Title: Issues with "Verifying Source Code Authenticity"
Post by: minerr on January 24, 2014, 05:34:00 PM

I'm trying to verify the source code from Armory, and am getting errors. Any help would be appreciated. Please see the steps below for what I have done to this point.

Steps

Code:
git clone git://github.com/etotheipi/BitcoinArmory.git

Code:
cd BitcoinArmory

Code:
gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223

Output from the above command

Code:
gpg: requesting key 98832223 from hkp server keyserver.ubuntu.com

Next Steps

Code:
git tag -v v0.90-beta

Output from the above command

Code:
tagger Armory Technologies, Inc <support@bitcoinarmory.com> 1385490661 -0500

Obviously, I'm doing something wrong, since there's a warning message above. Can anyone help me please?

OS Ubuntu 12.04

Thank you in advance!

Title: Re: Issues with "Verifying Source Code Authenticity"
Post by: goatpig on January 24, 2014, 07:33:31 PM

Quote
gpg: key 98832223: "Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>" 6 new signatures
gpg: no ultimately trusted keys found
gpg: no ultimately trusted keys found

This is the line you care about. You have to up the trust level of Alan's offline key yourself.

Title: Re: Issues with "Verifying Source Code Authenticity"
Post by: minerr on January 24, 2014, 08:20:57 PM

Thank you for the help. I appreciate it.
When you say, "you need to up the trust level" what exactly does that mean? Can you point me in the right direction for upping the trust level?

Thanks Again!

Title: Re: Issues with "Verifying Source Code Authenticity"
Post by: goatpig on January 24, 2014, 11:24:12 PM

http://www.gnupg.org/gph/en/manual.html
Check out the "Trust in a key's owner" section

Title: Re: Issues with "Verifying Source Code Authenticity"
Post by: etotheipi on January 25, 2014, 12:01:30 AM

Quote
Thank you for the help. I appreciate it. When you say, "you need to up the trust level" what exactly does that mean? Can you point me in the right direction for upping the trust level? Thanks Again!

Since GPG has no certificate authorities who check IDs, GPG is especially paranoid about making sure you trust the source of the public keys. The idea was to have a huge web of trust of people checking each other's IDs, so that you always have a trusted signature on a new key for someone you don't know. If there are no trusted signatures, then it complains that it doesn't trust it, and it could've been replaced by an attacker's key. Or rather, before it trusts it, you have to explicitly tell GPG that you trust it and have verified it's the correct key. Of course you don't know that for sure, except that it would've been tough for an attacker to replace all instances of the key and fingerprints you are exposed to, and all the downloads/installers that are signed with it.

In general, for most users, getting the key from the keyserver is sufficient. If you are holding millions of dollars and consider yourself to be a target, you might do more paranoid checks.

So the real answer to your question is: you actually already did it. It says:

Quote
gpg: Signature made Tue 26 Nov 2013 01:31:01 PM EST using RSA key ID 98832223
gpg: Good signature from "Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>"
...

It verifies the signature matches the key, it's just complaining that you've done nothing to identify you actually trust that key. If you want to set the trust explicitly, you can do so from the command line:

Code:
$ gpg --edit-key 98832223

Title: Re: Issues with "Verifying Source Code Authenticity"
Post by: minerr on January 25, 2014, 10:19:26 PM

Thank all of you that cleared this up.
Your replies were all a huge help.

Title: Re: Issues with "Verifying Source Code Authenticity"
Post by: oakpacific on January 27, 2014, 05:00:58 AM

I always feel uneasy about the fact that so much money managed with Armory has to depend on some keyservers working properly and uninfiltrated, wonder if there is a way we can employ blockchain itself for further authentication ::)

Title: Re: Issues with "Verifying Source Code Authenticity"
Post by: goatpig on January 27, 2014, 05:35:43 AM

Quote
I always feel uneasy about the fact that so much money has to depend on MIT's server working properly and uninfiltrated, wonder if there is a way we can employ blockchain itself for further authentication ::)

Sounds like a job for Namecoin!
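
The distinction etotheipi describes above, a signature that verifies versus a key you have told GPG you trust, can be checked mechanically by reading GnuPG's machine-readable status lines and comparing the signer against a fingerprint you pinned yourself. This is an added example, not code from the thread or from Armory; `PINNED_FPR` is a placeholder and the sample status lines are constructed.

```python
import subprocess

# Constructed placeholder: replace with the full 40-hex fingerprint you checked
# out of band. The thread only gives the short key ID 98832223.
PINNED_FPR = "A" * 40
# GnuPG status keywords that mean the signature must not be relied on.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def parse_status(text):
    """Reduce gpg status lines to (good, fingerprints, ownertrust, failures)."""
    good, fprs, trust, failures = False, set(), None, set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # First field: fingerprint of the signing (sub)key. Last field:
            # primary key fingerprint, when this gpg version reports it.
            fprs |= {a.upper() for a in (args[0], args[-1]) if len(a) == 40}
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):]
        elif keyword in FAILURES:
            failures.add(keyword)
    return good, fprs, trust, failures

def verdict(text, pinned=PINNED_FPR):
    """Accept only a valid signature made by the pinned key."""
    good, fprs, trust, failures = parse_status(text)
    if failures or not good:
        return "REJECT: no valid signature"
    if pinned.upper() not in fprs:
        return "REJECT: valid signature, but not from the pinned key"
    return "ACCEPT: pinned key, gpg ownertrust=%s" % (trust or "unreported")

def verify_tag(tag, repo="."):
    """Run `git verify-tag --raw`, which prints gpg status lines on stderr."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return verdict(proc.stderr)

# Constructed status output: good signature, key never marked as trusted.
SAMPLE = ("[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Signer <signer@example.invalid>\n"
          "[GNUPG:] VALIDSIG %s 2014-01-01 1388534400 0 4 0 1 2 00 %s\n"
          "[GNUPG:] TRUST_UNDEFINED 0 pgp\n") % (PINNED_FPR, PINNED_FPR)
```

`verify_tag("v0.90-beta")` applies the same check to a real checkout, provided the installed Git supports `git verify-tag --raw`.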