Windows signature checking with cygwin

[TierNolan]

I was trying to check the windows signature with Cygwin and gpg.

Is this a reasonable process?

"WARNING: This key is not certified with a trusted signature!" means I have to add trust roots or something?

Http download of the .asc file is presumably ok, since that signature is checked anyway.

-----------------------------------------------------------------------------------------------

gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/documentation/faqs.html for more information
gpg: requesting key 98832223 from hkp server keyserver.ubuntu.com
gpg: /cygdrive/e/java_progs/eclipse_git/.gnupg/trustdb.gpg: trustdb created
gpg: key 98832223: public key "Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

wget http://s3.amazonaws.com/bitcoinarmory-releases/armory_0.90-beta_sha256sum.txt.asc

file downloads - since I am checking sigs anyway, I assume http is fine?

gpg --verify armory_0.90-beta_sha256sum.txt.asc

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/documentation/faqs.html for more information
gpg: Signature made Tue, Nov 26, 2013  6:29:59 PM GMT using RSA key ID 98832223
gpg: Good signature from "Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>"
gpg:                 aka "Alan C. Reiner (Armory Signing Key) <etotheipi@gmail.com>"
gpg:                 aka "Alan C. Reiner (Armory Signing Key) <alan.reiner@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 821F 1229 36BD D565 366A  C36A 4AB1 6AEA 9883 2223

sha256sum  -c armory_0.90-beta_sha256sum.txt.asc | grep armory_0.90-beta_winAll.exe

sha256sum: armory_0.90-beta_10.04_amd64.deb: No such file or directory
sha256sum: armory_0.90-beta_10.04_i386.deb: No such file or directory
sha256sum: armory_0.90-beta_12.04_amd64.deb: No such file or directory
sha256sum: armory_0.90-beta_12.04_i386.deb: No such file or directory
sha256sum: armory_0.90-beta_OSX.app.tar.gz: No such file or directory
sha256sum: armory_0.90-beta_OfflineBundle_10.04-32bit.tar.gz: No such file or directory
sha256sum: armory_0.90-beta_OfflineBundle_10.04-64bit.tar.gz: No such file or directory
sha256sum: armory_0.90-beta_OfflineBundle_12.04-32bit.tar.gz: No such file or directory
sha256sum: armory_0.90-beta_OfflineBundle_12.04-64bit.tar.gz: No such file or directory
sha256sum: WARNING: 21 lines are improperly formatted
sha256sum: WARNING: 9 listed files could not be read
armory_0.90-beta_winAll.exe: OK

[goatpig]

The file is signed with Armory's offline key.

The .asc file carries the signature. As long as you verify this signature was made by Armory's offline key, it doesn't matter where you are pulling it from.

[TierNolan]

The file is signed with Armory's offline key.

The .asc file carries the signature. As long as you verify this signature was made by Armory's offline key, it doesn't matter where you are pulling it from.

That's what I thought, my main issue was this line

"WARNING: This key is not certified with a trusted signature!"

Is that just a warning that I have no trust roots or something.  They signature is valid, but I haven't set that the public key is authentic?

[goatpig]

It means none of the keys you trust have signed the Armory offline key. If you pull the offline key locally and set its trust level higher, the warning will go off.