I always feel uneasy about the fact that so much money has to depend on MIT's server working properly and uninfilitrated, wonder if there is a way we can employ blockchain itself for further authetication 
Sounds like a job for Namecoin!
Topic: Issues with "Verifying Source Code Authenticity" (Read 842 times)
Sounds like a job for Namecoin!
I always feel uneasy about the fact that so much money managed with Armory has to depend on some keyservers working properly and uninfilitrated, wonder if there is a way we can employ blockchain itself for further authentication
Thank all of you that cleared this up. Your replies were all a huge help.
Thank you for the help. I appreciate it.
When you say, "you need to up the trust level" what exactly does that mean? Can you point me in the right direction for upping the trust level?
Thanks Again!
When you say, "you need to up the trust level" what exactly does that mean? Can you point me in the right direction for upping the trust level?
Thanks Again!
Since GPG has no certificate authorities who check IDs, GPG is especially paranoid about making sure you trust the source of the public keys. The idea was to have a huge web of trust of people checking each others' IDs, so that you always have a trusted signature on a new key for someone you don't know. If there are no trusted signatures, then it complains that it doesn't trust it, and it could've been replaced by an attacker's key. Or rather, before it trusts it, you have to explicitly tell GPG that you trust it and have verified it's the correct key.
Of course you don't know that for sure, except that it would've been tough for an attacker to replace all instances of the key and fingerprints you are exposed to, and all the downloads/installers that are signed with it. In general, for most users, getting the key from the keyserver is sufficient. If you are holding millions of dollars and consider yourself to be a target, you might do more paranoid checks.
So the real answer to your question is: you actually already did it. It says:
Quote
gpg: Signature made Tue 26 Nov 2013 01:31:01 PM EST using RSA key ID 98832223
gpg: Good signature from "Alan C. Reiner (Offline Signing Key) <[email protected]>"
...
gpg: Good signature from "Alan C. Reiner (Offline Signing Key) <[email protected]>"
...
It verifies the signature matches the key, it's just complaining that you've done nothing to identify you actually trust that key. If you want to set the trust explicity, you can do so from the command line:
Code:
$ gpg --edit-key 98832223
...
gpg> trust
...
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
...
gpg> trust
...
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
Thank you for the help. I appreciate it.
When you say, "you need to up the trust level" what exactly does that mean? Can you point me in the right direction for upping the trust level?
Thanks Again!
When you say, "you need to up the trust level" what exactly does that mean? Can you point me in the right direction for upping the trust level?
Thanks Again!
Quote
gpg: key 98832223: "Alan C. Reiner (Offline Signing Key) <[email protected]>" 6 new signatures
gpg: no ultimately trusted keys found
gpg: no ultimately trusted keys found
gpg: no ultimately trusted keys found
This is the line you care about. You have to up the trust leve of Alan's offline key yourself
I'm trying to verify the source code from Armory, and am getting errors. Any help would be appreciated. Please see the steps below for what I
have done to this point.
Steps
Output from the above command
Next Steps
Output from the above command
Obviously, I'm doing something wrong, since there's a warning message above. Can anyone help me please?
OS
Ubuntu 12.04
Thank you in advance!
have done to this point.
Steps
Code:
git clone git://github.com/etotheipi/BitcoinArmory.git
Code:
cd BitcoinArmory
Code:
gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223
Output from the above command
Code:
gpg: requesting key 98832223 from hkp server keyserver.ubuntu.com
gpg: key 98832223: "Alan C. Reiner (Offline Signing Key)" 6 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: new signatures: 6
gpg: key 98832223: "Alan C. Reiner (Offline Signing Key)
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: new signatures: 6
Next Steps
Code:
git tag -v v0.90-beta
Output from the above command
Code:
tagger Armory Technologies, Inc 1385490661 -0500
RAM-Reduction, Backup Center & Msg Signing
gpg: Signature made Tue 26 Nov 2013 01:31:01 PM EST using RSA key ID 98832223
gpg: Good signature from "Alan C. Reiner (Offline Signing Key)"
gpg: aka "Alan C. Reiner (Armory Signing Key)"
gpg: aka "Alan C. Reiner (Armory Signing Key)"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
RAM-Reduction, Backup Center & Msg Signing
gpg: Signature made Tue 26 Nov 2013 01:31:01 PM EST using RSA key ID 98832223
gpg: Good signature from "Alan C. Reiner (Offline Signing Key)
gpg: aka "Alan C. Reiner (Armory Signing Key)
gpg: aka "Alan C. Reiner (Armory Signing Key)
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Obviously, I'm doing something wrong, since there's a warning message above. Can anyone help me please?
OS
Ubuntu 12.04
Thank you in advance!
Jump to: