Question on Verifying Armory Installers

[25hashcoin]

I am attempting to verify Armory installers. I have had success with this before but am having an issue now.

After I finally enter command: "$ sudo apt-get install dpkg-sig"

...it outputs this:

"Reading package lists... Done
Building dependency tree       
Reading state information... Done
dpkg-sig is already the newest version.
The following package was automatically installed and is no longer required:
  linux-image-generic
Use 'apt-get autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 18 not upgraded."


...instead of what is usually expected.


Not sure what to do here.

[1714720537]

1714720537

[1714720537]

1714720537

[1714720537]

1714720537

[1714720537]

1714720537

[josephbisch]

The command sudo apt-get install dpkg-sig uses apt-get to install the program dpkg-sig. The output you get indicates that dpkg-sig is already installed. Just proceed to the next step of whatever you are doing.

[25hashcoin]

The command sudo apt-get install dpkg-sig uses apt-get to install the program dpkg-sig. The output you get indicates that dpkg-sig is already installed. Just proceed to the next step of whatever you are doing.

I tried going to the next step and entering command

Code:

dpkg-sig --verify *.deb

But I get this output:

Code:

Processing armory_0.92.2-testing_ubuntu-64bit.deb...
Processing libqt4-designer_4.8.1-0ubuntu4.8_amd64.deb...
Processing libqt4-help_4.8.1-0ubuntu4.8_amd64.deb...
Processing libqt4-scripttools_4.8.1-0ubuntu4.8_amd64.deb...
Processing libqt4-test_4.8.1-0ubuntu4.8_amd64.deb...
Processing libqtassistantclient4_4.6.3-3ubuntu2_amd64.deb...
Processing libqtwebkit4_2.2.1-1ubuntu4_amd64.deb...
Processing python-psutil_0.4.1-1ubuntu1_amd64.deb...
Processing python-pyasn1_0.0.11a-1ubuntu1_all.deb...
Processing python-qt4_4.9.1-2ubuntu1_amd64.deb...
Processing python-sip_4.13.2-1_amd64.deb...
Processing python-twisted_11.1.0-1ubuntu2_all.deb...
Processing python-twisted-conch_11.1.0-1_all.deb...
Processing python-twisted-lore_11.1.0-1_all.deb...
Processing python-twisted-mail_11.1.0-1_all.deb...
Processing python-twisted-news_11.1.0-1_all.deb...
Processing python-twisted-runner_11.1.0-1_amd64.deb...
Processing python-twisted-words_11.1.0-1_all.deb...

with no "GOODSIG" line...

[josephbisch]

Did you download the key first?

Code:

gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223

I get the following output:

Code:

joseph@crunchbang:~/downloads$ dpkg-sig --verify *.deb
Processing armory_0.92.2-testing_ubuntu-64bit.deb...
GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1409083814
Processing libdvdcss2_1.2.13-0_amd64.deb...

[etotheipi]

I am attempting to verify Armory installers. I have had success with this before but am having an issue now.

After I finally enter command: "$ sudo apt-get install dpkg-sig"

...it outputs this:

"Reading package lists... Done
Building dependency tree      
Reading state information... Done
dpkg-sig is already the newest version.
The following package was automatically installed and is no longer required:
  linux-image-generic
Use 'apt-get autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 18 not upgraded."


...instead of what is usually expected.


Not sure what to do here.

That's the command for installing dpkg-sig.  Not running it.

Run "dpkg-sig --verify *.deb"

[25hashcoin]

I am attempting to verify Armory installers. I have had success with this before but am having an issue now.

After I finally enter command: "$ sudo apt-get install dpkg-sig"

...it outputs this:

"Reading package lists... Done
Building dependency tree      
Reading state information... Done
dpkg-sig is already the newest version.
The following package was automatically installed and is no longer required:
  linux-image-generic
Use 'apt-get autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 18 not upgraded."


...instead of what is usually expected.


Not sure what to do here.

That's the command for installing dpkg-sig.  Not running it.

Run "dpkg-sig --verify *.deb"

I get the output I mentioned in post #3:

(No "GOODSIG" line)

Code:

Processing armory_0.92.2-testing_ubuntu-64bit.deb...
Processing libqt4-designer_4.8.1-0ubuntu4.8_amd64.deb...
Processing libqt4-help_4.8.1-0ubuntu4.8_amd64.deb...
Processing libqt4-scripttools_4.8.1-0ubuntu4.8_amd64.deb...
Processing libqt4-test_4.8.1-0ubuntu4.8_amd64.deb...
Processing libqtassistantclient4_4.6.3-3ubuntu2_amd64.deb...
Processing libqtwebkit4_2.2.1-1ubuntu4_amd64.deb...
Processing python-psutil_0.4.1-1ubuntu1_amd64.deb...
Processing python-pyasn1_0.0.11a-1ubuntu1_all.deb...
Processing python-qt4_4.9.1-2ubuntu1_amd64.deb...
Processing python-sip_4.13.2-1_amd64.deb...
Processing python-twisted_11.1.0-1ubuntu2_all.deb...
Processing python-twisted-conch_11.1.0-1_all.deb...
Processing python-twisted-lore_11.1.0-1_all.deb...
Processing python-twisted-mail_11.1.0-1_all.deb...
Processing python-twisted-news_11.1.0-1_all.deb...
Processing python-twisted-runner_11.1.0-1_amd64.deb...
Processing python-twisted-words_11.1.0-1_all.deb...

[25hashcoin]

May have found part of the issue. I am trying to verify the .deb included in the offline bundle. I tried verifying the standard (not offline bundle) .deb Armory download and it worked. Does this make sense? I'm a bit lost. Can someone tell me how to verify the offline bundle and is there a way to do that offline?

[25hashcoin]

May have found part of the issue. I am trying to verify the .deb included in the offline bundle. I tried verifying the standard (not offline bundle) .deb Armory download and it worked. Does this make sense? I'm a bit lost. Can someone tell me how to verify the offline bundle and is there a way to do that offline?

Anyone? How do I verify the Offline Bundle?

[etotheipi]

Sorry, forgot to respond.  You're actually right:  the other .deb files do not have digital signatures, so you shouldnt' expect any output for them.  It's the armory*.deb files that have signatures, and my script is supposed to sign them before putting them into the offline bundle.

Therefore, you should only need to run "dpkg-sig --verify armory*.deb" to verify the armory installer is legit.  If not, you can always download the armory installer separately and verify it and put it into the bundle (but this shouldn't be necessary unless my bundling script is botched).

[josephbisch]

When I got it to work, I was using the online version. Now, when I try with the offline bundle, I also can't verify it.

Code:

joseph@crunchbang:~/downloads/OfflineBundle$ dpkg-sig --verify armory_0.92.2-testing_ubuntu-64bit.deb 
Processing armory_0.92.2-testing_ubuntu-64bit.deb...

[etotheipi]

When I got it to work, I was using the online version. Now, when I try with the offline bundle, I also can't verify it.

Code:

joseph@crunchbang:~/downloads/OfflineBundle$ dpkg-sig --verify armory_0.92.2-testing_ubuntu-64bit.deb 
Processing armory_0.92.2-testing_ubuntu-64bit.deb...

Okay, it sounds like my script is putting the armory*.deb file into the offline bundle before signing it.  This might be related to the RPi bundle which I also know I fixed, but doesn't seem to have made it into the latest release.  Sorry for the inconvenience!

For now, download armory*.deb, verify it, and then copy it into the offline bundle directory (overwrite the existing .deb).  Or verify using the signed hash file, which does contain the hashes of the bundle tar.gzs.  Instructions for that are on the website download page.

I'm thinking of changing this whole thing so that there is only regular releases (which seem to be done correctly), and then have a bunch of "offline-setup-packs" that can be installed one time for the offline computer, one for each linux distribution.  It would be easier than re-creating every bundle for every release, though it's extra steps for the first-time user -- it's probably worth the tradeoff (especially because I can offer a wider array of offline bundles)