Trouble verifying downloaded files (Amory Offline Bundle) in Ubuntu

[W2014]

Hi,

I'm trying to verify the keys for Version 0.90-beta Offline Bundle for Ubuntu/Debian 12.04-32bit.

I've followed these instructions:

To verify in Linux, “cd” to the directory containing the installer (usually Downloads), download and import the Armory signing key from the ubuntu key-server, install the signature verification program, and then use it verify the signatures on the *.deb files:
   
1. $ cd Downloads   # the directory containing the *.deb
2. $ gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223
3. $ sudo apt-get install dpkg-sig
4. $ dpkg-sig --verify *.deb

I assume the above instructions include download of the "signature verification program", correct?

Here's what I get inputs/outputs for each of the steps:

Step 1:

ap@ap-K56:~$ cd Downloads   # the directory containing the *.deb
ap@ap-K56:~/Downloads$

Step 2:

ap@ap-K56:~/Downloads$ gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223
gpg: requesting key 98832223 from hkp server keyserver.ubuntu.com
gpg: key 98832223: "Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Step 3:

ap@ap-K56:~/Downloads$ sudo apt-get install dpkg-sig
[sudo] password for ap:
Reading package lists... Done
Building dependency tree      
Reading state information... Done
dpkg-sig is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 244 not upgraded.

Step 4:

ap@ap-K56:~/Downloads$ dpkg-sig --verify *.deb
E: Cannot find *.deb: no such file

Step 4 again adding "armory":

ap@ap-K56:~/Downloads$ dpkg-sig --verify armory*.deb
E: Cannot find armory*.deb: no such file

The armory offline bundle is saved in 'downloads' in Ubuntu.

Any idea what the problem is? Thanks in advance.

[picobit]

You have to run the last command in the directory where the .deb file is located.  You do not have to repeat the first three steps again.

[W2014]

You have to run the last command in the directory where the .deb file is located.  You do not have to repeat the first three steps again.

I thought that is exactly what I did: ran the command in the download directory where the BitcoinArmory file is located. I also tried moving the Armory File to the Home directory and had the same result. No luck.

Thanks

[etotheipi]

If your terminal is in the same directory as the .deb file, then you will not get that error. 

Are you downloading the correct file?  Does it have .deb extension?  You can verify if the file is in the directory by typing "ls" (that is L, S), and you should see it in the list that is printed.  cd your way into the directory where it is located and run the dpkg-sig command again.  You could try typing the full file name instead of "*.deb" but that really shouldn't make a difference.

[W2014]

I was finally able to verify the file.

I had to take these extra steps not outlined on the website:  

/Downloads cd armory_0.90-beta...OfflineBundle...12.04-32bit

/Downloads/armory_0.90-beta...OfflineBundle...12.04-32bit$ dpkg-sig --verify *.deb

This is the output:

GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1385490545

QUESTION: the last group of numbers is slightly different than the numbers on the Armory webpage:

GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1353699840

Is there any issue? I assume the numbers I got are for a different Offline bundle. Please advise.

Thanks for your help!!

[etotheipi]

I was finally able to verify the file.

I had to take these extra steps not outlined on the website:  

/Downloads cd armory_0.90-beta...OfflineBundle...12.04-32bit

/Downloads/armory_0.90-beta...OfflineBundle...12.04-32bit$ dpkg-sig --verify *.deb

This is the output:

GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1385490545

QUESTION: the last group of numbers is slightly different than the numbers on the Armory webpage:

GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1353699840

Is there any issue? I assume the numbers I got are for a different Offline bundle. Please advise.

Thanks for your help!!

Those last numbers are just a timestamp -- i.e. when the package was signed.  The example on the website is probably for a different package, which was signed at a different time.  It's nothing to be worried about. As long as the last 8-16 characters before it match what you expect, it's good.

The relevance of the timestamp is that one day in the future, I might lose control of that GPG private key.  If that happens, I would revoke the key, which should notify people not to trust anything signed from then forward.  ANything with an earlier timestamp would be safe, because you knew that the key was still secure at that point.

In practice, this is kind of useless without a trusted timestamp server, because the attacker could sign with any timestamp they want.  If you use a timestamp server, you can prove that the signature existed before the given timestamp.

[W2014]

Thanks for the response! 

[picobit]

If you use a timestamp server, you can prove that the signature existed before the given timestamp.

I hear the blockchain is useful for that kind of time stamping.