Bitcoin Forum
Author Topic: Armory - Discussion Thread  (Read 521823 times)
bitpop
June 18, 2014, 12:20:27 PM
 #3781

If you trust certain posts you can skip to the hash of a file

Skip that Damn properties window and use hashtab

Armoryqt.exe

CRC32: 12984228
MD5: 52ff671b60d877ed2d82f04539c9fd88
SHA-1: a543edd804124bc137c5f8e130b0b99713dc75bb
SHA-256: 82b7e487121fd3cd61f2103debd269eef74b959089a0fe547c4cb40f5b24b779

SimonBelmond
June 18, 2014, 12:31:26 PM
 #3782

I have a question which is slightly off topic but I assume someone here will have an answer for this and Google did not give me an answer so far:

I am using Kleopatra for all things PGP. I have tried other Windows PGP tools as well. I want to know how I can publicly sign someone’s key on a keyserver without ever taking the key onto an online system. I can sign/encrypt files and text offline and then transfer them away from the offline system. I would also like to be able to sign a key offline and then broadcast the signature from an online system. Does anyone here have experience with that? I do not trust any online system. Seem to be a bit biased by the Armory Security Concept.

Sorry for posting it here. If you know the best place to discuss these things please let me know.
bitpop
June 18, 2014, 12:41:57 PM
 #3783

I have a question which is slightly off topic but I assume someone here will have an answer for this and Google did not give me an answer so far:

I am using Kleopatra for all things PGP. I have tried other Windows PGP tools as well. I want to know how I can publicly sign someone’s key on a keyserver without ever taking the key onto an online system. I can sign/encrypt files and text offline and then transfer them away from the offline system. I would also like to be able to sign a key offline and then broadcast the signature from an online system. Does anyone here have experience with that? I do not trust any online system. Seem to be a bit biased by the Armory Security Concept.

Sorry for posting it here. If you know the best place to discuss these things please let me know.


Your answer will lie in the gpg command line which is included

Corelianer
June 18, 2014, 12:55:31 PM
 #3784

If you trust certain posts you can skip to the hash of a file

Skip that Damn properties window and use hashtab

Armoryqt.exe

CRC32: 12984228
MD5: 52ff671b60d877ed2d82f04539c9fd88
SHA-1: a543edd804124bc137c5f8e130b0b99713dc75bb
SHA-256: 82b7e487121fd3cd61f2103debd269eef74b959089a0fe547c4cb40f5b24b779

I use the hash-values too, but the values are only published for the installer not for the installed files.
bitpop
June 18, 2014, 01:19:05 PM
 #3785

If you trust certain posts you can skip to the hash of a file

Skip that Damn properties window and use hashtab

Armoryqt.exe

CRC32: 12984228
MD5: 52ff671b60d877ed2d82f04539c9fd88
SHA-1: a543edd804124bc137c5f8e130b0b99713dc75bb
SHA-256: 82b7e487121fd3cd61f2103debd269eef74b959089a0fe547c4cb40f5b24b779

I use the hash-values too, but the values are only published for the installer not for the installed files.

We can get consensus among each other

etotheipi (OP)
Core Armory Developer
June 18, 2014, 05:04:04 PM
 #3786

Wow, I missed out on some fun discussions.  Let me clarify how this works, and what Armory has done (and failed to do).

  • You can use OpenSSL to generate your own SSL certificate (offline if you want), and send just the [effective] public key to the CA for signing.  In this way, the private part of your certificate can be protected in exactly the same way as we do GPG.
  • The certificate provider/signer will verify your identity before they sign any certificate claiming "Joe's Fish Shop" is the provider of this software.
  • A single compromised CA cert could be used to impersonate just about anything.  Your system trusts any number of probably 100 certificate roots, and a signature from any one of them pretty much gives the green light, unless you are manually inspecting the certificate chain and know that certain certs are lower security and/or compromised.  It's the job of the OS and the browsers to track which CAs are still trustworthy and help update your CA lists to make sure that any compromised providers are no longer trusted.
  • The MS/authenticode system is not good for verifying specific certificates.  Ideally, for high-security apps, the publisher would publish their public cert and everyone would verify that the signatures are from that cert, though it's a bit of work to do this.  Instead, they just check whether there's any valid certificate chain and show you "Yes/No" that the signature is valid.
  • For this reason, I don't care much for Authenticode-signed certs.  They avoid the unsightly "Unknown Publisher" when you go to run the installer, but that can be a false sense of security.
  • I stand by the notion that the GPG signatures are the most secure.  Our offline GPG fingerprint is everywhere, and it's simple to check via command-line.  It's also easy to integrate into our release scripts.
Here's what Armory has done to this point:

  • I have a Class 2 object code signing certificate, signed by StartCom.  Though at this point it might be expired.  However, it is in my name ("Alan Reiner")
  • Getting a cert associated with the company requires quite a bit of ID verification work, including supplying tax returns.  We haven't been keen to do this, though I suspect we will at some point.  This would be needed for it to show "Armory Technologies, Inc." on the "Verified Publisher:" line.
  • Before version 0.90, Armory used my personally-verified cert.  I generated it on an offline Windows machine, and integrated three extra steps into my release process to make sure the Windows installers made it to that machine for authenticode signing before going to the offline Linux box for GPG signing.  This is quite a pain ... you can't sign afterwards or else the GPG hashes/sigs break.
  • There is technically a way to do this in Linux, but it didn't work with the type of .exe I was signing.  I was left with no choice but to use a dedicated offline Windows box.
  • Before version 0.90, I did go through with all this.  You should be able to run the 0.88 installers and see my name as the verified publisher.
  • Since version 0.90, we have been using NSIS to package up our installers.  The signing process that I previously used no longer works.  I believe it has to do with the chained installer architecture:  the outer shell of the installer is signed, but its only purpose is to unpack the real installer and run it... which is not (easily) signed.  This means that if you take the .exe posted on the website (if it were signed this way), you could view its properties in Windows and see the signature is there.  But when you run it, you still see "Unknown Publisher."

With all this in mind, I hope you'll forgive me that I wasn't excited about going through a lot of work, to provide what I felt was less security than the GPG sig, and complicates the heck out of my signing&release process.  Is it useless?  Not exactly.  But I'm comfortable with the idea that the user either checks the GPG sig and knows it's good, or they don't and know it's not verified. 

However, it is possible that the new installer format works with Linux authenticode tools, so that it could be easily integrated into the release process.  If anyone wants to try that out for us and provide a recipe for doing it, I will take a shot at it.  But I'm not anxious to put a lot of effort into what is already a complex and inconvenient process (low convenience but high security!).


Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
SimonBelmond
June 18, 2014, 05:47:20 PM
 #3787

I have a question which is slightly off topic but I assume someone here will have an answer for this and Google did not give me an answer so far:

I am using Kleopatra for all things PGP. I have tried other Windows PGP tools as well. I want to know how I can publicly sign someone’s key on a keyserver without ever taking the key onto an online system. I can sign/encrypt files and text offline and then transfer them away from the offline system. I would also like to be able to sign a key offline and then broadcast the signature from an online system. Does anyone here have experience with that? I do not trust any online system. Seem to be a bit biased by the Armory Security Concept.

Sorry for posting it here. If you know the best place to discuss these things please let me know.


Your answer will lie in the gpg command line which is included

THX for the hint. I will dig into that.
justusranvier
June 18, 2014, 05:59:47 PM
 #3788

Sometimes it feels like you used the "time remaining" algorithm from Windows 95, such as when the database rebuild progress displays 1.5 minutes remaining for 10 minutes.
etotheipi (OP)
June 18, 2014, 06:03:51 PM
 #3789

Sometimes it feels like you used the "time remaining" algorithm from Windows 95, such as when the database rebuild progress displays 1.5 minutes remaining for 10 minutes.

One thing I've learned over the course of building Armory is that those time-remaining bars are very difficult to get right.  Especially when it comes to things like downloading data that fluctuates in speed rapidly.   I have an extensive background in signal processing, yet I still can't get it right.

On the other hand, there is a flaw in my algorithm -- it seems to use CPU-timings instead of wall-timings.  Typically this results in the system reporting that it took 2 sec to move 1% of the bar, instead of 3.2 or whatever.  This leads to very optimistic estimates.  I've been meaning to go in and figure out what is causing that, but I haven't had it on my priority list for a while.

justusranvier
June 18, 2014, 06:20:45 PM
 #3790

On the other hand, there is a flaw in my algorithm -- it seems to use CPU-timings instead of wall-timings.
That might explain why the estimates are grossly inaccurate on an IO-bound virtual machine.

I just experienced a 31 minute wait to start up, when it had less than 3 days worth of new blocks to process.

"Time Remaining" never exceeded 2 minutes.
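
The CPU-time versus wall-time gap discussed in the two posts above, as an added example (not Armory's code and not written by any poster): the same linear time-remaining estimate is driven once by a CPU clock and once by a wall clock over an I/O-bound workload. `EtaEstimator`, `io_bound_step` and `compare_estimates` are hypothetical names, and the `time.sleep` call is an assumed stand-in for blocking disk I/O.

```python
import hashlib
import time


class EtaEstimator:
    """Linear time-remaining estimate driven by an injectable clock."""

    def __init__(self, clock):
        self._clock = clock
        self._start = clock()

    def remaining(self, fraction_done):
        """Seconds left, assuming the rest runs at the average rate so far."""
        if not 0.0 < fraction_done <= 1.0:
            raise ValueError("fraction_done must be in (0, 1]")
        elapsed = self._clock() - self._start
        return elapsed * (1.0 - fraction_done) / fraction_done


def io_bound_step(wait_seconds):
    """Constructed stand-in for one unit of a database rebuild on slow
    storage: a little hashing (CPU) followed by a blocking wait (I/O)."""
    hashlib.sha256(b"\x00" * 65536).digest()
    time.sleep(wait_seconds)  # wall clock advances, CPU clock does not


def compare_estimates(total_steps=10, steps_done=4, wait_seconds=0.05):
    """Run part of the workload and return (cpu_eta, wall_eta) in seconds."""
    # process_time() counts only CPU time consumed by this process, so time
    # spent blocked on I/O is invisible to it.
    cpu = EtaEstimator(time.process_time)
    # monotonic() counts real elapsed time, which is what the user waits for.
    wall = EtaEstimator(time.monotonic)
    for _ in range(steps_done):
        io_bound_step(wait_seconds)
    fraction = steps_done / total_steps
    return cpu.remaining(fraction), wall.remaining(fraction)


if __name__ == "__main__":
    cpu_eta, wall_eta = compare_estimates()
    print(f"CPU-clock ETA:  {cpu_eta:.3f} s")
    print(f"wall-clock ETA: {wall_eta:.3f} s")
```

The more of each step that is spent waiting rather than computing, the further the CPU-clock estimate falls below the wall-clock one, which matches the I/O-bound virtual machine report above.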

KrakenTrader
June 19, 2014, 12:12:21 AM
 #3791

Hi

I upgraded from Armory 0.90 directly to 0.91.2, all went fine ( on a win 8.1 64bit OS )
When I realized that 0.91.2 is the "Armory Testing (unstable) 0.91.2" version
I simply installed  Armory 0.91.1 over 0.91.2, and it worked.

My question is, will I run into any issues because I installed an older version 0.91.1 over the newer one 0.91.2 ?

Thanks for clarification.
bitpop
June 19, 2014, 02:02:07 AM
 #3792

Hi

I upgraded from Armory 0.90 directly to 0.91.2, all went fine ( on a win 8.1 64bit OS )
When I realized that 0.91.2 is the "Armory Testing (unstable) 0.91.2" version
I simply installed  Armory 0.91.1 over 0.91.2, and it worked.

My question is, will I run into any issues because I installed an older version 0.91.1 over the newer one 0.91.2 ?

Thanks for clarification.


No unless wallet has a new version and you created a new one

You should use 912 tho it's not unstable as it says

etotheipi (OP)
June 19, 2014, 02:25:26 AM
 #3793

Hi

I upgraded from Armory 0.90 directly to 0.91.2, all went fine ( on a win 8.1 64bit OS )
When I realized that 0.91.2 is the "Armory Testing (unstable) 0.91.2" version
I simply installed  Armory 0.91.1 over 0.91.2, and it worked.

My question is, will I run into any issues because I installed an older version 0.91.1 over the newer one 0.91.2 ?

Thanks for clarification.


No unless wallet has a new version and you created a new one

You should use 912 tho it's not unstable as it says

Bummer!  When I updated the torrent and re-signed the installer hashes, I accidentally left the "Testing (Unstable)" on 0.91.2 which is what is shown in the secure downloader.  I'll have to fix that.

On the other hand, it's listed on our website as the latest stable version.  So there's that...

KrakenTrader
June 19, 2014, 08:51:09 AM
 #3794

Hi

I upgraded from Armory 0.90 directly to 0.91.2, all went fine ( on a win 8.1 64bit OS )
When I realized that 0.91.2 is the "Armory Testing (unstable) 0.91.2" version
I simply installed  Armory 0.91.1 over 0.91.2, and it worked.

My question is, will I run into any issues because I installed an older version 0.91.1 over the newer one 0.91.2 ?

Thanks for clarification.


No unless wallet has a new version and you created a new one

You should use 912 tho it's not unstable as it says

Bummer!  When I updated the torrent and re-signed the installer hashes, I accidentally left the "Testing (Unstable)" on 0.91.2 which is what is shown in the secure downloader.  I'll have to fix that.

On the other hand, it's listed on our website as the latest stable version.  So there's that...


I just updated to 0.91.2 - thank you bitpop and etotheipi for fast clarification, all is fine now.

Another question about the new Wallet Consistency Check: xx%  
What exactly is being checked here at this point? - Wallet Consistency Check finishes quite fast in around 30 seconds here.
Thanks
bitpop
June 19, 2014, 01:14:55 PM
 #3795

Consistency makes sure that your addresses were all generated from the root key to make sure you can generate the private key

plethora
June 22, 2014, 04:37:20 PM
 #3796

I'm using Armory 0.91.1 on Windows 8.1 to download 0.91.2 (Testing unstable) 64-bit for Ubuntu 14.04 using Secure Downloader. When checking "Save with offline-verifiable signature" the file is saved as:
Code:
armory_0.91.2-rc1_ubuntu-64bit.deb.signed.exe,
I didn't expect an exe file and it looks weird ending with a comma.

Next I select Verify Signed Package and select the file. I have to manually change to display all file types since there's no *.signed file. Armory asks me if I'd like to overwrite the original file to which I selected Yes. Armory explains that the installer was extracted to the same location (armory_0.91.2-rc1_ubuntu-64bit.deb.signed.exe,) however that file is now missing. It seems Armory removed the .exe, file but didn't extract any installer first.

Now I'm back at the Verify Signed Package window where I click "Select file to save to...". Now Armory suggests a file name of armory_0.91.2-rc1_ubuntu-64bit.deb.
etotheipi (OP)
June 22, 2014, 04:44:20 PM
 #3797

I'm using Armory 0.91.1 on Windows 8.1 to download 0.91.2 (Testing unstable) 64-bit for Ubuntu 14.04 using Secure Downloader. When checking "Save with offline-verifiable signature" the file is saved as:
Code:
armory_0.91.2-rc1_ubuntu-64bit.deb.signed.exe,
I didn't expect an exe file and it looks weird ending with a comma.

Next I select Verify Signed Package and select the file. I have to manually change to display all file types since there's no *.signed file. Armory asks me if I'd like to overwrite the original file to which I selected Yes. Armory explains that the installer was extracted to the same location (armory_0.91.2-rc1_ubuntu-64bit.deb.signed.exe,) however that file is now missing. It seems Armory removed the .exe, file but didn't extract any installer first.

Now I'm back at the Verify Signed Package window where I click "Select file to save to...". Now Armory suggests a file name of armory_0.91.2-rc1_ubuntu-64bit.deb.

I'll make sure to give this some TLC before the next release.  Obviously the comma is an error.  And obviously it should show you .exe/.deb/etc in the file select dialog.  Also, try clicking "No" for overwriting and then click the button on the small dialog to specify where to save it.   

EDIT:  I just tested this on my Linux box, and I didn't run into either problem.  When you do the download originally, it asks you where you want to save it.  Are you sure you didn't accidentally type a comma in there?  And you didn't see it on the list because of the comma -- it definitely shows you all ".signed" files, but not ".signed," files (with a comma).

plethora
June 23, 2014, 03:43:29 AM
 #3798

I'm sure I didn't accidentally type the comma since I've double and triple checked. I have now upgraded to 0.91.2 on Windows and tried the same procedure, saving the Ubuntu installer with offline-verifiable signature and get the same .exe, file name suggested by Armory.
If I keep the "offline-verifiable signature" checkbox unchecked, the file is by default saved as:
Code:
armory_0.91.2-rc1_ubuntu-32bit.deb

I haven't tested the downloader on Ubuntu since that computer is offline ;)
flipperfish
June 23, 2014, 07:01:42 PM
 #3799

I'm sure I didn't accidentally type the comma since I've double and triple checked. I have now upgraded to 0.91.2 on Windows and tried the same procedure, saving the Ubuntu installer with offline-verifiable signature and get the same .exe, file name suggested by Armory.
If I keep the "offline-verifiable signature" checkbox unchecked, the file is by default saved as:
Code:
armory_0.91.2-rc1_ubuntu-32bit.deb

I haven't tested the downloader on Ubuntu since that computer is offline ;)

I can confirm this behavior. I just tried the Secure Downloader on Windows 7 x64 in Armory 0.91.2-beta and the filename proposed in the "Save as..." dialogue was "armory_0.91.2-rc1_winAll.exe.signed.exe,". Without the "offline-verifiable signature" checkbox it's "armory_0.91.2-rc1_winAll.exe".
Rampion
June 24, 2014, 08:53:50 AM
 #3800

Two questions:

a) any plans to make available an offline bundle for Ubuntu 12.04.4?
b) are the offline bundles for 10.04 deprecated? Should we update our offline systems to 12.04?
