Bitcoin Forum
December 11, 2017, 02:40:43 AM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Trouble verifying downloaded files (Amory Offline Bundle) in Ubuntu  (Read 1053 times)
W2014
Member
**
Offline Offline

Activity: 96



View Profile
February 19, 2014, 04:47:51 AM
 #1

Hi,

I'm trying to verify the keys for Version 0.90-beta Offline Bundle for Ubuntu/Debian 12.04-32bit.

I've followed these instructions:

To verify in Linux, “cd” to the directory containing the installer (usually Downloads), download and import the Armory signing key from the ubuntu key-server, install the signature verification program, and then use it verify the signatures on the *.deb files:
   
1. $ cd Downloads   # the directory containing the *.deb
2. $ gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223
3. $ sudo apt-get install dpkg-sig
4. $ dpkg-sig --verify *.deb


I assume the above instructions include download of the "signature verification program", correct?

Here's what I get inputs/outputs for each of the steps:

Step 1:

ap@ap-K56:~$ cd Downloads   # the directory containing the *.deb
ap@ap-K56:~/Downloads$

Step 2:

ap@ap-K56:~/Downloads$ gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223
gpg: requesting key 98832223 from hkp server keyserver.ubuntu.com
gpg: key 98832223: "Alan C. Reiner (Offline Signing Key) <alan@bitcoinarmory.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Step 3:

ap@ap-K56:~/Downloads$ sudo apt-get install dpkg-sig
[sudo] password for ap:
Reading package lists... Done
Building dependency tree      
Reading state information... Done
dpkg-sig is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 244 not upgraded.

Step 4:

ap@ap-K56:~/Downloads$ dpkg-sig --verify *.deb
E: Cannot find *.deb: no such file

Step 4 again adding "armory":

ap@ap-K56:~/Downloads$ dpkg-sig --verify armory*.deb
E: Cannot find armory*.deb: no such file

The armory offline bundle is saved in 'downloads' in Ubuntu.

Any idea what the problem is? Thanks in advance.
1512960043
Hero Member
*
Offline Offline

Posts: 1512960043

View Profile Personal Message (Offline)

Ignore
1512960043
Reply with quote  #2

1512960043
Report to moderator
1512960043
Hero Member
*
Offline Offline

Posts: 1512960043

View Profile Personal Message (Offline)

Ignore
1512960043
Reply with quote  #2

1512960043
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
picobit
Hero Member
*****
Offline Offline

Activity: 547


Decor in numeris


View Profile
February 19, 2014, 12:03:21 PM
 #2

You have to run the last command in the directory where the .deb file is located.  You do not have to repeat the first three steps again.

W2014
Member
**
Offline Offline

Activity: 96



View Profile
February 20, 2014, 02:30:49 AM
 #3

You have to run the last command in the directory where the .deb file is located.  You do not have to repeat the first three steps again.

I thought that is exactly what I did: ran the command in the download directory where the BitcoinArmory file is located. I also tried moving the Armory File to the Home directory and had the same result. No luck.

Thanks
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
February 20, 2014, 06:35:21 AM
 #4

If your terminal is in the same directory as the .deb file, then you will not get that error. 

Are you downloading the correct file?  Does it have .deb extension?  You can verify if the file is in the directory by typing "ls" (that is L, S), and you should see it in the list that is printed.  cd your way into the directory where it is located and run the dpkg-sig command again.  You could try typing the full file name instead of "*.deb" but that really shouldn't make a difference.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
W2014
Member
**
Offline Offline

Activity: 96



View Profile
March 10, 2014, 08:18:59 AM
 #5

I was finally able to verify the file.

I had to take these extra steps not outlined on the website:  

/Downloads cd armory_0.90-beta...OfflineBundle...12.04-32bit

/Downloads/armory_0.90-beta...OfflineBundle...12.04-32bit$ dpkg-sig --verify *.deb

This is the output:

GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1385490545

QUESTION: the last group of numbers is slightly different than the numbers on the Armory webpage:

GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1353699840

Is there any issue? I assume the numbers I got are for a different Offline bundle. Please advise.

Thanks for your help!!
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
March 10, 2014, 09:32:19 PM
 #6

I was finally able to verify the file.

I had to take these extra steps not outlined on the website:  

/Downloads cd armory_0.90-beta...OfflineBundle...12.04-32bit

/Downloads/armory_0.90-beta...OfflineBundle...12.04-32bit$ dpkg-sig --verify *.deb

This is the output:

GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1385490545

QUESTION: the last group of numbers is slightly different than the numbers on the Armory webpage:

GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1353699840

Is there any issue? I assume the numbers I got are for a different Offline bundle. Please advise.

Thanks for your help!!


Those last numbers are just a timestamp -- i.e. when the package was signed.  The example on the website is probably for a different package, which was signed at a different time.  It's nothing to be worried about. As long as the last 8-16 characters before it match what you expect, it's good.

The relevance of the timestamp is that one day in the future, I might lose control of that GPG private key.  If that happens, I would revoke the key, which should notify people not to trust anything signed from then forward.  ANything with an earlier timestamp would be safe, because you knew that the key was still secure at that point.

In practice, this is kind of useless without a trusted timestamp server, because the attacker could sign with any timestamp they want.  If you use a timestamp server, you can prove that the signature existed before the given timestamp.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
W2014
Member
**
Offline Offline

Activity: 96



View Profile
March 11, 2014, 06:50:48 AM
 #7

Thanks for the response!  Grin
picobit
Hero Member
*****
Offline Offline

Activity: 547


Decor in numeris


View Profile
March 12, 2014, 08:01:34 PM
 #8

If you use a timestamp server, you can prove that the signature existed before the given timestamp.
I hear the blockchain is useful for that kind of time stamping.   Grin
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!