Author

Topic: Bad signature for *.deb files in bitcoinarmory.com (Read 1218 times)

legendary
Activity: 3752
Merit: 1364
Armory Developer
hero member
Activity: 894
Merit: 501
1) Check the sig on sha256sum file vs my public key (https://github.com/goatpig/BitcoinArmory/releases/download/v0.94.1/sha256sum.asc.txt)

2) Hash the package you want to check, verify the hash and file name match what's in the signed sha256sum file


Thanks. I'm sorry, but I'm still a bit confused about the procedure.

I've downloaded the sha256sum file as you've instructed, but can't find your public key. Would that be something equivalent to Alan's key ID '98832223'? i.e. would I enter the following? 
Code:
$ gpg --recv-keys --keyserver keyserver.ubuntu.com **your key ID**
$ dpkg-sig --verify armory_0.94.1_amd64.deb
legendary
Activity: 3752
Merit: 1364
Armory Developer
Armory uses the same package verification process as Bitcoin Core:

1) Check the sig on sha256sum file vs my public key (https://github.com/goatpig/BitcoinArmory/releases/download/v0.94.1/sha256sum.asc.txt)

2) Hash the package you want to check, verify the hash and file name match what's in the signed sha256sum file
hero member
Activity: 894
Merit: 501
What if you're not comfortable compiling from source yourself?

I downloaded the latest version as suggested by knightdk, and when I run the verify:

$ dpkg-sig --verify *.deb


it outputs the folowing:

Processing armory_0.94.0_amd64.deb...


I'm probably too much of a noob to figure out how all this isn't disconcerting
legendary
Activity: 3752
Merit: 1364
Armory Developer
Armory has never had a signed .deb afaik. Our signing process has always been to create the packages, get the sha256 hash, and offline sign those. Think about it, it's a pain to setup a purely offline machine that can build the entire package, let alone do this for all supported OS. It's simpler to offline sign the package hash.
member
Activity: 85
Merit: 10
Got it thank you;

Also cross checked with the github 9.3.3 repo and ended up compiling from source.

I sign offline but I am still paranoid about it.
staff
Activity: 3458
Merit: 6793
Just writing some code
Did you follow the verification instructions at http://www.bitcoinarmory.com/download/? Make sure you have imported Alan's signing key.
legendary
Activity: 1512
Merit: 1012
Armory is changing hands. We are not sure who is running bitcoinarmory.com anymore. goatpig is now the sole developer, you can download Armory here
member
Activity: 85
Merit: 10
I was unable to verify .deb files from bitcoinarmory.com

Processing armory_0.93.3_ubuntu-64bit.deb...
BADSIG _gpgbuilder


How can we securely download and verify the latest version ?

Thank you.
Jump to: