
Topic: PPA vs. DEB install. Which is better for Armory & Bitcoin Core? (Read 321 times)

legendary
Activity: 3430
Merit: 3080
Quote
But once I was solely in charge of keeping my own money safe, my attitude quickly changed

Then he went full Kubernetes. Never go full Kubernetes!

Grin

I still run "bare metal" debian on a raspi 3 (bare plastic? bare play-do!)

The rest of the time, I have 5 copies of Qubes nested inside each other, for a grand total of 35 net proxies!!!! Cheesy (you only need 10TB of RAM for this, I strongly encourage it Grin)
legendary
Activity: 3794
Merit: 1375
Armory Developer
Quote
But once I was solely in charge of keeping my own money safe, my attitude quickly changed

Then he went full Kubernetes. Never go full Kubernetes!
legendary
Activity: 3430
Merit: 3080
Successfully imported and verified - wow, this is amazing.  Cool

you could write a little script that does this, it would be a good way to learn that stuff. Once you've updated the online machine's Bitcoin-qt 5+ times, the novelty of how cool gpg and sha256sum are will have worn off, you can return to simplicity with the comfort/satisfaction that you know a lot about what's going on when your software is being checked for authenticity. And you also get to debug the script when one of your assumptions turns out to be bad, hurrah!!

none of this ever mattered to me back in the Windows days, I figured that either software worked or it didn't! But once I was solely in charge of keeping my own money safe, my attitude quickly changed
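The import-and-verify steps discussed in this thread, written as one script. This is an added example, not code posted by anyone in the thread; the three input file names are assumptions, and the pinned fingerprint is the one quoted in the thread for the Bitcoin Core release key.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed inputs: the signer's
# key file, a clearsigned SHA256SUMS.asc, and the downloaded package.

# Primary-key fingerprint quoted in this thread for the Bitcoin Core key.
PINNED_FPR="01EA5486DE18A882D4C2684590C8019E36C2E964"

# True only if gpg --status-fd text contains a VALIDSIG line whose last
# field (the primary key fingerprint) equals the pinned value. A bad
# signature or missing key yields BADSIG/ERRSIG instead, so this fails.
status_has_pinned_sig() {   # $1 = status text, $2 = expected fingerprint
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($NF "") == (want "") { ok = 1 }
        END { exit !ok }'
}

# True only if the SHA-256 of file $2 equals the entry for its basename
# in hash list $1 ("<hash>  <name>" or "<hash> *<name>", no spaces in name).
file_matches_sums() (
    name=$(basename -- "$2")
    want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$1")
    [ -n "$want" ] || exit 1
    got=$(sha256sum -- "$2" | awk '{ print $1 }')
    [ "$got" = "$want" ]
)

# Import the key into a throwaway keyring, so no other key on the machine
# can satisfy the check, then verify the signature and the file hash.
# --decrypt on a clearsigned file writes out only the text the signature
# covers; hashes are read from that output, never from the .asc itself.
verify_release() (   # $1 = key.asc, $2 = SHA256SUMS.asc, $3 = download
    home=$(mktemp -d) || exit 1
    trap 'rm -rf "$home"' EXIT
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null || exit 1
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --output "$home/SHA256SUMS" --decrypt "$2" 2>/dev/null)
    status_has_pinned_sig "$status" "$PINNED_FPR" &&
        file_matches_sums "$home/SHA256SUMS" "$3"
)

# Stand-alone use: sh verify.sh key.asc SHA256SUMS.asc package.deb
if [ "$#" -eq 3 ]; then
    if verify_release "$@"; then
        echo "OK: signature and hash verified"
    else
        echo "FAILED: do not install" >&2
        exit 1
    fi
fi
```

Pinning the fingerprint inside the script means a look-alike key downloaded from the wrong place fails the check even though gpg itself would report a "good" signature for it.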
newbie
Activity: 27
Merit: 3
Successfully imported and verified - wow, this is amazing.  Cool

Thanks so much bob123, Carlton Banks, and PhoenixFire - much appreciated!!
member
Activity: 270
Merit: 36
I'm stuck on how to simply download these .asc files.  If I go to https://github.com/goatpig/BitcoinArmory/tree/master/PublicKeys - how do I download these files so that I can import them?  Do I need to create a .txt file with this information, and then "gpg --import goatpigs-key.asc.txt"?
Navigate to the github page that has each GPG key i.e. they start with:
Code:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Then click the "Raw" button on the right hand side. Once the page has loaded, Ctrl + S or File > Save as and save the file. Then import as above, but the filenames should be just "goatpig-signing-key.asc" and "laanwj-releases.asc" unless your browser does something strange or you rename them.
newbie
Activity: 27
Merit: 3
I'm stuck on how to simply download these .asc files.  If I go to https://github.com/goatpig/BitcoinArmory/tree/master/PublicKeys - how do I download these files so that I can import them?  Do I need to create a .txt file with this information, and then "gpg --import goatpigs-key.asc.txt"?
legendary
Activity: 3430
Merit: 3080
Wladimir J van der Laan's signing key:

[snip]

The best would be to confirm this information by looking at other independent sources.
If you trust bitcointalk.org (and its moderators!), you are fine to use it. The best would be still to verify it using other sources.

I think it would be a good idea to start making t-shirts with all sorts of useful GPG keys printed on them... although that comes with its own problems if any keys on the t-shirt are compromised!!!


but something along those lines could be useful, it's a little more concerning that someone's key that we all rely on doesn't get stolen, but gets spoofed somehow instead, and that gets used to perform some kind of theft or attack


gpg is a bit confusing

everything about gpg is not going to "click" inside your head the first few times you use it. But once you've used it a hundred times, it makes increasingly more sense.

then, you've got an incredibly powerful tool in your hands, just like you have with Bitcoin Wink
legendary
Activity: 1624
Merit: 2481
You can find keys from multiple persons here: https://bitcointalk.org/verify_pubkeys.txt

This page contains keys from Maxwell, theymos, achow101 and more..

It also contains Wladimir J van der Laan's signing key:

Code:
# Wladimir's signing key 0x01EA5486DE18A882D4C2684590C8019E36C2E964


The best would be to confirm this information by looking at other independent sources.
If you trust bitcointalk.org (and its moderators!), you are fine to use it. The best would be still to verify it using other sources.
newbie
Activity: 27
Merit: 3
Question: How does this gpg import process work? (gpg --import key.asc vs the above referenced ubuntu server way?) Where does this information get downloaded from in both manners? My biggest focus is security - would it be best to do "gpg --import WladimirvanderLaankey.acs"? (if so, where do I find the correct spelling?)

The first way (gpg --import key.asc) imports an already downloaded key (which is on your hard drive now) into the pgp database.
The second command (gpg --recv-keys XXXXX) pulls the key with the ID XXXXX from the keyserver you have specified with --keyserver or from the default one of your distro.

It doesn't really matter which way you choose, both have their pros and cons.
You just need to make sure that the source of your information is correct. This means if you download an .asc file, make sure you download it from the correct site.
And if you import it from a keyserver, make sure the ID you are using is coming from the correct source/website.

oh, ok - thank you for clarifying.  Just to confirm, I found 2 signing keys in goatpig's PublicKey section on github (goatpig-signing-key.asc and laanwj-releases.asc).  I know goatpigs is what I need for armory, but is that the correct key for Wladimir van der Laan for bitcoin core?  (I couldn't find it on laanwj's github).

Thanks so much, gpg is a bit confusing - really appreciate this support.
legendary
Activity: 3430
Merit: 3080
You just need to make sure that the source of your information is correct. This means if you download an .asc file, make sure you download it from the correct site.
And if you import it from a keyserver, make sure the ID you are using is coming from the correct source/website.


this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this
legendary
Activity: 1624
Merit: 2481
Question: How does this gpg import process work? (gpg --import key.asc vs the above referenced ubuntu server way?) Where does this information get downloaded from in both manners? My biggest focus is security - would it be best to do "gpg --import WladimirvanderLaankey.acs"? (if so, where do I find the correct spelling?)

The first way (gpg --import key.asc) imports an already downloaded key (which is on your hard drive now) into the pgp database.
The second command (gpg --recv-keys XXXXX) pulls the key with the ID XXXXX from the keyserver you have specified with --keyserver or from the default one of your distro.

It doesn't really matter which way you choose, both have their pros and cons.
You just need to make sure that the source of your information is correct. This means if you download an .asc file, make sure you download it from the correct site.
And if you import it from a keyserver, make sure the ID you are using is coming from the correct source/website.



~snip~
"If you install a software using a DEB package, there is no guarantee that the installed software will be updated to a newer version when you run sudo apt update && sudo apt upgrade."
~snip~

I personally don't like PPA's either.

You could theoretically use them and wouldn't have many downsides.
But I would stick with the manual method.
Once you installed it, all you need to upgrade is to download the new .deb-file and run sudo apt-get install ./newDebFile.deb.

The statement is comparing PPA's to the distro's repository (installing packages via apt-get install xxx from the official distro repository).
That's not what you are doing currently, you are downloading the .deb files yourself.
member
Activity: 65
Merit: 30
Thank you to all for all of the postings. The link below is the reason why I created this new topic:

https://itsfoss.com/ppa-guide/

Abhishek Prakash wrote this tutorial and according to the author PPA stands for "Personal Package Archive". Additionally, the author in his section titled, "Why PPA? Why not DEB packages?" writes the following:

"If you install a software using a DEB package, there is no guarantee that the installed software will be updated to a newer version when you run sudo apt update && sudo apt upgrade."

I do not claim to be an Ubuntu expert, however after reading that I couldn't help wondering if installing Bitcoin Core and Armory using PPA related terminal commands instead of using the traditional DEB install method was the smarter way to go. I may be wrong but the way I understand is using the PPA install method makes it easier to update your Bitcoin Core and Armory apps in the future.

Carlton advises I don't do any of that and just go through the gpg --verify SHA256SUM.asc command process and then install the apps. I'm still trying to figure out that verification process because as I said I am not an Ubuntu expert.

Nevertheless, I was just seeking clarification on this Ubuntu software installation matter because I'm not clear if using the PPA method is supported by Bitcoin Core and Armory.  Any posts that can clarify this for me will be greatly appreciated.  Thanks in advance.
newbie
Activity: 27
Merit: 3
- where do we find the correct spelling for the Wladimir van der Laan key? On the bitcoincore website, it references an ubuntu server "gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 01EA5486DE18A882D4C2684590C8019E36C2E964" do we run this on Debian?

Yes, you can run this on debian.

Question: How does this gpg import process work? (gpg --import key.asc vs the above referenced ubuntu server way?) Where does this information get downloaded from in both manners? My biggest focus is security - would it be best to do "gpg --import WladimirvanderLaankey.acs"? (if so, where do I find the correct spelling?)

Thanks!
newbie
Activity: 27
Merit: 3
Thanks for clarifying - PureOS DE is GNOME.

Check this site for how to create a shortcut on your desktop.
In the command field simply use the path to the binary followed by all parameters, for example:

Code:
/path/to/core --regtest

Thanks, I'll review this information.
legendary
Activity: 1624
Merit: 2481
Thanks for clarifying - PureOS DE is GNOME.

Check this site for how to create a shortcut on your desktop.
In the command field simply use the path to the binary followed by all parameters, for example:

Code:
/path/to/core --regtest
newbie
Activity: 27
Merit: 3
Thanks Carlton - to my understanding, PureOS is a fork of Debian Testing.

well, no!

Debian is the underlying OS. It doesn't need to have mouse pointers and windows, Debian (and all other Linux) is just a terminal, like the old MS-DOS, if you remember that, literally a black screen with a terminal prompt in the top left corner (scary!)

Debian lets you choose a different DE, they support about 4-5 different ones. Cinnamon is a DE. xfce is my own personal fave DE, but it's down to personal choice.

Thanks for clarifying - PureOS DE is GNOME.
legendary
Activity: 3430
Merit: 3080
Thanks Carlton - to my understanding, PureOS is a fork of Debian Testing.

well, no!

Debian is the underlying OS. It doesn't need to have mouse pointers and windows, Debian (and all other Linux) is just a terminal, like the old MS-DOS, if you remember that, literally a black screen with a terminal prompt in the top left corner (scary!)

Debian lets you choose a different DE, they support about 4-5 different ones. Cinnamon is a DE. xfce is my own personal fave DE, but it's down to personal choice.
newbie
Activity: 27
Merit: 3
Thanks bob123 - I'm not sure what this means.  By DE, do you mean which Debian? Specifically PureOS by Purism. Core 0.18.1.

A desktop environment is a window manager (as the name says, managing windows from programs you open) and a bundle of software (e.g. settings manager, network manager, text editor, etc..).

You can take a look here: https://itsfoss.com/best-linux-desktop-environments/ and check the pictures. Which seems to be the closest to your setup (specifically the task bar and start menu) ?

Generally there are multiple ways to create a clickable shortcut, the easiest probably should be to right-click on the desktop and choose something like create shortcut.
If you can provide us the name of your DE, we can give you a more detailed instruction.

Oh, ok - PureOS uses GNOME.

Side note - how do you make that nicely quoted box when replying to people on this forum?

You can click Quote at the top right corner of a post, to quote it:

https://i.imgur.com/9shggKV.png

Nice - thanks

Should I do the same thing in the future when upgrading Armory?

If new dependencies are required, then yes.
Otherwise you don't have to transfer anything to your offline machine (except for the armory upgrade of course).

Great.
legendary
Activity: 1624
Merit: 2481
Thanks bob123 - I'm not sure what this means.  By DE, do you mean which Debian? Specifically PureOS by Purism. Core 0.18.1.

A desktop environment is a window manager (as the name says, managing windows from programs you open) and a bundle of software (e.g. settings manager, network manager, text editor, etc..).

You can take a look here: https://itsfoss.com/best-linux-desktop-environments/ and check the pictures. Which seems to be the closest to your setup (specifically the task bar and start menu) ?

Generally there are multiple ways to create a clickable shortcut, the easiest probably should be to right-click on the desktop and choose something like create shortcut.
If you can provide us the name of your DE, we can give you a more detailed instruction.



Side note - how do you make that nicely quoted box when replying to people on this forum?

You can click Quote at the top right corner of a post, to quote it:





Should I do the same thing in the future when upgrading Armory?

If new dependencies are required, then yes.
Otherwise you don't have to transfer anything to your offline machine (except for the armory upgrade of course).
newbie
Activity: 27
Merit: 3
Thanks Carlton - to my understanding, PureOS is a fork of Debian Testing.

Also, I ran "sudo dpkg -i armory.deb" on my online and offline computer to install armory.  Downloaded all required dependencies with "sudo apt install dependencies" for all required dependencies on the online computer, and then transferred them to the offline machine to install the same way.  Should I do the same thing in the future when upgrading Armory?

Really appreciate this helpful discussion!