
Topic: Issues with "Verifying Source Code Authenticity" (Read 845 times)

legendary
Activity: 3752
Merit: 1364
Armory Developer
I always feel uneasy about the fact that so much money has to depend on MIT's server working properly and uninfiltrated, wonder if there is a way we can employ blockchain itself for further authentication

Sounds like a job for Namecoin!
hero member
Activity: 784
Merit: 1000
I always feel uneasy about the fact that so much money managed with Armory has to depend on some keyservers working properly and uninfiltrated, wonder if there is a way we can employ blockchain itself for further authentication
newbie
Activity: 23
Merit: 0
Thank all of you that cleared this up.  Your replies were all a huge help.
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
Thank you for the help.  I appreciate it.

When you say, "you need to up the trust level" what exactly does that mean?  Can you point me in the right direction for upping the trust level?

Thanks Again!

Since GPG has no certificate authorities who check IDs, GPG is especially paranoid about making sure you trust the source of the public keys.  The idea was to have a huge web of trust of people checking each other's IDs, so that you always have a trusted signature on a new key for someone you don't know.  If there are no trusted signatures, then it complains that it doesn't trust it, and it could've been replaced by an attacker's key.  Or rather, before it trusts it, you have to explicitly tell GPG that you trust it and have verified it's the correct key.

Of course you don't know that for sure, except that it would've been tough for an attacker to replace all instances of the key and fingerprints you are exposed to, and all the downloads/installers that are signed with it.  In general, for most users, getting the key from the keyserver is sufficient.  If you are holding millions of dollars and consider yourself to be a target, you might do more paranoid checks.

So the real answer to your question is:  you actually already did it.  It says:

Quote
gpg: Signature made Tue 26 Nov 2013 01:31:01 PM EST using RSA key ID 98832223
gpg: Good signature from "Alan C. Reiner (Offline Signing Key) <[email protected]>"
...

It verifies the signature matches the key, it's just complaining that you've done nothing to identify you actually trust that key.  If you want to set the trust explicitly, you can do so from the command line:

Code:
$ gpg --edit-key 98832223
...
gpg> trust
...
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
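
Added example (not part of the post above and not Armory's own tooling): the warning discussed here concerns local trust, not signature validity, so a script can check gpg's machine-readable status lines against a full fingerprint obtained out of band. The fingerprints and status lines are constructed placeholders, and `check_sig_status` and the `sample_*` functions are hypothetical names.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a constructed placeholder, not a real key.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Reads gpg --status-fd style lines on stdin; succeeds only if a valid
# signature was made by the key whose full 40-hex-digit fingerprint is $1.
check_sig_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#expected}" -eq 40 ] || return 2   # refuse short key IDs
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, last field the primary key
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Constructed status output: good signature, key not marked trusted locally.
sample_good() {
    cat <<'EOF'
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer (constructed)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-11-26 1385490661 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed: a different key whose short ID (last 8 hex digits) is the same.
sample_lookalike() {
    cat <<'EOF'
[GNUPG:] GOODSIG 7654321001234567 Example Signer (constructed)
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA987654321001234567 2013-11-26 1385490661 0 4 0 1 2 00 FEDCBA9876543210FEDCBA987654321001234567
[GNUPG:] TRUST_ULTIMATE 0 pgp
EOF
}

# Constructed: the signed data does not match the signature.
sample_bad() {
    cat <<'EOF'
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer (constructed)
EOF
}

for s in sample_good sample_lookalike sample_bad; do
    if "$s" | check_sig_status "$PINNED_FPR"; then echo "$s: accept"; else echo "$s: reject"; fi
done
# Real use: git verify-tag --raw <tag> 2>&1 | check_sig_status "$PINNED_FPR"
```

The first sample is accepted even though its trust line is `TRUST_UNDEFINED`, which is the situation in this thread; the lookalike is rejected because only the full fingerprint is compared.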
legendary
Activity: 3752
Merit: 1364
Armory Developer
http://www.gnupg.org/gph/en/manual.html

Check out the "Trust in a key's owner" section
newbie
Activity: 23
Merit: 0
Thank you for the help.  I appreciate it.

When you say, "you need to up the trust level" what exactly does that mean?  Can you point me in the right direction for upping the trust level?

Thanks Again!
legendary
Activity: 3752
Merit: 1364
Armory Developer
Quote
gpg: key 98832223: "Alan C. Reiner (Offline Signing Key) <[email protected]>" 6 new signatures
gpg: no ultimately trusted keys found

gpg: no ultimately trusted keys found

This is the line you care about. You have to up the trust level of Alan's offline key yourself
newbie
Activity: 23
Merit: 0
I'm trying to verify the source code from Armory, and am getting errors.  Any help would be appreciated.  Please see the steps below for what I have done to this point.

Steps

Code:
git clone git://github.com/etotheipi/BitcoinArmory.git

Code:
cd BitcoinArmory

Code:
gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223

Output from the above command

Code:
gpg: requesting key 98832223 from hkp server keyserver.ubuntu.com
gpg: key 98832223: "Alan C. Reiner (Offline Signing Key) " 6 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:         new signatures: 6

Next Steps

Code:
git tag -v v0.90-beta

Output from the above command

Code:
tagger Armory Technologies, Inc  1385490661 -0500

RAM-Reduction, Backup Center & Msg Signing
gpg: Signature made Tue 26 Nov 2013 01:31:01 PM EST using RSA key ID 98832223
gpg: Good signature from "Alan C. Reiner (Offline Signing Key) "
gpg:                 aka "Alan C. Reiner (Armory Signing Key) "
gpg:                 aka "Alan C. Reiner (Armory Signing Key) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Obviously, I'm doing something wrong, since there's a warning message above.  Can anyone help me please?

OS
Ubuntu 12.04

Thank you in advance!