Someone just asked me how to verify the digital signatures on the above packages.
I don't know how to do this in Windows without installing bloat-y software. But it's built-in, in Linux, and it's quite easy. And once you have the Armory public key downloaded and imported to your offline computer, it's one command to verify the signatures.
NOTE: if someone knows how to "build-in" a GPG signature into a Windows installer (*.msi file), that would be great. For now, I'm just signing the hash of the .msi file.
Use Linux to verify the authenticity of the Armory installers you download
- (1) Download the Armory Signing Public Key. It can also be retrieved via a public key server. Just search for "Armory" and you will find it.
- (2) Download the installers you want to verify (links at the bottom of this post). You only need the md5.asc file (signed MD5 hashes) if you want to verify the Windows installer.
- (3) Put all the downloaded files onto a USB key and take it to your offline Linux computer (skip this step if you're already in Linux!)
- (4) Go to Applications-->Accessories-->"Passwords and Encryption Keys". Go to File-->Import.... Select the Alan_C_Reiner_ArmorySigningPublic.asc
- (5) VERIFY THE KEY ID: Once the key is imported, click the "Other Keys" tab. You should see: Alan C. Reiner [email protected] 'Armory Signing Key' | 98832223 . Do not continue if it does not have 98832223! (backwards, that is 32223889)
Now the key is imported and you can skip the previous steps on future releases. Here's how to verify the *.deb files:
(1) Open a terminal, and navigate to the USB key where the installers are located (probably /media/usbkey or something like that)
(2) To verify the *.deb files, type "dpkg-sig --verify *.deb". You should see something like this:
/media/usbkey$ dpkg-sig --verify *.deb
Processing armory_0.82.4-1_amd64.deb...
GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1346525528
Processing armory_0.82.4-1_i386.deb...
GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1346525533
The "GOODSIG" is all you need! To verify the Windows MD5 hash file, you use regular GPG:
/media/usbkey$ gpg --verify version_0.82.4.md5.asc
gpg: Signature made Sat 01 Sep 2012 02:55:33 PM EDT using RSA key ID 98832223
gpg: Good signature from "Alan C. Reiner (Armory Signing Key) <[email protected]>"
Primary key fingerprint: 821F 1229 36BD D565 366A C36A 4AB1 6AEA 9883 2223
The MD5 file is now confirmed to be legitimate. The last thing is to make sure the .msi file has the same hash as is listed in the .md5.asc we just verified:
/media/usbkey$ md5sum *.msi
e3fa56fee145986bace4f51199778005 armory_0.82.4-alpha_win32_and_win64.msi
If you open the md5.asc file, you will see the hashes for each of the files:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
213c76e709c5cb6e80980a6f7bd4dca0 armory_0.82.4-1_amd64.deb
9602fd85514b247d55bc6c19f076860f armory_0.82.4-1_i386.deb
e3fa56fee145986bace4f51199778005 armory_0.82.4-alpha_win32_and_win64.msi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAEBAgAGBQJQQlolAAoJEEqxauqYgyIjsFEP/36qGu0/ZbBFt8nQc3XBVDnp
...
-----END PGP SIGNATURE-----
Here are the download links:
http://dl.dropbox.com/u/1139081/ArmoryTestingReleases/armory_0.82.4-alpha_win32_and_win64.msi
http://dl.dropbox.com/u/1139081/ArmoryTestingReleases/armory_0.82.4-1_amd64.deb
http://dl.dropbox.com/u/1139081/ArmoryTestingReleases/armory_0.82.4-1_i386.deb
Signed MD5 hashes (mainly for Windows; the *.deb files have the signatures built-in)