Topic: Verifying Armory installers in Windows
etotheipi (OP)
Core Armory Developer
November 22, 2013, 09:07:23 PM
Last edit: November 23, 2013, 04:29:42 AM by etotheipi
 #1

Okay, I'd like to beef up the instructions for verifying downloads in Windows.  It will take a bit of work, but it can be done!

I'm going to post my instructions here, and I'd like others to try it and tell me what I got wrong, or what needs to be improved.   After about 20 replies, I expect we'll have something that can reliably check your installer on Windows, even if it requires a bunch of steps and installing some stuff.

Here goes:

  • Download and install GPG for Windows:  Get gpg4win here.  It allows you to check GPG signatures in Windows.
  • Download a sha256sum utility:  For computing the SHA256 hashes of files.  I trust Kanguru for stuff like this.  Someone else please recommend more well-known tools (I can't believe this kind of thing isn't built into Windows anywhere.... is it?)
  • Download our offline-signing GPG key:  http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x4AB16AEA98832223
  • Download installer and hash file: Go to our download page and grab the installer for Windows, and the "GPG-signed SHA256 hashes of all installers" for the same version

At this point you should have the following in your downloads directory:
  • gpg4win installer
  • Our GPG key (0x98832223)
  • sha256sum.exe
  • armory_<version>_win32.exe (or similar .msi)
  • armory_<version>_sha256sum.txt.asc

Run the gpg4win installer, and import the GPG key (I'm not sure how complicated this is...let me know).  After that, do the following:

  • Verify the hash of the installer against the signed hashes:  Open a Windows terminal and "cd" to your downloads directory.  Execute sha256sum.exe armory_0.90-beta_win32.exe (or whatever the installer name is).  Open the .txt.asc file in a text editor and confirm that the output on the terminal matches the line for the same filename.
  • Verify the signature on the signed hashes file:   I don't know if gpg4win gives you good Windows Explorer utils.  I presume you can simply right-click on a file and check its signature.

I'll update this posting when I get feedback, and then once it's stable I'll post it on the website.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
gortonc
November 25, 2013, 11:59:52 PM
 #2

Etotheipi, (or can I just say -1 ;) ) thank you for all you have done in making Armory available to us. I have often wished I had the know-how to contribute to the cause, and finally think I might have a few crumbs to offer.  I believe you can significantly simplify the above process by recommending the "downthemall" add-on for Firefox (https://addons.mozilla.org/en-US/firefox/addon/downthemall/).

Once installed it will both speed the download and verify the SHA256 hash. Simply copy the SHA256 hash to the clipboard, and click the download link. A box opens; select the "downthemall" radio button, and then "save file." A new box opens; select the download directory, and pull down the arrow next to the default SHA1, and choose SHA256, then paste the hash in the box and click start.

The download starts and you get a nice tone and red plus sign when the download is confirmed. No muss no fuss.  :D

This is cross platform and works in Linux as well.

Again, THANK YOU!
pertranex
November 27, 2013, 01:41:28 PM
 #3

I have been using QuickHash on Windows to get the SHA256 hash.

http://sourceforge.net/projects/quickhash/
tjc
December 19, 2013, 07:32:47 PM
 #4

I'm trying to verify the installers on Windows 7.

Verifying the hash works fine with the workflow above.

As for verifying the sig, I get this message in Kleopatra "Could not determine whether this is an S/MIME or OpenGPG signature - maybe it is not a signature at all?"

FWIW, I get the same message using Kleopatra to verify the Litecoin-qt installer. I get a confirmed sig when I verify my own signed documents.

Any insight?

Thanks
GelatinousSlime
December 29, 2013, 02:57:55 PM
 #5

You might want to be a little more detailed on the "import the GPG key" step. After you import the key and see it on your list, you need to right click on it and select "Certify Certificate". That brings up a list of certificates for Alan C. Reiner. On my system there were three of them. I'm not sure if all 3 should be selected or just the one labeled (Offline Signing Key). I opted to select just that one. Then at the bottom of that dialog box is the key fingerprint which you should carefully examine and make sure it matches the expected fingerprint given on the web site. Then select the "I have verified the fingerprint" box and click next. Then it asks if you want to verify it just for yourself or verify for others. Select the box for verify for myself and then accept.

After the key is verified, then you can verify the checksum file by right clicking on it and selecting "Decrypt and verify". However, the dialog that comes up had the "Input file is a detached signature" box checked by default. If I left that alone, it did not work and I'd get a "no signatures found" error. However, deselecting that box before pressing the "Decrypt/Verify" button resulted in a successful verification. It also created a new  file named armory_0.90-beta_sha256sum.txt in the directory beside the .asc file with the SHA256 signatures but not the GPG signature.

I hope that helps a bit.
Lavender
February 09, 2014, 01:40:47 PM
 #6

Is it possible to, using Ubuntu 13.10, verify the windows installer? I'm a Linux n00b, so here's my effort:

Code:
$ dpkg-sig --verify armory_0.90-beta_winAll.exe
E: We can only work on debs and changes files.
etotheipi (OP)
Core Armory Developer
February 12, 2014, 10:51:57 PM
 #7

Is it possible to, using Ubuntu 13.10, verify the windows installer? I'm a Linux n00b, so here's my effort:

Code:
$ dpkg-sig --verify armory_0.90-beta_winAll.exe
E: We can only work on debs and changes files.

Yes, it's easier to do it from linux than anywhere else.

From the windows download page, download the Version 0.90-beta signed hashes of installers (or just click that link).   That file is signed with the same GPG key:
Code:
gpg -v armory_0.90-beta_sha256sum.txt.asc

That verifies the hashes in the file are valid, now you just have to hash the windows installer and make sure it matches:

Code:
sha256sum armory_0.90-beta_winAll.exe

Or on mac:

Code:
shasum -a 256 armory_0.90-beta_winAll.exe

Make sure the output of the above line matches what's in the hash file you just verified.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
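
The Linux steps from the post above combined into one script, as an added example (not part of the thread and not Armory's own tooling). It reads the hashes only from gpg's verified output rather than from the raw .asc, and handles the .asc as a clearsigned file, which matches what post #5 found in Kleopatra. The function names, the `<sha256> <filename>` line layout and the fingerprint argument (to be copied from the Armory website) are assumptions.

```bash
#!/usr/bin/env bash
# Added example; function names and hash-list layout are assumptions.
# Usage: ./verify_armory.sh <hashes.txt.asc> <installer> <full-key-fingerprint>

# SHA256 of a file as lowercase hex (sha256sum on Linux, shasum -a 256 on Mac).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{ print tolower($1) }'
}

# Hash recorded for <filename> in a list of "<sha256> <filename>" lines
# (assumed layout, i.e. what sha256sum itself prints).
lookup_hash() {
    awk -v f="$2" '{ n = $2; sub(/^\*/, "", n)
                     if (n == f) { print tolower($1); exit } }' "$1"
}

# Exit 0 if the installer matches its entry, 1 on mismatch, 2 if no entry.
check_installer() (
    want=$(lookup_hash "$1" "$(basename "$2")")
    [ -n "$want" ] || { echo "no entry for $2 in $1" >&2; exit 2; }
    got=$(sha256_of "$2")
    [ "$got" = "$want" ] || { echo "HASH MISMATCH for $2" >&2; exit 1; }
)

# Verify the clearsigned .asc and write only the signed text to <out>.
# Succeeds only if gpg reports VALIDSIG from the expected fingerprint
# (matched against the signing key or its primary key).
verify_signed_hashes() (
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    status=$(gpg --batch --yes --status-fd 1 --output "$3" \
                 --decrypt "$1" 2>/dev/null) || true
    printf '%s\n' "$status" | awk -v w="$want" '
        $2 == "VALIDSIG" && ($3 == w || $NF == w) { ok = 1 }
        END { exit !ok }' ||
        { rm -f "$3"; echo "no valid signature from $want" >&2; exit 1; }
)

if [ "$#" -eq 3 ]; then
    verified=$(mktemp)
    verify_signed_hashes "$1" "$3" "$verified" &&
        check_installer "$verified" "$2" &&
        echo "OK: $2 matches a hash signed by $3"
fi
```

The signing key must already be imported into the local keyring; the script stops before hashing anything if the signature is missing, bad, or made by a different key.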
Lavender
February 23, 2014, 04:16:35 PM
 #8

Thank you.
pitiflin
May 13, 2014, 10:02:20 PM
 #9

But if I download from your official site, it's already verified right?

I have Windows, I'm in the process of installing a cold wallet, and I don't want to mess, just for this reason...


biolizard89
May 13, 2014, 11:56:02 PM
 #10

But if I download from your official site, it's already verified right?

I have Windows, I'm in the process of installing a cold wallet, and I don't want to mess, just for this reason...

I don't speak for Armory dev team, but if you're dealing with money that you don't want to lose, you should verify it to be safe.  There are various hypothetical attacks that could cause you to get the wrong installer while appearing to be the official website (server compromise, MITM attack, etc.), but these attacks would not be able to fake an offline signature.
5flags
May 14, 2014, 09:31:17 AM
 #11

Why do you take this route rather than using a code signing certificate?

http://5fla.gs - @5flags on Twitter
pitiflin
May 14, 2014, 02:54:18 PM
 #12

But if I download from your official site, it's already verified right?

I have Windows, I'm in the process of installing a cold wallet, and I don't want to mess, just for this reason...

I don't speak for Armory dev team, but if you're dealing with money that you don't want to lose, you should verify it to be safe.  There are various hypothetical attacks that could cause you to get the wrong installer while appearing to be the official website (server compromise, MITM attack, etc.), but these attacks would not be able to fake an offline signature.

And how can I do it? I'm an average computer user, and I find it too difficult to follow the steps, is there a simpler way?


pitiflin
May 14, 2014, 07:17:12 PM
 #13

I'm in Kleopatra now, trying to import the PGP key, but how can I do it?

It's just a .txt with the public pgp.key it doesn't let me import that?

Somebody knows?


pitiflin
May 14, 2014, 07:35:30 PM
 #14

Ok, so far, I've only done this step.

•Verify the hash of the installer against the signed hashes:  Open a windows terminal and "cd" to your downloads directory.  execute sha256sum.exe armory_0.90-beta_win32.exe (or whatever the installer name is).  Open the .txt.asc file in a text editor and confirm that the output on the terminal matches the line for the same filename.

It matches with https://s3.amazonaws.com/bitcoinarmory-releases/armory_0.91.2-rc1_sha256sum.txt.asc

These other 2 steps, I can't do it, I don't know how.

Run the gpg4win installer, and import the GPG key (I'm not sure how complicated this is...let me know).  After that, do the following:

•Verify the signature on the signed hashes file:   I don't know if gpg4win gives you good windows explorer utils.  I presume you can simply right-click on a file and check it's signature..



Is that enough? Does this mean that the installer is verified? Help please...


pitiflin
May 14, 2014, 10:34:10 PM
 #15

Ok, done 8)


omegaflare
May 16, 2014, 08:41:45 AM
 #16

Avoid using Kleopatra - it has a very weak crypto algorithm (old DSA 56 bit) making it easier for law enforcement and/or FBI/NSA to extract your private keys and passphrase. So, yes, it's "backdoor'd" since Kleopatra is a private firm.

AND it doesn't encrypt your subkey. BAD!

Raize
May 16, 2014, 08:57:09 PM
 #17

Avoid using Kleopatra - it has a very weak crypto algorithm (old DSA 56 bit) making it easier for law enforcement and/or FBI/NSA to extract your private keys and passphrase. So, yes, it's "backdoor'd" since Kleopatra is a private firm.

AND it doesn't encrypt your subkey. BAD!

Well okay, I'll be "that guy" and ask what we're supposed to use instead on Windows? I mean, if you avoid DSA and check a few things manually doesn't it still work and provide a GUI interface? I mean, as opposed to trying to do all this from the commandline anyway?
btcguys
August 29, 2014, 07:44:18 PM
Last edit: August 31, 2014, 03:48:26 PM by btcguys
 #18

Virus total scan shows that armory has two viruses. Detection ratio:    2 / 40.
https://www.virustotal.com/en/file/7c112320484c96acc62593fa23dfbbfca54eb941f4d2faa834abb3572f72e51d/analysis/

Also, I am unable to verify signature using this link: https://s3.amazonaws.com/bitcoinarmory-releases/armory_0.92.1_sha256sum.txt.asc

I use following command: gpg --verify --with-fingerprint alan.sig armory_0.92.1_winAll.exe
command returns: gpg: Bad signature from "Alan C. Reiner..."

alan.sig is PGP signature saved from <https://s3.amazonaws.com/bitcoinarmory-releases/armory_0.92.1_sha256sum.txt.asc>
