PPA vs. DEB install. Which is better for Armory & Bitcoin Core?

[Carlton Banks]

You just need to make sure that the source of your information is correct. This means if you download an .asc file, make sure you download it from the correct site.
And if you import it from a keyserver, makesure the ID you are using is coming from the correct source/website.

this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this

[1715095618]

1715095618

[hieveryone123]

Question: How do this gpg import process work? (gpg --import key.asc vs the above referenced ubuntu server way?) Where does this information get downloaded from in bother manners? My biggest focus is security - would it be best to do "gpg --import WladimirvanderLaankey.acs? (if so, where do i find the correct spelling?)

The first way (gpg --import key.asc) imports an already downloaded key (which is on your hard drive now) into the pgp database.
The second command (gpg --recv-keys XXXXX) pulls the key with  the ID XXXXX from the keyserver you have specified with --keyserver or from the default one of your distro.

It doesn't really matter which way you choose, both have its pros and cons.
You just need to make sure that the source of your information is correct. This means if you download an .asc file, make sure you download it from the correct site.
And if you import it from a keyserver, makesure the ID you are using is coming from the correct source/website.

oh, ok - thank you for clarifying.  Just to confirm, I found 2 signing keys in goatpig's PublicKey section on github (goatpig-signing-key.asc and laanwj-releases.asc).  I know goatpigs is what I need for armory, but is that the correct key for Wladimir van der Laan for bitcoin core?  (I couldn't find it on laanwj's github).

Thanks so much, gpg is bit confusing - really appreciate this support.

[bob123]

You can find keys from multiple persons here: https://bitcointalk.org/verify_pubkeys.txt

This page contains keys from Maxwell, theymos, achow101 and more..

It also contains Wladimir J van der Laan's signing key:

Code:

# Wladimir's signing key 0x01EA5486DE18A882D4C2684590C8019E36C2E964
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFWKlBcBEACgZJd/6LrSgNSVxiyq5N9h0E7zgSHG/ahuWAnWeFtxaxHeukH+
Q2Zq6F8FLbq40PphyroRylMBpzPBcyxjee7mDj1DpJ9ayv6GGPTyQzOImhChEV8p
bA42dvXnB5ju0rPh2GxctbiZZD1kiPH4jlmDIgomvupAj9OFntA5jfkuSFBekZrw
QyZowz/paMBIe24YH2LyaZjC2DqLy8Znh78OfAZxZsWSdZxK5LsbkCE9l8Li3gQa
rxm4aEMBHhvns+s8Ufa47sdJAYAfVnAWb5Dfe4oVFh70PvB8GSGFS9qeib0eEQBD
71c9MN+REDTSOYO2VnUSFbu7IrKsPsClqwfT9KzI/uz5fpHSKdCp5AO7oDZiU36s
LsSOBbukTmFQfVrAniFEZxHLCBufXCsAwp07xtUH9ytbW0Y/eHYlZojoWJJPT//1
cQ/A2Ix/nxbSkSPq8wpCUhBxvTQoU9BXeQIbSy0yUmj5nS+3DR7IK2Q7ACyVClr7
LVQOGxgZhHr9Kq87RDqc1wlvbCxb+KTJQhJySpOVoiaME6jLBzgE7G+5N6IXTK5u
OriOsQwcLdeBu7TPgft79uBYnmYeaNVdovlBB//7H7UvY0kAxAg4NPgK6eYRdzn+
8ZtbntNXi/23RJvzeZJVBqQ7bYt4fjmHmRYrbM4jWKJEoJOE6wzpmELUowARAQAB
tFVXbGFkaW1pciBKLiB2YW4gZGVyIExhYW4gKEJpdGNvaW4gQ29yZSBiaW5hcnkg
cmVsZWFzZSBzaWduaW5nIGtleSkgPGxhYW53akBnbWFpbC5jb20+iQI+BBMBAgAo
AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCWKLo+AUJBtq73QAKCRCQyAGe
NsLpZI/uD/sGG/o6nSNFvgnvC9o9k4SK/JHXyupo1VFpVUMCHNb3i6x0a+Dymrua
VsMVCzy85lAaoALQIq3X/3Tjqr8HbE5wzQQ/4XFAZZOwy6ncibgaVX4h3eMdMXm+
kSU1CLP72QRJEPxU89RPMbkxH+VArP/RyP35hec/qX51Ywm8dX5BjB/6Wj03X2sw
wEw9QvGLPmGzXaJrzL8LlHx04Fk1wZ0NorKlffxNSB/NP8NTKEFp0h9e1xvR8Q5q
OxM2ZARLwPK+xxk4povyKRWqxuesh5p1LSDvh+S9Cie3+GD57ZA1dQSjyCaPQZUi
0yZlctyekgK3qEdQKGMva1/AD1trhQbp4mdnNsOjgo+YzJLxPif41nSqelkzDRwH
JYYtIYnDAbO27d97ios+E3H/NXmn5GeCcx2RuBA4V0RTvJHpRlXFJdvV5HShXvTE
UduOr8fCwc7Bi58dWy/YHAjjPsEpSJQEeKo0hgaRrj3pfvLJG9w4AvI/AqeOdxYW
1xhCi+MoIrfMHIYZ3NY65Kz6r2rLLtuR9oy5qOGawDcb3sfAmf3xh6N5RSakDRhF
/9aJtxH6OiyicLUBTt50wgNWYx/3jMjLpPt7EWQgT23qQvNI3s8W702JWPHrPOi7
t8cqGZIhcokW3DPhs4RRW6FLnbp48PhtVRtPAwNwzKKLoEvaQu8fZA==
=2Kph
-----END PGP PUBLIC KEY BLOCK-----

The best would be to confirm this information by looking at other independent sources.
If you trust bitcointalk.org (and its moderators!), you are fine to use it. The best would be still to verify it using other sources.

[Carlton Banks]

Wladimir J van der Laan's signing key:

[snip]

The best would be to confirm this information by looking at other independent sources.
If you trust bitcointalk.org (and its moderators!), you are fine to use it. The best would be still to verify it using other sources.

I think it would be a good idea to start making t-shirts with all sorts of useful GPG keys printed on them... although that comes with it's own problems if any keys on the t-shirt are compromised!!!


but something along those lines could be useful, it's a little more concerning that someone's key that we all rely doesn't get stolen, but gets spoofed somehow instead, and that gets used to perform some kind of theft or attack

gpg is bit confusing

everything about gpg is not going to "click" inside your head the first few times you use it. But once you've used it a hundred times, it makes increasingly more sense.

then, you've got an incredibly powerful tool in your hands, just like you have with Bitcoin

[hieveryone123]

I'm stuck on how to simply download these .asc files.  If I go to https://github.com/goatpig/BitcoinArmory/tree/master/PublicKeys - how do I download these files so that I can import them?  Do I need to create .txt file with this information, and then "gpg --import goatpigs-key.asc.txt"?

[PhoenixFire]

I'm stuck on how to simply download these .asc files.  If I go to https://github.com/goatpig/BitcoinArmory/tree/master/PublicKeys - how do I download these files so that I can import them?  Do I need to create .txt file with this information, and then "gpg --import goatpigs-key.asc.txt"?

Navigate to the github page that has each GPG key i.e. they start with:

Code:

 -----BEGIN PGP PUBLIC KEY BLOCK-----

Then click the "Raw" button on the right hand side. Once the page has loaded, Ctrl + S or File > Save as and save the file. Then import as above, but the filenames should be just "goatpig-signing-key.asc" and "laanwj-releases.asc" unless your browser does something strange or you rename them.

[hieveryone123]

Successfully imported and verified - wow, this is amazing. 

Thanks so much bob123, Carlton Banks, and PhoenixFire - much appreciated!!

[Carlton Banks]

Successfully imported and verified - wow, this is amazing.  

you could write a little script that does this, it would be a good way to learn that stuff. Once you've updated the online machine's Bitcoin-qt 5+ times, the novelty of how cool gpg and sha256sum are will have worn off, you can return to simplicity with the comfort/satisfaction that you know alot about what's going on when your software is being checked for authenticity. And you also get to debug the script when one of your assumptions turns out to be bad, hurrah!!

none if this ever mattered to me back in the Windows days, I figured that either software worked or it didn't! But once I was in solely in charge of keeping my own money safe, my attitude quickly changed

[goatpig]

But once I was in solely in charge of keeping my own money safe, my attitude quickly changed

Then he went full Kubernets. Never go full Kubernets!

[Carlton Banks]

But once I was in solely in charge of keeping my own money safe, my attitude quickly changed

Then he went full Kubernets. Never go full Kubernets!

I still run "bare metal" debian on a raspi 3 (bare plastic? bare play-do!)

The rest of the time, I have 5 copies of Qubes nested inside each other, for a grand total of 35 net proxies!!!! (you only need 10TB of RAM for this, I strongly encourage it )