GPG: Running "dpkg-sig --verify *.deb" does not output "GOODSIG _gpgbuilder"

[brancao]

Hi -

I am trying to upgrade to Armory 93.2 on Ubuntu 12.04 64-bit, on an online machine (ie, not using the Offline Bundle), following the instructions here:

https://bitcoinarmory.com/download/

(I prefer to do this manually via a terminal, rather than using the secure upgrade included in the Armory GUI.)

When doing the GPG verification, I run the following command:

Code:

dpkg-sig --verify *.deb

This produces only the following output:

Code:

> Processing armory_0.93.2_ubuntu-64bit.deb...

- ie, the output does not include the following line, which should have appeared according to the instructions:

Code:

> GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1353699840

Why is this line not appearing? It looks pretty important!

If this line doesn't appear, is there any way of being sure of the integrity of the downloaded *.deb file?

The only reason I am using Armory is because I am paranoid about security, so when this kind of inconsistency happens, it gets me worried.

I will have to delay my plans to start using Armory until a satisfactory explanation is provided of what is going on here.


Transcript:

Here is the full transcript of commands and outputs from my terminal session, running Ubuntu 12.04 (64-bit):

Code:

$ wget -c https://s3.amazonaws.com/bitcoinarmory-releases/armory_0.93.2_ubuntu-64bit.deb
$ wget -c https://s3.amazonaws.com/bitcoinarmory-releases/armory_0.93.2_sha256sum.txt.asc
$ wget -c https://bitcoinarmory.com/Alan-C.-Reiner-Offline-Signing-Key-alan@bitcoinarmory.com-0x98832223-pub.asc

$ ar vx armory_0.93.2_ubuntu-64bit.deb
x - debian-binary
x - control.tar.gz
x - data.tar.xz

$ ls -l
total 10552
-rw-rw-r-- 1 userx userx    9743 Oct 15 15:39 Alan-C.-Reiner-Offline-Signing-Key-alan@bitcoinarmory.com-0x98832223-pub.asc
-rw-rw-r-- 1 userx userx    1676 Jun  7 22:38 armory_0.93.2_sha256sum.txt.asc
-rw-rw-r-- 1 userx userx 5389722 Jun  7 22:36 armory_0.93.2_ubuntu-64bit.deb
-rw-r--r-- 1 userx userx   11042 Oct 15 16:57 control.tar.gz
-rw-r--r-- 1 userx userx 5378488 Oct 15 16:57 data.tar.xz
-rw-r--r-- 1 userx userx       4 Oct 15 16:57 debian-binary

$ gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223
gpg: requesting key 98832223 from hkp server keyserver.ubuntu.com
gpg: key 98832223: "Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

$ sudo apt-get install dpkg-sig
[sudo] password for userx: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
dpkg-sig is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 999 not upgraded.

$ dpkg-sig --verify *.deb
Processing armory_0.93.2_ubuntu-64bit.deb...

$

Note (1):

The following link on stackexchange recommended running the 'ar vx' command, which also occurs in the above transcript.

https://bitcoin.stackexchange.com/questions/35840/verify-offline-bitcoin-bundle-on-ubuntu

In the transcript and file listing shown at the above link (involving an older version of Armory), a file '_gpgbuilder' is extracted.

However, in the current version of Armory, no  file '_gpgbuilder' is extracted.

I wonder if this file '_gpgbuilder' is necessary in order for the command 'dpkg-sig --verify *.deb' to work properly?

Note (2):

The download instructions mention that the offline signing key is "Also available on MIT PGP Public Key Server", at the following link:

http://pgp.mit.edu:11371/pks/lookup?search=bitcoinarmory+offline&op=index

This evidently gets translated from http to https when clicked on - ie, it goes here:

https://pgp.mit.edu:11371/pks/lookup?search=bitcoinarmory+offline&op=index

In my brower (Tor 5.0.3 / Mozilla Firefox), it went to a page saying:

   Secure Connection Failed

   An error occurred during a connection to pgp.mit.edu:11371.
   SSL received a record that exceeded the maximum permissible length.
   (Error code: ssl_error_rx_record_too_long)

   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
   Please contact the website owners to inform them of this problem.

Is this something I should be worried about?

Note (3):

I can't get the tabs to work on the downloads page here:

https://bitcoinarmory.com/download/#tab-pre

https://bitcoinarmory.com/download/#tab-stable

I'm running Tor 5.0.3, and I allowed all scripts on the page.

Note (4):

The wording may be unclear (or the version numbers outdated) in this section:

"Offline bundles for Ubuntu 12.04 have been removed in 0.93.1 due to compatibility issues. Please use the offline bundles posted on the 0.92.3 tab, which is perfectly compatible when paired with an online computer using 0.93.1."

I want to use 0.93.2, so does anything in the above paragraph pertain to me?


Comment:

I assume the issues mentioned above are probably innocuous, perhaps due to instructions on the Armory website not being updated to keep in synch with latest software release, or perhaps due to problems at other websites such as pgp.mit.edu. (If so, is there some other website which can be used as an alternative instead of pgp.mit.edu, or some mirror?)

If I were merely installing some other software where security wasn't paramount, then I would of course ignore these probably minor issues and simply plunge ahead and start using the software.

However, the reason I chose to use Armory is because I want to be absolutely certain about security.

So I will unfortunately not be able to start using Armory if an apparently crucial confirmation message involving GPG fails to appear, or if a website involving GPG can't be displayed due to some problem apparently involving SSL. This is an exercise in security, not in expediency, so when something strange like this happens, it seems like it is imperative to put the installation on hold and report it and await further clarification.

I do understand that the Armory developers probably have much bigger things that they're dealing with - such as the crypto and security involved in the Python and C++ code of the Armory software itself.

But it's important to also make sure the instructions and links on the website are consistent and up-to-date. Otherwise all that great crypto software engineering might go to waste, if users get scared off by these unexpected GPG and SSL messages when trying to verify the integrity of the downloaded files, perhaps due to outdated instructions or bad links on the downloads page.

Thanks for any help!

[1714861639]

1714861639

[1714861639]

1714861639

[1714861639]

1714861639

[1714861639]

1714861639

[goatpig]

I'm not familiar with dpkg-sig so I can't really help you on that front. If you ask me, you already went through a lot of trouble, and considering you are performing this on an online machine, I would suggest that at this point you are better off simply building from source.

This of course does not respond as to why you can't get it to verify the signature. Usually these tools return some sort of message, whether it is BADSIG, GOODSIG, or complaining about the public key missing. This indicates there may be an issue with your setup. Could you try on another installation/machine. Like, boot from a Debian live and try there.

[achow101]

Note (1):

The following link on stackexchange recommended running the 'ar vx' command, which also occurs in the above transcript.

https://bitcoin.stackexchange.com/questions/35840/verify-offline-bitcoin-bundle-on-ubuntu

In the transcript and file listing shown at the above link (involving an older version of Armory), a file '_gpgbuilder' is extracted.

However, in the current version of Armory, no  file '_gpgbuilder' is extracted.

I wonder if this file '_gpgbuilder' is necessary in order for the command 'dpkg-sig --verify *.deb' to work properly?

I think those instructions are wrong now, since it seems like the deb file isn't signed. Instead, download the signed hash file and verify the signature of that file. Then take the sha256sum of the deb file and check that it matches.

Note (2):

The download instructions mention that the offline signing key is "Also available on MIT PGP Public Key Server", at the following link:

http://pgp.mit.edu:11371/pks/lookup?search=bitcoinarmory+offline&op=index

This evidently gets translated from http to https when clicked on - ie, it goes here:

https://pgp.mit.edu:11371/pks/lookup?search=bitcoinarmory+offline&op=index

In my brower (Tor 5.0.3 / Mozilla Firefox), it went to a page saying:

   Secure Connection Failed

   An error occurred during a connection to pgp.mit.edu:11371.
   SSL received a record that exceeded the maximum permissible length.
   (Error code: ssl_error_rx_record_too_long)

   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
   Please contact the website owners to inform them of this problem.

Is this something I should be worried about?

That link has :11371 which is for port 11371, which is for the PGP Key server port for software, not browsing. Remove that and you will be able to access the http page on the keyserver.

Note (3):

I can't get the tabs to work on the downloads page here:

https://bitcoinarmory.com/download/#tab-pre

https://bitcoinarmory.com/download/#tab-stable

I'm running Tor 5.0.3, and I allowed all scripts on the page.

Are you sure? Look very carefully, the only change is from 0.93.2 to 0.92.3 or vice versa.

Note (4):

The wording may be unclear (or the version numbers outdated) in this section:

"Offline bundles for Ubuntu 12.04 have been removed in 0.93.1 due to compatibility issues. Please use the offline bundles posted on the 0.92.3 tab, which is perfectly compatible when paired with an online computer using 0.93.1."

I want to use 0.93.2, so does anything in the above paragraph pertain to me?

No.

[brancao]

Hi GoatPig, I recall seeing your name here a few years back when I previously installed an earlier version of Armory and was testing it out, and I understand you are a dev on the project, thanks for your prompt replies here.

I'm not familiar with dpkg-sig so I can't really help you on that front.

I'm also not familiar with the specifics of dpkg-sig, but it sounds like it's probably a fairly standard debian-based tool for verifying the signatures of *.deb files.

This still leaves the question of why the instructions on the Armory website don't work. I suspect the instructions on the Armory website have gotten out-of-date, with respect to whatever is in the *.deb package for the current release (ie, file '_gpgbuilder' is apparently no longer included in the *.deb ?)

I would suggest that at this point you are better off simply building from source.

OK, I can try that approach, as I've done it for several other open-source software packages.

This indicates there may be an issue with your setup.

I didn't mention, but this is a dedicated Ubuntu 12.04 machine which will only be running Armory Online. The only stuff that's been installed on it is the dependencies for running bitcoin-qt and Armory.

(I also have another machine, identical hardware and OS, which I will be using for Armory Offline.)

Like, boot from a Debian live and try there.

I actually have yet another machine, identical hardware, but running Debian 8.0 (Jessye) which I use for my own development. I suppose I could try running the GPG verification stuff there as well.

Still I'm perplexed why the instructions on the site don't work.

I suspect something got out-of-date due to some change in a recent release. From the information mentioned at the stackexchange link from someone with a similar question involving the Offline Bundle for an earlier Armory release...
https://bitcoin.stackexchange.com/questions/35840/verify-offline-bitcoin-bundle-on-ubuntu

...it looks like the (Armory Online) *.deb file from that earlier release included a file '_gpgbuilder' which could be extracted using 'ar vx' and then the GPG verification would work as described in the instructions currently on the Armory download page.

So I think what's going on is that the Armory release changed at some point (to no longer include the file _gpgbuilder in the *.deb file to be extracted using 'ar vx'), but the Armory website download page still contains outdated instructions for GPG-verification, which used to work on earlier releases, but don't work on 0.93.2.

Thanks for the suggestions (building from source; doing GPG-verification on another OS such as Debian) - I'll try both of those. Since they're so different from the current approach, I expect one of them should work. I'll post results here later.

[brancao]

Hi knightdk, thanks for these suggestions.

I think those instructions are wrong now, since it seems like the deb file isn't signed. Instead, download the signed hash file and verify the signature of that file. Then take the sha256sum of the deb file and check that it matches.

Yeah I guess those instructions are wrong now.

This other method you suggest trying, I think that's actually how I did it a few years ago, when I first downloaded a much earlier version of Armory for testing. I think I recall how to do that.

As I recall, it's a two-step process, right?

(1) Verify the signature at end of *.txt.asc file:

https://s3.amazonaws.com/bitcoinarmory-releases/armory_0.93.2_sha256sum.txt.asc

(2) Run some sha256sum program against the downloaded *.deb file:

https://s3.amazonaws.com/bitcoinarmory-releases/armory_0.93.2_ubuntu-64bit.deb

and verify that the hash produced matches the hash for the deb mentioned in the *.txt.asc file.

That link has :11371 which is for port 11371, which is for the PGP Key server port for software, not browsing. Remove that and you will be able to access the http page on the keyserver.

Thanks, I removed the :11371 from the URL in the browser, and the page displayed correctly.

Perhaps the link on the Armory downloads page:

http://pgp.mit.edu:11371/pks/lookup?search=bitcoinarmory+offline&op=index

should also be modified to:

http://pgp.mit.edu/pks/lookup?search=bitcoinarmory+offline&op=index

so that it would work - to avoid confusing the users.

Are you sure? Look very carefully, the only change is from 0.93.2 to 0.92.3 or vice versa.

Yeah, I double-checked the (very similar-looking) version numbers (0.93.2 vs 0.92.3), plus I also enabled Javascript in my Tor browser for the Armory downloads page - and clicking on the 2nd tab doesn't actually display the stuff for the older version (0.92.3).

I recall that the Armory website had some similar problems a few years ago - some Ajax or JavaScript stuff that wasn't working right.

I suspect that whatever web framework was used to develop the Armory website might have some kinks in it.

Comment

I understand that Armory has this reputation for being only for "advanced" users (and in earlier versions it was a resource hog).

But I've installed and tested Armory and found it straightforward to use.

In other words, the Armory software is very user-friendly, and (in my opinion) suitable for all levels of users, not only advanced users.

But in order for non-advanced users, the GPG-verification instructions on the Armory downloads page should probably be reviewed and updated to correct anything that's out-of-date or potentially confusing, and perhaps make the instructions a bit more user-friendly, to accomodate non-advanced users who might want to use Armory.

So: the software itself is very easy to use - for all levels of users, from beginner to advanced.

But the Armory downloads page has outdated and/or incomplete instructions (on how to GPG-verify the binaries), so this is probably a factor which could discourage non-advanced users.

Cleaning up the instructions for GPG-verification on the Armory downloads webpage would probably be a major help to encourage more users to adopt Armory.

Thanks!

[brancao]

SOLVED

Reproducing the steps here in case any other users might find this helpful:

How to verify the Armory binary on Linux (in this case, Ubuntu):

(1) Do 'cd' to the directory where the deb file was downloaded.

(2) Do:

Code:

$ sha256sum armory_0.93.2_ubuntu-64bit.deb

(substituting the name of the particular deb file which you downloaded).

This should produce something like the following output:

Code:

677b484cbafcaff8a520cd4526beff985ca73eed54b437fa5cfdc123bd2c517a  armory_0.93.2_ubuntu-64bit.deb

(3) Look in the file:

Code:

armory_0.93.2_sha256sum.txt.asc

and make sure that the hash shown in the above file for the file being checked (in this case, armory_0.93.2_ubuntu-64bit.deb) matches the hash produced in the output for step (2).

(4) Also verify the signature of the file:

Code:

armory_0.93.2_sha256sum.txt.asc

by doing:

Code:

$ gpg --verify armory_0.93.2_sha256sum.txt.asc

This should produce the following output:

Code:

gpg: Signature made Sun 07 Jun 2015 10:46:36 PM BRT using RSA key ID 98832223
gpg: Good signature from "Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>"
gpg:                 aka "Alan C. Reiner (Armory Signing Key) <etotheipi@gmail.com>"
gpg:                 aka "Alan C. Reiner (Armory Signing Key) <alan.reiner@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 821F 1229 36BD D565 366A  C36A 4AB1 6AEA 9883 2223

[brancao]

Note:

This same question was asked twice here earlier this year, but today is the first time any suggested work-arounds or solutions were provided:

https://bitcointalk.org/index.php?topic=1117735.0

https://bitcointalk.org/index.php?topic=1117735.0

Comment:

We should bear in mind the following two points:

(1) Security is very important to users of Armory - including GPG-verifying the downloaded files.

(2) The Armory program itself is well-designed and has a friendly user interface, even suitable for non-advanced users.

Therefore, it is important to make sure that the instructions on the Armory download page should not have any errors, inconsistencies, non-working links, or outdated information - which could scare off new, non-advanced, security-conscious users who are interested in installing Armory.

Also, the Armory downloads page should include the actual instructions on how to install a downloaded deb file in Ubuntu, eg:

Code:

sudo dpkg -i armory_0.93.2_ubuntu-64bit.deb

This would help users who how to install Ubuntu but might not know how to install a deb file.

Again, I don't think Armory itself is only for advanced users. It has a simple and easy-to-understand, user-friendly interface.

It would only take about an hour or so to update the Armory website so that it would include up-to-date and complete instructions for installing on various OSes, in order to avoid scaring off new users (who might be willing and able to install Ubuntu - but could get stopped dead in their tracks due to the outdated / incomplete GPG-verification instructions on the Armory website, and the lack of a one-line instruction saying how to install a deb file on Ubuntu).

After all the great work you've done on Armory, it would be pity to alienate potential new users simply due to failure to add a couple of paragraphs to the website.

[Carlton Banks]

It would only take about an hour or so to update the Armory website so that it would include up-to-date and complete instructions for installing on various OSes, in order to avoid scaring off new users (who might be willing and able to install Ubuntu - but could get stopped dead in their tracks due to the outdated / incomplete GPG-verification instructions on the Armory website, and the lack of a one-line instruction saying how to install a deb file on Ubuntu).

After all the great work you've done on Armory, it would be pity to alienate potential new users simply due to failure to add a couple of paragraphs to the website.

Not sure, but it's possible that Armory have organised their Git repo to allow you to make a pull request for your suggested changes yourself. Anyone at ATI?


In addition, I'm not sure if I understand the problem you were having; I used dpkg-sig to verify an Armory package a few months ago for 93.1 or 93.2, and it worked after a little cajoling (although I was using Debian, not Ubuntu). In doing that, I seem to remember also that it is easier to just use gpg -v <armorypackagehashes>.asc than attempting to get dpkg-sig working.

[Honest Tim]

SOLVED

Reproducing the steps here in case any other users might find this helpful:

How to verify the Armory binary on Linux (in this case, Ubuntu):

 

Thanks man, your time spent for future peeps like me is greatly appreciated!!