bitpop
Legendary
Offline
Activity: 2912
Merit: 1060
|
|
June 18, 2014, 12:20:27 PM |
|
If you trust certain posts you can skip to the hash of a file
Skip that Damn properties window and use hashtab
Armoryqt.exe
CRC32: 12984228 MD5: 52ff671b60d877ed2d82f04539c9fd88 SHA-1: a543edd804124bc137c5f8e130b0b99713dc75bb SHA-256: 82b7e487121fd3cd61f2103debd269eef74b959089a0fe547c4cb40f5b24b779
|
|
|
|
SimonBelmond
|
|
June 18, 2014, 12:31:26 PM |
|
I have a question which is slightly off topic but I assume someone here will have an answer for this and Google did not give me an answer so far:
I am using Kleopatra for all things PGP. I have tried other Windows PGP tools as well. I want to know how I can publically sign someone’s key on a keyserver without ever taking the key onto an online system. I can sign/encrypt files and text offline and then transfer them away from the offline system. I would also like to be able to sign a key offline and then broadcast the signature from an online system. Does anyone here have experience with that? I do not trust any online system. Seem to be a bit biased by the Armory Security Concept.
Sorry for posting it here. If you know the best place to discuss these things please let me know.
|
|
|
|
bitpop
Legendary
Offline
Activity: 2912
Merit: 1060
|
|
June 18, 2014, 12:41:57 PM |
|
I have a question which is slightly off topic but I assume someone here will have an answer for this and Google did not give me an answer so far:
I am using Kleopatra for all things PGP. I have tried other Windows PGP tools as well. I want to know how I can publically sign someone’s key on a keyserver without ever taking the key onto an online system. I can sign/encrypt files and text offline and then transfer them away from the offline system. I would also like to be able to sign a key offline and then broadcast the signature from an online system. Does anyone here have experience with that? I do not trust any online system. Seem to be a bit biased by the Armory Security Concept.
Sorry for posting it here. If you know the best place to discuss these things please let me know.
Your answer will lie in the gpg command line which is included
|
|
|
|
Corelianer
|
|
June 18, 2014, 12:55:31 PM |
|
If you trust certain posts you can skip to the hash of a file
Skip that Damn properties window and use hashtab
Armoryqt.exe
CRC32: 12984228 MD5: 52ff671b60d877ed2d82f04539c9fd88 SHA-1: a543edd804124bc137c5f8e130b0b99713dc75bb SHA-256: 82b7e487121fd3cd61f2103debd269eef74b959089a0fe547c4cb40f5b24b779
I use the hash-values too, but the values are only published for the installer not for the installed files.
|
|
|
|
bitpop
Legendary
Offline
Activity: 2912
Merit: 1060
|
|
June 18, 2014, 01:19:05 PM |
|
If you trust certain posts you can skip to the hash of a file
Skip that Damn properties window and use hashtab
Armoryqt.exe
CRC32: 12984228 MD5: 52ff671b60d877ed2d82f04539c9fd88 SHA-1: a543edd804124bc137c5f8e130b0b99713dc75bb SHA-256: 82b7e487121fd3cd61f2103debd269eef74b959089a0fe547c4cb40f5b24b779
I use the hash-values too, but the values are only published for the installer not for the installed files. We can get consensus among each other
|
|
|
|
etotheipi (OP)
Legendary
Offline
Activity: 1428
Merit: 1093
Core Armory Developer
|
|
June 18, 2014, 05:04:04 PM |
|
Wow, I missed out on some fun discussions. Let me clarify how this works, and what Armory has done (and failed to do). - You can use openSSL to generate your own SSL certificate (offline if you want), and send just the [effective] public key to the CA for signing. In this way, the private part of your certificate can be protected in exactly the same way as we do GPG.
- The certificate provider/signer will verify your identity before they sign any certificate claiming "Joe's Fish Shop" is the provider of this software.
- A single compromised CA cert could be used to impersonate just about anything. Your system trusts any number of probably 100 certificate roots, and a signature from any one of them pretty much gives the green light, unless you are manually inspecting the certificate chain and know that certain certs are lower security and/or compromised. It's the job of the OS and the browsers to track which CAs are still trustworthy and help update your CA lists to make sure that any compromised providers are no longer trusted.
- The MS/authenticode system is not good for verifying specific certificates. Ideally, for high-security apps, the publisher would publish their public cert and everyone would verify that the signatures from that cert, though it's a bit of work to do this. Instead, they just check whether there's any valid certificate chain and shows you "Yes/No" that the signature is valid.
- For this reason, I don't care much for Authenticode-signed certs. They avoid the unsightly "Unknown Publisher" when you go to run the installer, but that can be a false sense of security.
- I stand by the notion that the GPG signatures are the most secure. Our offline GPG fingerprint is everywhere, and it's simple to check via command-line. It's also easy to integrate into our release scripts.
Here's what Armory has done to this point: - I have a Class 2 object code signing certificate, signed by StartCom. Though at this point it might be expired. However, it is in my name ("Alan Reiner")
- Getting a cert associated with the company requires quite a bit of ID verification work, including supplying tax returns. We haven't been keen to do this, though I suspect we will at some point. This would be needed for it to show "Armory Technologies, Inc." on the "Verified Publisher:" line.
- Before version 0.90, Armory used my personally-verified cert. I generated it on an offline windows machine, and integrated an three extra steps into my release process to make sure the windows installers made it to that machine for authenticode signing before going to the offline Linux box for GPG signing. This is quite a pain ... you can't sign afterwords or else the GPG hashes/sigs break.
- There is technically a way to do this in linux, but it didn't work with the type of .exe I was signing. I was left with no choice but to use a dedicated offline Windows box
. - Before version 0.90, I did go through with all this. You should be able to run the 0.88 installers and see my name as the verified publisher
- Since version 0.90, we have been using NSIS to package up our installers. The signing process that I previously used no longer works. I believe it has to do with the chained installer architecture: the outer shell of the installer is signed, but it's only purpose is to unpack the real installer and run it... which is not (easily) signed. This means that if you take the .exe posted on the website (if it were signed this way), you could view its properties in Windows and see the signature is there. But when you run it, you still see "Unknown Publisher."
With all this in mind, I hope you'll forgive me that I wasn't excited about going through a lot of work, to provide what I felt was less security than the GPG sig, and complicates the heck out of my signing&release process. Is it useless? Not exactly. But I'm comfortable with the idea that the user either checks the GPG sig and knows it's good, or they don't and know it's not verified. However, it is possible that the new installer format works with linux authenticode tools, so that it could be easily integrated into the release process. If anyone wants to try that out for us and provide a recipe for doing it, I will take a shot at it. But I'm not anxious to put a lot effort into what is already a complex and inconvenient process (low convenience but high security!).
|
|
|
|
SimonBelmond
|
|
June 18, 2014, 05:47:20 PM |
|
I have a question which is slightly off topic but I assume someone here will have an answer for this and Google did not give me an answer so far:
I am using Kleopatra for all things PGP. I have tried other Windows PGP tools as well. I want to know how I can publically sign someone’s key on a keyserver without ever taking the key onto an online system. I can sign/encrypt files and text offline and then transfer them away from the offline system. I would also like to be able to sign a key offline and then broadcast the signature from an online system. Does anyone here have experience with that? I do not trust any online system. Seem to be a bit biased by the Armory Security Concept.
Sorry for posting it here. If you know the best place to discuss these things please let me know.
Your answer will lie in the gpg command line which is included THX for the hint. I will dig into that.
|
|
|
|
justusranvier
Legendary
Offline
Activity: 1400
Merit: 1013
|
|
June 18, 2014, 05:59:47 PM |
|
Sometimes it feels like you used the "time remaining" algorithm from Windows 95, such as when the database rebuild progress displays 1.5 minutes remaining for 10 minutes.
|
|
|
|
etotheipi (OP)
Legendary
Offline
Activity: 1428
Merit: 1093
Core Armory Developer
|
|
June 18, 2014, 06:03:51 PM |
|
Sometimes it feels like you used the "time remaining" algorithm from Windows 95, such as when the database rebuild progress displays 1.5 minutes remaining for 10 minutes.
One thing I've learned over the course of building Armory is that those time-remaining bars are very difficult to get right. Especially when it comes to things like downloading data that fluctuates in speed rapidly. I have an extensive background in signal processing, yet I still can't get it right. On the other hand ,there is a flaw in my algorithm -- it seems to use CPU-timings instead of wall-timings. Typically this results in the system reporting that it took 2 sec to move 1% of the bar, instead of 3.2 or whatever. This leads to very optimistic estimates. I've been meaning to go in and figure out what is causing that, but I haven't had it on my priority list for a while.
|
|
|
|
justusranvier
Legendary
Offline
Activity: 1400
Merit: 1013
|
|
June 18, 2014, 06:20:45 PM |
|
On the other hand ,there is a flaw in my algorithm -- it seems to use CPU-timings instead of wall-timings. That might explain why the estimates are grossly inaccurate on an IO-bound virtual machine. I just experienced a 31 minute wait to start up, when it had less than 3 days worth of new blocks to process. "Time Remaining" never exceeded 2 minutes.
|
|
|
|
KrakenTrader
Member
Offline
Activity: 102
Merit: 10
|
|
June 19, 2014, 12:12:21 AM |
|
Hi
I upgraded from Armory 0.90 directly to 0.91.2, all went fine ( on a win 8.1 64bit OS ) When I realized that 0.91.2 is the "Armory Testing (unstable) 0.91.2" version I simply installed Armory 0.91.1 over 0.91.2, and it worked.
My question is, will I run into any issues because I installed an older version 0.91.1 over the newer one 0.91.2 ?
Thanks for clarification.
|
|
|
|
bitpop
Legendary
Offline
Activity: 2912
Merit: 1060
|
|
June 19, 2014, 02:02:07 AM |
|
Hi
I upgraded from Armory 0.90 directly to 0.91.2, all went fine ( on a win 8.1 64bit OS ) When I realized that 0.91.2 is the "Armory Testing (unstable) 0.91.2" version I simply installed Armory 0.91.1 over 0.91.2, and it worked.
My question is, will I run into any issues because I installed an older version 0.91.1 over the newer one 0.91.2 ?
Thanks for clarification.
No unless wallet has a new version and you created a new one You should use 912 tho it's not unstable as it says
|
|
|
|
etotheipi (OP)
Legendary
Offline
Activity: 1428
Merit: 1093
Core Armory Developer
|
|
June 19, 2014, 02:25:26 AM |
|
Hi
I upgraded from Armory 0.90 directly to 0.91.2, all went fine ( on a win 8.1 64bit OS ) When I realized that 0.91.2 is the "Armory Testing (unstable) 0.91.2" version I simply installed Armory 0.91.1 over 0.91.2, and it worked.
My question is, will I run into any issues because I installed an older version 0.91.1 over the newer one 0.91.2 ?
Thanks for clarification.
No unless wallet has a new version and you created a new one You should use 912 tho it's not unstable as it says Bummer! When I updated the torrent and re-signed the installer hashes, I accidentally left the "Testing (Unstable)" on 0.91.2 which is what is shown in the secure downloader. I'll have to fix that. On the other hand, it's listed on our website as the latest stable version. So there's that...
|
|
|
|
KrakenTrader
Member
Offline
Activity: 102
Merit: 10
|
|
June 19, 2014, 08:51:09 AM |
|
Hi
I upgraded from Armory 0.90 directly to 0.91.2, all went fine ( on a win 8.1 64bit OS ) When I realized that 0.91.2 is the "Armory Testing (unstable) 0.91.2" version I simply installed Armory 0.91.1 over 0.91.2, and it worked.
My question is, will I run into any issues because I installed an older version 0.91.1 over the newer one 0.91.2 ?
Thanks for clarification.
No unless wallet has a new version and you created a new one You should use 912 tho it's not unstable as it says Bummer! When I updated the torrent and re-signed the installer hashes, I accidentally left the "Testing (Unstable)" on 0.91.2 which is what is shown in the secure downloader. I'll have to fix that. On the other hand, it's listed on our website as the latest stable version. So there's that... I just updated to 0.91.2 - thank you bitpop and etotheipifor for fast clarification, all is fine now. Another question about the new Wallet Consistency Check: xx% What exactly is being checked here at this point? - Wallet Consistency Check finishes quite fast in around 30 seconds here. Thanks
|
|
|
|
bitpop
Legendary
Offline
Activity: 2912
Merit: 1060
|
|
June 19, 2014, 01:14:55 PM |
|
Consistency makes sure that your addresses were all generated from the root key to make sure you can generate the private key
|
|
|
|
plethora
Member
Offline
Activity: 113
Merit: 10
|
|
June 22, 2014, 04:37:20 PM |
|
I'm using Armory 0.91.1 on Windows 8.1 to download 0.91.2 (Testing unstable) 64-bit for Ubuntu 14.04 using Secure Downloader. When checking "Save with offline-verifiable signature" the file is saved as: armory_0.91.2-rc1_ubuntu-64bit.deb.signed.exe, I didn't expect an exe file and it looks weird ending with a comma. Next I select Verify Signed Package and select the file. I have to manually change to display all file types since there's no *.signed file. Armory asks me if I'd like to overwrite the original file to which I selected Yes. Armory explains that the installer was extracted to the same location (armory_0.91.2-rc1_ubuntu-64bit.deb.signed.exe,) however that file is now missing. It seems Armory removed the .exe, file but didn't extract any installer first. Now I'm back at the Verify Signed Package window where I click "Select file to save to...". Now Armory suggests a file name of armory_0.91.2-rc1_ubuntu-64bit.deb.
|
|
|
|
etotheipi (OP)
Legendary
Offline
Activity: 1428
Merit: 1093
Core Armory Developer
|
|
June 22, 2014, 04:44:20 PM |
|
I'm using Armory 0.91.1 on Windows 8.1 to download 0.91.2 (Testing unstable) 64-bit for Ubuntu 14.04 using Secure Downloader. When checking "Save with offline-verifiable signature" the file is saved as: armory_0.91.2-rc1_ubuntu-64bit.deb.signed.exe, I didn't expect an exe file and it looks weird ending with a comma. Next I select Verify Signed Package and select the file. I have to manually change to display all file types since there's no *.signed file. Armory asks me if I'd like to overwrite the original file to which I selected Yes. Armory explains that the installer was extracted to the same location (armory_0.91.2-rc1_ubuntu-64bit.deb.signed.exe,) however that file is now missing. It seems Armory removed the .exe, file but didn't extract any installer first. Now I'm back at the Verify Signed Package window where I click "Select file to save to...". Now Armory suggests a file name of armory_0.91.2-rc1_ubuntu-64bit.deb. I'll make sure to give this some TLC before the next release. Obviously the comma is an error. And obviously it should show you .exe/.deb/etc in the file select dialog. Also, try clicking "No" for overwriting and then click the button on the small dialog to specify where to save it. EDIT: I just tested this on my linux box, and I didn't run into either problem. When you do the download originally, it asks you where you want to save it. Are you sure you didn't accidentally type a comma in there? And you didn't see it on the list because of the comma -- it definitely shows you all ".signed" files, but not ".signed," files (with a comma).
|
|
|
|
plethora
Member
Offline
Activity: 113
Merit: 10
|
|
June 23, 2014, 03:43:29 AM |
|
I'm sure I didn't accidentally typed the comma since I've double and triple checked. I have now upgraded to 0.91.2 on Windows and tried the same procedure, saving the Ubuntu installer with offline-verifiable signature and get the same .exe, file name suggested by Armory. If I keep the "offline-verifiable signature" checkbox unchecked, the file is by default saved as: armory_0.91.2-rc1_ubuntu-32bit.deb I haven't tested the downloader on Ubuntu since that computer is offline
|
|
|
|
flipperfish
Sr. Member
Offline
Activity: 350
Merit: 251
Dolphie Selfie
|
|
June 23, 2014, 07:01:42 PM |
|
I'm sure I didn't accidentally typed the comma since I've double and triple checked. I have now upgraded to 0.91.2 on Windows and tried the same procedure, saving the Ubuntu installer with offline-verifiable signature and get the same .exe, file name suggested by Armory. If I keep the "offline-verifiable signature" checkbox unchecked, the file is by default saved as: armory_0.91.2-rc1_ubuntu-32bit.deb I haven't tested the downloader on Ubuntu since that computer is offline I can confirm this behavior. I just tried the Secure Downloader on Windows 7 x64 in Armory 0.91.2-beta and the filename proposed in the "Save as..." dialouge was "armory_0.91.2-rc1_winAll.exe.signed.exe ,". Without the "offline-verifiable signature" checkbox it's "armory_0.91.2-rc1_winAll.exe".
|
|
|
|
Rampion
Legendary
Offline
Activity: 1148
Merit: 1018
|
|
June 24, 2014, 08:53:50 AM |
|
Two questions:
a) any plans to make available an offline bundle for Ubuntu 12.04.4? b) are the offline bundles for 10.04 deprecated? Should we update our offline systems to 12.04?
|
|
|
|
|