verifying file signatures

[QuantumFoam]

I am a newbie with verifying signatures, but am trying to follow the instructions on your download page. I'd like to verify the windows files and the linux ones for my offline machine.

I attempted verification with the windows files on a linux machine via the following steps:

1) gpg --recv-keys --keyserver keyserver.ubuntu.com
2) sudo apt-get install dpkg-sig
3) gpg --verify armory_0.88.1-beta_sha256sum.txt.asc armory_0.88.1-beta_win32.msi

This does not appear to work. I get "gpg: not a detached signature"

For the linux files, I did steps 1 and 2 as above, and with step 3:
dpkg-sig --verify *.deb

In the folder the offline files uncompressed into. It checked all the deb but only reported
Processing armory_0.88-beta_amd64.deb...
GOODSIG _gpgbuilder

For that .deb. The rest of the debs it just said Processing but never had a GOODSIG line. Is this expected behavior?

[etotheipi]

I am a newbie with verifying signatures, but am trying to follow the instructions on your download page. I'd like to verify the windows files and the linux ones for my offline machine.

I attempted verification with the windows files on a linux machine via the following steps:

1) gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223
2) sudo apt-get install dpkg-sig
3) gpg --verify armory_0.88.1-beta_sha256sum.txt.asc armory_0.88.1-beta_win32.msi

This does not appear to work. I get "gpg: not a detached signature"

For the linux files, I did steps 1 and 2 as above, and with step 3:
dpkg-sig --verify *.deb

In the folder the offline files uncompressed into. It checked all the deb but only reported
Processing armory_0.88-beta_amd64.deb...
GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1366309670

For that .deb. The rest of the debs it just said Processing but never had a GOODSIG line. Is this expected behavior?

Okay, I guess need to update those instructions.  "Detached signatures" would look like this:

     armory_win32.msi
     armory_win32.msi.sig


Then your command-line would work, because the .sig file explicitly contains the signature of only the .msi file.

But I didn't make a detached signature.  I simply hashed all the installers, listed them in the .asc file, and signed that file.  Here's what the file looks like:

Code:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

a730df751c753bdd2664d1e0b32a3ff138494900040c742b0ebfced3b516fad6 armory_0.88.1-beta_OSX.dmg
918e9123c372557ac73f563bb3d4d76af4ab218845872d6c49d502b798015826 armory_0.88.1-beta_OfflineBundle_Ubuntu-10.04-32bit.tar.gz
43a6228c495a5f9f92ff594d41b2d954c94b85e5da0333d4f53591d75dccdb43 armory_0.88.1-beta_OfflineBundle_Ubuntu-10.04-64bit.tar.gz
3d7f620c028940540dc48d41a9cf6127f7f42b920664de4a957fc407b3f59abf armory_0.88.1-beta_amd64.deb
670b74ade48b041bd376512f5e2db78075d794495ef347bf0b792156c9a90048 armory_0.88.1-beta_i386.deb
4d14b43ed75194a753dc202d70f9650a92d7b8756c917fe82a7f46ecd3466aa1 armory_0.88.1-beta_win32.msi
26735a99948ac1402242e83f0c18aed4477b132654d1a94d7968caa0e72790df armory_0.88.1-beta_win64.msi
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----

So, there's two steps to verification:
(1) Execute "sha256sum armory_0.88.1-beta_win32.msi" from the command line.  Compare it to the contents of the .asc file, make sure it matches
(2) Verify the signature of the .asc file:  "gpg -v armory_0.88.1-beta_sha256sum.txt.asc"


Note: for your question about the debian package, I highlighted the important part of your post.  You successfully verified the .deb signature.  This is useful for just downloading the .deb and verifying it before you install it.  But in the case of the offline bundle, I don't sign all the packages because I only created one of them.  Instead, you should follow the procedure I just explained for the .msi files, but for the appropriate tar.gz file.

[QuantumFoam]

Understood, thanks for the fast reply!

I was able to verify the msi file now. The signature asc file checked out good, but warned about it not being certified with a trusted signature. Not sure if I missed a step somewhere in that process. If not, it looks like everything is good to go. Thanks for the information.

[etotheipi]

Understood, thanks for the fast reply!

I was able to verify the msi file now. The signature asc file checked out good, but warned about it not being certified with a trusted signature. Not sure if I missed a step somewhere in that process. If not, it looks like everything is good to go. Thanks for the information.

Yeah, that's GPG being pedantic.  It doesn't truly trust a signature unless the GPG key has been explicitly set as "Fully Trusted", or it is signed by another GPG key that is "Fully Trusted."  It's trying to encourage the whole Web-of-Trust thing, where everyone signs everyone else's keys to help prevent man-in-the-middle attacks.  But the web-of-trust thing never hit critical mass.  Though in small community's like ours, maybe the major developers should make some effort to do this...

[etotheipi]

By the way, there is a problem with downloads. I had accidentally mixed the architectures.  I reuploaded them last night.   If you had problems, try downloading again.  It should be correct now.