Topic: Bad signature for *.deb files in bitcoinarmory.com (Read 1194 times)

legendary
Activity: 3640
Merit: 1345
Armory Developer
hero member
Activity: 894
Merit: 501
1) Check the sig on sha256sum file vs my public key (https://github.com/goatpig/BitcoinArmory/releases/download/v0.94.1/sha256sum.asc.txt)

2) Hash the package you want to check, verify the hash and file name match what's in the signed sha256sum file


Thanks. I'm sorry, but I'm still a bit confused about the procedure.

I've downloaded the sha256sum file as you've instructed, but can't find your public key. Would that be something equivalent to Alan's key ID '98832223'? i.e. would I enter the following? 
Code:
$ gpg --recv-keys --keyserver keyserver.ubuntu.com **your key ID**
$ dpkg-sig --verify armory_0.94.1_amd64.deb
legendary
Activity: 3640
Merit: 1345
Armory Developer
Armory uses the same package verification process as Bitcoin Core:

1) Check the sig on sha256sum file vs my public key (https://github.com/goatpig/BitcoinArmory/releases/download/v0.94.1/sha256sum.asc.txt)

2) Hash the package you want to check, verify the hash and file name match what's in the signed sha256sum file
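The two steps above as shell functions (an added example, not part of the original post and not Armory's own tooling). It assumes sha256sum.asc.txt is a clearsigned list of `hash  filename` lines and that the signer's full key fingerprint was obtained out of band; the function names, the output file name and the fingerprint variable are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed: sha256sum.asc.txt is clearsigned "hash  filename" text,
# and the signer's full fingerprint (uppercase hex, no spaces) is already known.

# Step 1: check the signature and write out ONLY the text it covers.
# Anything outside the signed region of a clearsigned file is unauthenticated,
# so hashes must be read from gpg's output, never grepped from the .asc itself.
#   $1 = clearsigned manifest   $2 = expected fingerprint   $3 = output file
extract_signed_manifest() {
    status=$(gpg --batch --yes --status-fd 1 --output "$3" --decrypt "$1" \
             2>/dev/null) || { rm -f "$3"; return 1; }
    # A good signature from some other key in the keyring is not enough:
    # VALIDSIG carries the signing key fingerprint (field 3) and the primary
    # key fingerprint (last field); one of them must be the expected one.
    printf '%s\n' "$status" | awk -v f="$2" '
        $2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
        END { exit !ok }' || { rm -f "$3"; return 1; }
}

# Step 2: hash the package and require that hash AND file name match one line.
#   $1 = verified manifest (output of step 1)   $2 = package file
check_package() {
    name=$(basename "$2")
    actual=$(sha256sum "$2" 2>/dev/null | cut -d' ' -f1)
    # sha256sum lists "hash  name" (text) or "hash *name" (binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$1")
    # Fails if the name is absent, listed more than once, or the hash differs.
    [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# Usage (EXPECTED_FPR is a placeholder, not a real key):
#   extract_signed_manifest sha256sum.asc.txt "$EXPECTED_FPR" sha256sum.verified &&
#   check_package sha256sum.verified armory_0.94.1_amd64.deb && echo OK
```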
hero member
Activity: 894
Merit: 501
What if you're not comfortable compiling from source yourself?

I downloaded the latest version as suggested by knightdk, and when I run the verify:

$ dpkg-sig --verify *.deb


it outputs the following:

Processing armory_0.94.0_amd64.deb...


I'm probably too much of a noob to figure out how all this isn't disconcerting
legendary
Activity: 3640
Merit: 1345
Armory Developer
Armory has never had a signed .deb afaik. Our signing process has always been to create the packages, get the sha256 hash, and offline sign those. Think about it, it's a pain to set up a purely offline machine that can build the entire package, let alone do this for all supported OS. It's simpler to offline sign the package hash.
member
Activity: 85
Merit: 10
Got it thank you;

Also cross checked with the github 9.3.3 repo and ended up compiling from source.

I sign offline but I am still paranoid about it.
staff
Activity: 3374
Merit: 6530
Just writing some code
Did you follow the verification instructions at http://www.bitcoinarmory.com/download/? Make sure you have imported Alan's signing key.
legendary
Activity: 1512
Merit: 1009
Armory is changing hands. We are not sure who is running bitcoinarmory.com anymore. goatpig is now the sole developer, you can download Armory here
member
Activity: 85
Merit: 10
I was unable to verify .deb files from bitcoinarmory.com

Processing armory_0.93.3_ubuntu-64bit.deb...
BADSIG _gpgbuilder


How can we securely download and verify the latest version?

Thank you.