Topic: How can I verify Armory binaries (like I can Bitcoin Core / Gitian)?

sr. member
Activity: 255
Merit: 250
Senior Developer - Armory
Hopefully the first testing builds for 0.94 will be available sometime next week.

Just to be clear, I'm not entirely certain if the Gitian/deterministic material will be ready in time for the first test build. We're still ironing out a couple of kinks and setting up a repo for sigs. I'm pretty sure it'll all be ready relatively soon, maybe just not in time for the first test build or two.
full member
Activity: 204
Merit: 100
I tried gpg verifying following instructions in the download page for ubuntu:

Processing armory_0.85-beta_amd64.deb...
> GOODSIG _gpgbuilder 821F122936BDD565366AC36A4AB16AEA98832223 1353699840  <.....    this line not showing, only the previous one for ubuntu- Is it Ok ?
legendary
Activity: 3766
Merit: 1364
Armory Developer
Hopefully the first testing builds for 0.94 will be available sometime next week.
pf
full member
Activity: 176
Merit: 105
We are working on reproducible builds for Armory. The goals are Linux deb packages and a Raspberry Pi package for the next version of Armory (0.94). Right now the only way to be 100% certain that the binaries came from the source code is to build Armory from source yourself. After the reproducible builds exist, you will be able to verify the signatures of people you trust to be sure that the binaries came from the source code without needing to build Armory yourself. You will also be able to follow the reproducible build process to make your own build and sign off on it, so that people that trust you can verify your signature.

The Raspberry Pi package uses Gitian, but the Linux deb packages will use a script that uses the Debian Reproducible Toolchain. We will have instructions for reproducible builds using both systems. The Debian Reproducible Toolchain produces a buildinfo file instead of an assert file, but the idea is more or less the same.

It looks like 0.94 will just be using the signatures to verify that multiple people were able to get the same hash of the binaries. Only if a certain number of signatures are correct will the usual signing process continue. There will probably be a separate repository for signatures, like the Bitcoin gitian.sigs repo, so that ambitious users can verify the signatures themselves.

It seems like the ultimate goal is to have the Secure Downloader (that is part of Armory) verifying the signatures of multiple ATI employees, so that there is not a single computer doing the build and a single key signing the builds. But that won't happen for 0.94.

Work is also being done for OS X and Windows using Gitian. But those definitely won't be a part of 0.94.

Let me know if you have any more you want to know about this. Hopefully we will have 0.94 testing releases soon and then people will be able to try out the reproducible build process.

When is 0.94 (with reproducible builds for Linux and Raspberry Pi) due approximately? Are we talking 3 weeks, 3 months, or longer?
sr. member
Activity: 255
Merit: 250
Senior Developer - Armory
Can you and Joseph somehow prove that you are indeed working for Armory? I hope you understand. You know how it is. On forums, everyone can claim to be anyone.

I can prove that doug_armory works for Armory, but I can't prove that I do. If you look at the last person before the advisors on the about page on the Armory website, you will see Doug's name and near it is the text doug_armory with a link to his bitcointalk profile.

I'm interning under Doug's supervision. It appears that I am not listed on the about page, so I can't use that to prove I work for Armory. Maybe Doug or someone can state that I work for Armory, but you still might not trust them just because they themselves work for Armory. On GitHub, under the pull requests section, you will find a lot of closed pull requests from me, meaning that the code was merged into Armory, but that doesn't necessarily mean that I work for Armory, because some open source projects accept contributions from outside contributors. And still, there is nothing linking the GitHub account josephbisch to this bitcointalk account josephbisch.

I can confirm that Joseph is interning for Armory. If you look under the Armory pull requests on GitHub, you'll see several that Joseph authored and I pulled in to various branches. (2-3 are still waiting to be pulled once some issues are resolved.)
member
Activity: 75
Merit: 10
Can you and Joseph somehow prove that you are indeed working for Armory? I hope you understand. You know how it is. On forums, everyone can claim to be anyone.

I can prove that doug_armory works for Armory, but I can't prove that I do. If you look at the last person before the advisors on the about page on the Armory website, you will see Doug's name and near it is the text doug_armory with a link to his bitcointalk profile.

I'm interning under Doug's supervision. It appears that I am not listed on the about page, so I can't use that to prove I work for Armory. Maybe Doug or someone can state that I work for Armory, but you still might not trust them just because they themselves work for Armory. On GitHub, under the pull requests section, you will find a lot of closed pull requests from me, meaning that the code was merged into Armory, but that doesn't necessarily mean that I work for Armory, because some open source projects accept contributions from outside contributors. And still, there is nothing linking the GitHub account josephbisch to this bitcointalk account josephbisch.
pf
full member
Activity: 176
Merit: 105
Hello. Joseph is pretty much on point. He's been doing a fantastic job organizing this project. I think we'll have something ready for certain 0.94 builds. It depends on nailing down the last few details. If not, maybe 0.94.1? This is important stuff, and we really want to make sure it's nailed down before telling people they can use it.

As mentioned, OSX and Windows will have to wait awhile. They depend on some technical upgrades we've been exploring and will eventually upgrade into the mainline. As they said back in the 60s, stay tuned, Bat-fans!

Can you and Joseph somehow prove that you are indeed working for Armory? I hope you understand. You know how it is. On forums, everyone can claim to be anyone.
sr. member
Activity: 255
Merit: 250
Senior Developer - Armory
Hello. Joseph is pretty much on point. He's been doing a fantastic job organizing this project. I think we'll have something ready for certain 0.94 builds. It depends on nailing down the last few details. If not, maybe 0.94.1? This is important stuff, and we really want to make sure it's nailed down before telling people they can use it.

As mentioned, OSX and Windows will have to wait awhile. They depend on some technical upgrades we've been exploring and will eventually upgrade into the mainline. As they said back in the 60s, stay tuned, Bat-fans!
member
Activity: 75
Merit: 10
We are working on reproducible builds for Armory. The goals are Linux deb packages and a Raspberry Pi package for the next version of Armory (0.94). Right now the only way to be 100% certain that the binaries came from the source code is to build Armory from source yourself. After the reproducible builds exist, you will be able to verify the signatures of people you trust to be sure that the binaries came from the source code without needing to build Armory yourself. You will also be able to follow the reproducible build process to make your own build and sign off on it, so that people that trust you can verify your signature.

The Raspberry Pi package uses Gitian, but the Linux deb packages will use a script that uses the Debian Reproducible Toolchain. We will have instructions for reproducible builds using both systems. The Debian Reproducible Toolchain produces a buildinfo file instead of an assert file, but the idea is more or less the same.

It looks like 0.94 will just be using the signatures to verify that multiple people were able to get the same hash of the binaries. Only if a certain number of signatures are correct will the usual signing process continue. There will probably be a separate repository for signatures, like the Bitcoin gitian.sigs repo, so that ambitious users can verify the signatures themselves.

It seems like the ultimate goal is to have the Secure Downloader (that is part of Armory) verifying the signatures of multiple ATI employees, so that there is not a single computer doing the build and a single key signing the builds. But that won't happen for 0.94.

Work is also being done for OS X and Windows using Gitian. But those definitely won't be a part of 0.94.

Let me know if you have any more you want to know about this. Hopefully we will have 0.94 testing releases soon and then people will be able to try out the reproducible build process.
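The threshold idea described in the post above, as an added illustration (not Armory's code and not part of the thread): given the hash each builder attested to, check that enough trusted builders agree with the hash of the file you actually downloaded. It assumes each attestation's GPG signature has already been verified separately; the signer names, the `quorum_check` helper and all sample data are constructed for the example.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def quorum_check(artifact: bytes, attestations: dict, trusted: set, threshold: int) -> dict:
    """Compare each attested digest with the local artifact's digest.

    attestations maps signer name -> hex digest that signer published.
    Assumption: the signature on each attestation was already verified
    (e.g. with gpg) before it reaches this function.
    """
    local = sha256_hex(artifact)
    agree, mismatch, ignored = [], [], []
    for signer in sorted(attestations):
        digest = attestations[signer].strip().lower()
        if signer not in trusted:
            ignored.append(signer)      # not in our trust set: does not count
        elif digest == local:
            agree.append(signer)        # trusted builder reproduced our binary
        else:
            mismatch.append(signer)     # trusted builder got a different hash
    return {
        "digest": local,
        "agree": agree,
        "mismatch": mismatch,
        "ignored": ignored,
        "ok": len(agree) >= threshold,
    }


# Constructed sample data (not real Armory hashes or signers).
ARTIFACT = b"constructed stand-in for the bytes of a downloaded .deb"
GOOD = sha256_hex(ARTIFACT)
BAD = sha256_hex(b"constructed stand-in for a different build output")
ATTESTATIONS = {"alice": GOOD, "bob": GOOD.upper(), "carol": BAD, "mallory": GOOD}
TRUSTED = {"alice", "bob", "carol"}

if __name__ == "__main__":
    result = quorum_check(ARTIFACT, ATTESTATIONS, TRUSTED, threshold=2)
    print("threshold met:", result["ok"])
    print("agree:", result["agree"])
    print("mismatch:", result["mismatch"])
    print("ignored:", result["ignored"])
```

A non-empty `mismatch` list is worth investigating even when the threshold is met, since it means a trusted builder did not reproduce the same binary.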
pf
full member
Activity: 176
Merit: 105
You can download the signed hash file and their signing key from the downloads page here: https://bitcoinarmory.com/download/. Using GPG, you can verify the signed file and take the checksums of the other downloads and see if they match the hashes that they signed.
This is not what I'm asking about.

I'm looking for a way to prove that the binaries they provide actually come from the source code they're supposed to be coming from. Bitcoin Core does this through Gitian. https://gitian.org
staff
Activity: 3458
Merit: 6793
Just writing some code
You can download the signed hash file and their signing key from the downloads page here: https://bitcoinarmory.com/download/. Using GPG, you can verify the signed file and take the checksums of the other downloads and see if they match the hashes that they signed.
pf
full member
Activity: 176
Merit: 105
And if I can't, can I really trust Armory?