Secure download of bitcoin core fails (signature).

[picobit]

Hi,

I just tried upgrading Armory and Bitcoin Core using Armory's secure download.  The download of the new version of Armory went well, but downloading Bitcoin Core failed with this error:

The download completed but its cryptographic signature is invalid. Please try the download again. If you get another error, please report the problem to support@bitcoinarmory.com.

The downloaded data has been discarded.

The error comes immediately, almost as if nothing is downloaded.  So I assume that this is an error in the downloader.  Running Armory 0.92.2.

Finally, I should note that although I am still running OS X 10.9.5 I tried to download the version for OSX 10.10 as that was the only one available, and as the official version does not care about the exact OS X version (I assume Armory gives me the official build).  Also, for Armory itself I downloaded for 10.9.4 as there is no 10.9.5 option at all.

EDIT: Tried again with the newly installed Armory 0.92.3: Same error.

[btchris]

It does indeed look like the OS X download link in Armory is wrong.

You can view the download links Armory uses here: https://s3.amazonaws.com/bitcoinarmory-media/dllinks.txt
The link for OS X on that list points here: https://bitcoin.org/bin/0.9.3/bitcoin-0.9.3-osx.dmg
However the correct link is this: https://bitcoin.org/bin/0.9.3/bitcoin-0.9.3-macosx.dmg
Close, but no cigar.

In their defense, it looks like it used to be the correct link, but then the link was changed post launch: https://github.com/bitcoin/bitcoin.org/commit/5ebee77e56222d717ffc3606b8ed6c8c3687e384

Of course you can always download it yourself; other than that we'll need to wait for a kind Armory dev to fix this (which happily won't require a new version of Armory I believe).

[picobit]

Thanks for your reply!

Yes, I have already downloaded it myself.  Of course, in principle I now should check that the PGP signature used to sign it is actually the one belonging to the person it claims to belong to, and that he is actually the person that should be signing bitcoin core.  If Armory can do that work for me, I can remain lazy. 

[etotheipi]

Ack.  Good catch.  I tend to check all the new downloads before pushing (or immediately after) version updates to make sure it was all smooth.  It seems I actually did it right but they pulled the rug out from under me... thanks for finding that commit that changed and vindicating me from fault

It will be updated soon.  Until then, you can still use the secure-downloader to confirm, just not execute the full download:

• In the secure downloader, select the OSX package, and instead of clicking "Download", click "Download Info".  You'll see the (incorrect) download link and the hash that Armory Tech has pre-verified and signed.
• Go to the bitcoin.org website and download the file from there (or just use the link posted, such as here:  
  https://bitcoin.org/bin/0.9.3/bitcoin-0.9.3-macosx.dmg
• In the terminal, you can shasum -a256 bitcoin*.dmg.  This should give you the same hash that is shown in Armory

[btchris]

Ack.  Good catch.  I tend to check all the new downloads before pushing (or immediately after) version updates to make sure it was all smooth.  It seems I actually did it right but they pulled the rug out from under me... thanks for finding that commit that changed and vindicating me from fault

Looks like they changed it two days after initially posting it. Your only fault was updating the Armory links too quickly after release