Reiner (Armory Signing Key) <alan.reiner@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Obviously, I'm doing something wrong, since there's a warning message above.  Can anyone help me please?

OS
Ubuntu 12.04

Thank you in advance!


Title: Re: Issues with "Verifying Source Code Authenticity"
Post by: goatpig on January 24, 2014, 07:33:31 PM
Quote
gpg: key 98832223: "Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>" 6 new signatures
gpg: no ultimately trusted keys found

gpg: no ultimately trusted keys found

This is the line you care about. You have to up the trust level of Alan's offline key yourself.


Title: Re: Issues with "Verifying Source Code Authenticity"
Post by: minerr on January 24, 2014, 08:20:57 PM
Thank you for the help.  I appreciate it.

When you say, "you need to up the trust level" what exactly does that mean?  Can you point me in the right direction for upping the trust level?

Thanks Again!


Title: Re: Issues with "Verifying Source Code Authenticity"
Post by: goatpig on January 24, 2014, 11:24:12 PM
http://www.gnupg.org/gph/en/manual.html

Check out the "Trust in a key's owner" section


Title: Re: Issues with "Verifying Source Code Authenticity"
Post by: etotheipi on January 25, 2014, 12:01:30 AM
Quote
Thank you for the help.  I appreciate it.
When you say, "you need to up the trust level" what exactly does that mean?  Can you point me in the right direction for upping the trust level?
Thanks Again!

Since GPG has no certificate authorities who check IDs, GPG is especially paranoid about making sure you trust the source of the public keys.  The idea was to have a huge web of trust of people checking each others' IDs, so that you always have a trusted signature on a new key for someone you don't know.  If there are no trusted signatures, then it complains that it doesn't trust it, and it could've been replaced by an attacker's key.  Or rather, before it trusts it, you have to explicitly tell GPG that you trust it and have verified it's the correct key. 

Of course you don't know that for sure, except that it would've been tough for an attacker to replace all instances of the key and fingerprints you are exposed to, and all the downloads/installers that are signed with it.  In general, for most users, getting the key from the keyserver is sufficient.  If you are holding millions of dollars and consider yourself to be a target, you might do more paranoid checks.

So the real answer to your question is:  you actually already did it.  It says:

Quote
gpg: Signature made Tue 26 Nov 2013 01:31:01 PM EST using RSA key ID 98832223
gpg: Good signature from "Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>"
...

It verifies the signature matches the key, it's just complaining that you've done nothing to identify you actually trust that key.  If you want to set the trust explicitly, you can do so from the command line:

Code:
$ gpg --edit-key 98832223
...
gpg> trust
...
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
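
Added example, not part of the original thread or of Armory's own tooling: a check that accepts the tag signature only when GnuPG's machine-readable status names a pinned full fingerprint, independent of the trust database and of the 8-digit key ID. The fingerprints are constructed placeholders (the thread gives only the short ID 98832223), the function names are hypothetical, and the status lines are constructed sample input.

```shell
#!/bin/sh
# Constructed placeholder fingerprints: NOT real keys. Both end in the short
# key ID from the thread to show that a short ID alone does not identify a key.
PINNED_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA98832223"
OTHER_FPR="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB98832223"

# check_tag_status PIN: reads GnuPG status lines on stdin and returns 0 only if
# a VALIDSIG line names PIN as the signing or primary key fingerprint and no
# bad, unverifiable, expired-key or revoked-key signature was reported.
check_tag_status() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Refuse anything that is not a full 40-hex-digit fingerprint.
    [ "${#pin}" -eq 40 ] || return 2
    awk -v pin="$pin" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && (toupper($3) == pin || toupper($NF) == pin) { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# sample_status FPR: constructed status output for a good signature by FPR on
# a key with no assigned trust (the situation in the thread).
sample_status() {
    long_id=$(printf '%s' "$1" | cut -c25-40)
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG $long_id Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>
[GNUPG:] VALIDSIG $1 2013-11-26 1385490661 0 4 0 1 2 00 $1
[GNUPG:] TRUST_UNDEFINED
EOF
}

# Demo on constructed input; against a real checkout you would run:
#   git verify-tag --raw v0.90-beta 2>&1 | check_tag_status "$PINNED_FPR"
for fpr in "$PINNED_FPR" "$OTHER_FPR"; do
    if sample_status "$fpr" | check_tag_status "$PINNED_FPR"; then
        echo "accept: signed by pinned key $fpr"
    else
        echo "reject: signer $fpr is not the pinned key"
    fi
done
```

The pinned value should be a fingerprint obtained from a source other than the keyserver that delivered the key.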


Title: Re: Issues with "Verifying Source Code Authenticity"
Post by: minerr on January 25, 2014, 10:19:26 PM
Thank all of you that cleared this up.  Your replies were all a huge help.


Title: Re: Issues with "Verifying Source Code Authenticity"
Post by: oakpacific on January 27, 2014, 05:00:58 AM
I always feel uneasy about the fact that so much money managed with Armory has to depend on some keyservers working properly and uninfiltrated, wonder if there is a way we can employ blockchain itself for further authentication ::)


Title: Re: Issues with "Verifying Source Code Authenticity"
Post by: goatpig on January 27, 2014, 05:35:43 AM
Quote
I always feel uneasy about the fact that so much money has to depend on MIT's server working properly and uninfiltrated, wonder if there is a way we can employ blockchain itself for further authentication ::)

Sounds like a job for Namecoin!