Bad signature for *.deb files in bitcoinarmory.com

[darkice]

I was unable to verify .deb files from bitcoinarmory.com

Processing armory_0.93.3_ubuntu-64bit.deb...
BADSIG _gpgbuilder


How can we securely download and verify the latest version ?

Thank you.

[unamis76]

Armory is changing hands. We are not sure who is running bitcoinarmory.com anymore. goatpig is now the sole developer, you can download Armory here

[achow101]

Did you follow the verification instructions at http://www.bitcoinarmory.com/download/? Make sure you have imported Alan's signing key.

[darkice]

Got it thank you;

Also cross checked with the github 9.3.3 repo and ended up compiling from source.

I sign offline but I am still paranoid about it.

[goatpig]

Armory has never had a signed .deb afaik. Our signing process has always been to create the packages, get the sha256 hash, and offline sign those. Think about it, it's a pain to setup a purely offline machine that can build the entire package, let alone do this for all supported OS. It's simpler to offline sign the package hash.

[micalith]

What if you're not comfortable compiling from source yourself?

I downloaded the latest version as suggested by knightdk, and when I run the verify:

$ dpkg-sig --verify *.deb


it outputs the folowing:

Processing armory_0.94.0_amd64.deb...


I'm probably too much of a noob to figure out how all this isn't disconcerting

[goatpig]

Armory uses the same package verification process as Bitcoin Core:

1) Check the sig on sha256sum file vs my public key (https://github.com/goatpig/BitcoinArmory/releases/download/v0.94.1/sha256sum.asc.txt)

2) Hash the package you want to check, verify the hash and file name match what's in the signed sha256sum file

[micalith]

1) Check the sig on sha256sum file vs my public key (https://github.com/goatpig/BitcoinArmory/releases/download/v0.94.1/sha256sum.asc.txt)

2) Hash the package you want to check, verify the hash and file name match what's in the signed sha256sum file

Thanks. I'm sorry, but I'm still a bit confused about the procedure.

I've downloaded the sha256sum file as you've instructed, but can't find your public key. Would that be something equivalent to Alan's key ID '98832223'? i.e. would I enter the following? 

Code:

$ gpg --recv-keys --keyserver keyserver.ubuntu.com **your key ID**
$ dpkg-sig --verify armory_0.94.1_amd64.deb

[goatpig]

https://github.com/goatpig/BitcoinArmory/tree/master/PublicKeys

You can find my key here.