Author

Topic: PPA vs. DEB install. Which is better for Armory & Bitcoin Core? (Read 311 times)

legendary
Activity: 3430
Merit: 3080
Quote
But once I was in solely in charge of keeping my own money safe, my attitude quickly changed

Then he went full Kubernets. Never go full Kubernets!

Grin

I still run "bare metal" debian on a raspi 3 (bare plastic? bare play-do!)

The rest of the time, I have 5 copies of Qubes nested inside each other, for a grand total of 35 net proxies!!!! Cheesy (you only need 10TB of RAM for this, I strongly encourage it Grin)
legendary
Activity: 3766
Merit: 1364
Armory Developer
Quote
But once I was in solely in charge of keeping my own money safe, my attitude quickly changed

Then he went full Kubernets. Never go full Kubernets!
legendary
Activity: 3430
Merit: 3080
Successfully imported and verified - wow, this is amazing.  Cool

you could write a little script that does this, it would be a good way to learn that stuff. Once you've updated the online machine's Bitcoin-qt 5+ times, the novelty of how cool gpg and sha256sum are will have worn off, you can return to simplicity with the comfort/satisfaction that you know alot about what's going on when your software is being checked for authenticity. And you also get to debug the script when one of your assumptions turns out to be bad, hurrah!!

none if this ever mattered to me back in the Windows days, I figured that either software worked or it didn't! But once I was in solely in charge of keeping my own money safe, my attitude quickly changed
newbie
Activity: 27
Merit: 3
Successfully imported and verified - wow, this is amazing.  Cool

Thanks so much bob123, Carlton Banks, and PhoenixFire - much appreciated!!
member
Activity: 270
Merit: 36
I'm stuck on how to simply download these .asc files.  If I go to https://github.com/goatpig/BitcoinArmory/tree/master/PublicKeys - how do I download these files so that I can import them?  Do I need to create .txt file with this information, and then "gpg --import goatpigs-key.asc.txt"?
Navigate to the github page that has each GPG key i.e. they start with:
Code:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
Then click the "Raw" button on the right hand side. Once the page has loaded, Ctrl + S or File > Save as and save the file. Then import as above, but the filenames should be just "goatpig-signing-key.asc" and "laanwj-releases.asc" unless your browser does something strange or you rename them.
newbie
Activity: 27
Merit: 3
I'm stuck on how to simply download these .asc files.  If I go to https://github.com/goatpig/BitcoinArmory/tree/master/PublicKeys - how do I download these files so that I can import them?  Do I need to create .txt file with this information, and then "gpg --import goatpigs-key.asc.txt"?
legendary
Activity: 3430
Merit: 3080
Wladimir J van der Laan's signing key:

[snip]

The best would be to confirm this information by looking at other independent sources.
If you trust bitcointalk.org (and its moderators!), you are fine to use it. The best would be still to verify it using other sources.

I think it would be a good idea to start making t-shirts with all sorts of useful GPG keys printed on them... although that comes with it's own problems if any keys on the t-shirt are compromised!!!


but something along those lines could be useful, it's a little more concerning that someone's key that we all rely doesn't get stolen, but gets spoofed somehow instead, and that gets used to perform some kind of theft or attack


gpg is bit confusing

everything about gpg is not going to "click" inside your head the first few times you use it. But once you've used it a hundred times, it makes increasingly more sense.

then, you've got an incredibly powerful tool in your hands, just like you have with Bitcoin Wink
legendary
Activity: 1624
Merit: 2481
You can find keys from multiple persons here: https://bitcointalk.org/verify_pubkeys.txt

This page contains keys from Maxwell, theymos, achow101 and more..

It also contains Wladimir J van der Laan's signing key:

Code:
# Wladimir's signing key 0x01EA5486DE18A882D4C2684590C8019E36C2E964
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFWKlBcBEACgZJd/6LrSgNSVxiyq5N9h0E7zgSHG/ahuWAnWeFtxaxHeukH+
Q2Zq6F8FLbq40PphyroRylMBpzPBcyxjee7mDj1DpJ9ayv6GGPTyQzOImhChEV8p
bA42dvXnB5ju0rPh2GxctbiZZD1kiPH4jlmDIgomvupAj9OFntA5jfkuSFBekZrw
QyZowz/paMBIe24YH2LyaZjC2DqLy8Znh78OfAZxZsWSdZxK5LsbkCE9l8Li3gQa
rxm4aEMBHhvns+s8Ufa47sdJAYAfVnAWb5Dfe4oVFh70PvB8GSGFS9qeib0eEQBD
71c9MN+REDTSOYO2VnUSFbu7IrKsPsClqwfT9KzI/uz5fpHSKdCp5AO7oDZiU36s
LsSOBbukTmFQfVrAniFEZxHLCBufXCsAwp07xtUH9ytbW0Y/eHYlZojoWJJPT//1
cQ/A2Ix/nxbSkSPq8wpCUhBxvTQoU9BXeQIbSy0yUmj5nS+3DR7IK2Q7ACyVClr7
LVQOGxgZhHr9Kq87RDqc1wlvbCxb+KTJQhJySpOVoiaME6jLBzgE7G+5N6IXTK5u
OriOsQwcLdeBu7TPgft79uBYnmYeaNVdovlBB//7H7UvY0kAxAg4NPgK6eYRdzn+
8ZtbntNXi/23RJvzeZJVBqQ7bYt4fjmHmRYrbM4jWKJEoJOE6wzpmELUowARAQAB
tFVXbGFkaW1pciBKLiB2YW4gZGVyIExhYW4gKEJpdGNvaW4gQ29yZSBiaW5hcnkg
cmVsZWFzZSBzaWduaW5nIGtleSkgPGxhYW53akBnbWFpbC5jb20+iQI+BBMBAgAo
AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCWKLo+AUJBtq73QAKCRCQyAGe
NsLpZI/uD/sGG/o6nSNFvgnvC9o9k4SK/JHXyupo1VFpVUMCHNb3i6x0a+Dymrua
VsMVCzy85lAaoALQIq3X/3Tjqr8HbE5wzQQ/4XFAZZOwy6ncibgaVX4h3eMdMXm+
kSU1CLP72QRJEPxU89RPMbkxH+VArP/RyP35hec/qX51Ywm8dX5BjB/6Wj03X2sw
wEw9QvGLPmGzXaJrzL8LlHx04Fk1wZ0NorKlffxNSB/NP8NTKEFp0h9e1xvR8Q5q
OxM2ZARLwPK+xxk4povyKRWqxuesh5p1LSDvh+S9Cie3+GD57ZA1dQSjyCaPQZUi
0yZlctyekgK3qEdQKGMva1/AD1trhQbp4mdnNsOjgo+YzJLxPif41nSqelkzDRwH
JYYtIYnDAbO27d97ios+E3H/NXmn5GeCcx2RuBA4V0RTvJHpRlXFJdvV5HShXvTE
UduOr8fCwc7Bi58dWy/YHAjjPsEpSJQEeKo0hgaRrj3pfvLJG9w4AvI/AqeOdxYW
1xhCi+MoIrfMHIYZ3NY65Kz6r2rLLtuR9oy5qOGawDcb3sfAmf3xh6N5RSakDRhF
/9aJtxH6OiyicLUBTt50wgNWYx/3jMjLpPt7EWQgT23qQvNI3s8W702JWPHrPOi7
t8cqGZIhcokW3DPhs4RRW6FLnbp48PhtVRtPAwNwzKKLoEvaQu8fZA==
=2Kph
-----END PGP PUBLIC KEY BLOCK-----


The best would be to confirm this information by looking at other independent sources.
If you trust bitcointalk.org (and its moderators!), you are fine to use it. The best would be still to verify it using other sources.
newbie
Activity: 27
Merit: 3
Question: How do this gpg import process work? (gpg --import key.asc vs the above referenced ubuntu server way?) Where does this information get downloaded from in bother manners? My biggest focus is security - would it be best to do "gpg --import WladimirvanderLaankey.acs? (if so, where do i find the correct spelling?)

The first way (gpg --import key.asc) imports an already downloaded key (which is on your hard drive now) into the pgp database.
The second command (gpg --recv-keys XXXXX) pulls the key with  the ID XXXXX from the keyserver you have specified with --keyserver or from the default one of your distro.

It doesn't really matter which way you choose, both have its pros and cons.
You just need to make sure that the source of your information is correct. This means if you download an .asc file, make sure you download it from the correct site.
And if you import it from a keyserver, makesure the ID you are using is coming from the correct source/website.

oh, ok - thank you for clarifying.  Just to confirm, I found 2 signing keys in goatpig's PublicKey section on github (goatpig-signing-key.asc and laanwj-releases.asc).  I know goatpigs is what I need for armory, but is that the correct key for Wladimir van der Laan for bitcoin core?  (I couldn't find it on laanwj's github).

Thanks so much, gpg is bit confusing - really appreciate this support.
legendary
Activity: 3430
Merit: 3080
You just need to make sure that the source of your information is correct. This means if you download an .asc file, make sure you download it from the correct site.
And if you import it from a keyserver, makesure the ID you are using is coming from the correct source/website.


this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this this
legendary
Activity: 1624
Merit: 2481
Question: How do this gpg import process work? (gpg --import key.asc vs the above referenced ubuntu server way?) Where does this information get downloaded from in bother manners? My biggest focus is security - would it be best to do "gpg --import WladimirvanderLaankey.acs? (if so, where do i find the correct spelling?)

The first way (gpg --import key.asc) imports an already downloaded key (which is on your hard drive now) into the pgp database.
The second command (gpg --recv-keys XXXXX) pulls the key with  the ID XXXXX from the keyserver you have specified with --keyserver or from the default one of your distro.

It doesn't really matter which way you choose, both have its pros and cons.
You just need to make sure that the source of your information is correct. This means if you download an .asc file, make sure you download it from the correct site.
And if you import it from a keyserver, makesure the ID you are using is coming from the correct source/website.



~snip~
"If you install a software using a DEB package, there is no guarantee that the installed software will be updated to a newer version when you run sudo apt update && sudo apt upgrade."
~snip~

I personally don't like PPA's either.

You could theoretically use them and wouldn't have much downsides.
But i would stick with the manual method.
Once you installed it, all you need to upgrade is to download the new .deb-file and run sudo apt-get install ./newDebFile.deb.

The statement is comparing PPA's to the distros repository (installing packages via apt-get install xxx from the official distro repository).
That's not what you are doing currently, you are downloading the .deb files yourself.
member
Activity: 65
Merit: 30
Thank you to all for all of the postings. The link below is the reason why I created this new topic:

https://itsfoss.com/ppa-guide/

Abhishek Prakash wrote this tutorial and according to the author PPA stands for "Personal Package Archive". Additionally, the author in his section titled, "Why PPA? Why not DEB packages?" writes the following:

"If you install a software using a DEB package, there is no guarantee that the installed software will be updated to a newer version when you run sudo apt update && sudo apt upgrade."

I do not claim to be an Ubuntu expert, however after reading that I couldn't help wondering if installing Bitcoin Core and Armory using PPA related terminal commands instead of using the traditional DEB install method was the smarter way to go. I may be wrong but the way I understand is using the PPA install method makes it easier to update your Bitcoin Core and Armory apps in the future.

Colton advises I don't do any of that and just go through the gpg --verify SHA256SUM.asc command process and then install the apps. I'm still trying to figure out that verification process because as I said I am not an Ubuntu expert.

Nevertheless, I was just seeking clarification on this Ubuntu software installation matter because I'm not clear if using the PPA method is supported by Bitcoin Core and Armory.  Any posts that can clarify this for me will be greatly appreciated.  Thanks in advance.
newbie
Activity: 27
Merit: 3
- where do we find the correct spelling for the Wladimir van der Laan key? On the bitcoincore website, it references an ubuntu server "gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 01EA5486DE18A882D4C2684590C8019E36C2E964" do we run this on Debian?

Yes, you can run this on debian.

Question: How do this gpg import process work? (gpg --import key.asc vs the above referenced ubuntu server way?) Where does this information get downloaded from in bother manners? My biggest focus is security - would it be best to do "gpg --import WladimirvanderLaankey.acs? (if so, where do i find the correct spelling?)

Thank!
newbie
Activity: 27
Merit: 3
Thanks for clarifying - PureOS DE is GNOME.

Check this site for how to create a shortcut on your desktop.
In the command field simply use the path to the binary followed by all parameters, for example:

Code:
/path/to/core --regtest

Thanks, I'll review this information.
legendary
Activity: 1624
Merit: 2481
Thanks for clarifying - PureOS DE is GNOME.

Check this site for how to create a shortcut on your desktop.
In the command field simply use the path to the binary followed by all parameters, for example:

Code:
/path/to/core --regtest
newbie
Activity: 27
Merit: 3
Thanks Carlton - to my understanding, PureOS is a fork of Debian Testing.

well, no!

Debian is the underlying OS. It doesn't need to have mouse pointers and windows, Debian (and all other Linux) is just a terminal, like the old MS-DOS, if you remember that, literally a black screen with a terminal prompt in the top left corner (scary!)

Debian lets you choose a different DE, they support about 4-5 different ones. Cinammon is a DE. xfce is my own personal fave DE, but it's down to personal choice.

Thanks for clarifying - PureOS DE is GNOME.
legendary
Activity: 3430
Merit: 3080
Thanks Carlton - to my understanding, PureOS is a fork of Debian Testing.

well, no!

Debian is the underlying OS. It doesn't need to have mouse pointers and windows, Debian (and all other Linux) is just a terminal, like the old MS-DOS, if you remember that, literally a black screen with a terminal prompt in the top left corner (scary!)

Debian lets you choose a different DE, they support about 4-5 different ones. Cinammon is a DE. xfce is my own personal fave DE, but it's down to personal choice.
newbie
Activity: 27
Merit: 3
Thanks bob123 - I'm not sure what this means.  By DE, do you mean which Debian? Specifically PureOS by Purism. Core 0.18.1.

A desktop environment is a window manager (as the name says, managing windows from programs you open) and a bundle of software (e.g. settings manager, network manager, text editor, etc..).

You can take a look here: https://itsfoss.com/best-linux-desktop-environments/ and check the pictures. Which seems to be the closest to your setup (specifically the task bar and start menu) ?

Generally there are multiple ways to create a clickable shortcut, the easiest probably should be to right-click on the desktop and choose something like create shortcut.
If you can provide us the name of your DE, we can give you a more detailed instruction.

Oh, ok - PureOS uses GNOME.

Side note - how do you make that nicely quoted box when replying to people on this forum?

You can click Quote at the top right corner of a post, to quote it:

https://i.imgur.com/9shggKV.png

Nice - thanks

Should I do the same thing in the future when upgrading Armory?

If new dependencies are required, then yes.
Otherwise you don't have to transfer anything to your offline machine (except for the armory upgrade of course).

Great.
legendary
Activity: 1624
Merit: 2481
Thanks bob123 - I'm not sure what this means.  By DE, do you mean which Debian? Specifically PureOS by Purism. Core 0.18.1.

A desktop environment is a window manager (as the name says, managing windows from programs you open) and a bundle of software (e.g. settings manager, network manager, text editor, etc..).

You can take a look here: https://itsfoss.com/best-linux-desktop-environments/ and check the pictures. Which seems to be the closest to your setup (specifically the task bar and start menu) ?

Generally there are multiple ways to create a clickable shortcut, the easiest probably should be to right-click on the desktop and choose something like create shortcut.
If you can provide us the name of your DE, we can give you a more detailed instruction.



Side note - how do you make that nicely quoted box when replying to people on this forum?

You can click Quote at the top right corner of a post, to quote it:





Should I do the same thing in the future when upgrading Armory?

If new dependencies are required, then yes.
Otherwise you don't have to transfer anything to your offline machine (except for the armory upgrade of course).
newbie
Activity: 27
Merit: 3
Thanks Carlton - to my understanding, PureOS is a fork of Debian Testing.

Also, I ran "sudo dkpg -i armory.deb" on my online and offline computer to install armory.  Downloaded all required dependencies with "sudo apt install dependencies" for all required dependencies on the online computer, and then transferred them to the offline machine for install the same way.  Should I do the same thing in the future when upgrading Armory?

Really appreciate this helpful discussion!
legendary
Activity: 3430
Merit: 3080
By DE, do you mean which Debian? Specifically PureOS by Purism.

he means "Desktop Environment"

it's basically a bunch of programs that provides you with the desktop graphics, and responds to you moving the mouse and clicking things (multiple different DE's are available for Linux, MacOS and Windows have only 1 possible DE)

for PureOS, I think it's Cinammon, isn't it? Don't know tbh
newbie
Activity: 27
Merit: 3
"You can create a shortcut running any command with any parameter you wish.
What DE are you using ?"

Thanks bob123 - I'm not sure what this means.  By DE, do you mean which Debian? Specifically PureOS by Purism. Core 0.18.1.

Side note - how do you make that nicely quoted box when replying to people on this forum?
legendary
Activity: 3430
Merit: 3080
you can do (when inside of the directory):
Code:
apt-get install ./armory.deb

It usually is recommended to stick with apt-get, because it doesn't just install a package, but also looks for dependencies since it is a package management software.

didn't know this, good job bob123
legendary
Activity: 1624
Merit: 2481
- on goatpig's github, I see goatpig-signing-key.asc under the PublicKeys section - is this correct?

Yes.



- where do we find the correct spelling for the Wladimir van der Laan key? On the bitcoincore website, it references an ubuntu server "gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 01EA5486DE18A882D4C2684590C8019E36C2E964" do we run this on Debian?

Yes, you can run this on debian.



good to know - I have been running ./bitcoin-qt to run core. It would be nice to have an applications link.

You can create a shortcut running any command with any parameter you wish.
What DE are you using ?
newbie
Activity: 27
Merit: 3
Interesting discussion. I have a follow-up question with regard to importing the gpg keys:

- on goatpig's github, I see goatpig-signing-key.asc under the PublicKeys section - is this correct?

- where do we find the correct spelling for the Wladimir van der Laan key? On the bitcoincore website, it references an ubuntu server "gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 01EA5486DE18A882D4C2684590C8019E36C2E964" do we run this on Debian?


"***optional*** get the bitcoin.desktop file from https://github.com/bitcoin/contrib"
good to know - I have been running ./bitcoin-qt to run core. It would be nice to have an applications link.
legendary
Activity: 1624
Merit: 2481
Carlton Banks pretty much explained everything, however if you are going to use your fresh Ubuntu install for more than just your online armory, i would install the package via apt-get instead of dpkg.

So, instead of:

8. if the hashes (long string of letters and numbers) match, dpkg -i armory.deb

you can do (when inside of the directory):
Code:
apt-get install ./armory.deb

It usually is recommended to stick with apt-get, because it doesn't just install a package, but also looks for dependencies since it is a package management software.
This makes it easier for you to remove or change packages later compared to simply just installing it using dpkg.

apt-get uses dpkg to install the package in back end, but has additional features (scanning for dependencies, notifying when they can be removed, etc.).
legendary
Activity: 3430
Merit: 3080
what you're basically doing above is

  • checking that the list of "matching codes" you download is signed by the Bitcoin/Armory developers (the gpg --verify SHA256SUM.asc command)
  • checking the Bitcoin/Armory program you download matches the one from the developers (the sha256sum command)

once you've got Goatpig and Wladimir's keys in your online PC, you can skip that step in future

doing it this way is all about being very sure someone hasn't hacked the website you're getting Bitcoin/Armory from. As long as you've got the right key for Goatpig and Wladimir (and as long as those 2 keep their keys safe), then you can't accidentally download a fake version that steals all your money
legendary
Activity: 3430
Merit: 3080
for bitcoin, it's kind of the same, just there is no .deb and a different website


  • go to https://bitcoincore.org/bin
  • download version of your choice (newest is generally best) and the corresponding SHA256SUM.asc file
  • Download the Wladimir van der Laan key (it's at https://bitcoincore.org, go to "Downloads" section)
  • gpg --import wladimirs-key.asc (again, it's called something different to that in reality)
  • gpg --verify SHA256SUM.asc
  • sha256sum bitcoin-whatever-version.tar.gz
  • compare the output of sha256sum bitcoin-whatever-version.tar.gz with the line that says "bitcoin-whatever-version.tar.gz" in the SHA256SUM file (open SHA256SUM in text editor to do this)
  • if the hashes (long string of letters and numbers) match, tar -xf bitcoin-whatever-version.tar.gz
  • sudo cp ./bitcoin-whatever-version/bin/bitcoin* /usr/bin
  • ***optional*** get the bitcoin.desktop file from https://github.com/bitcoin/contrib and sudo mv bitcoin.desktop /usr/share/applications, this will give you a desktop icon to click in your desktop menu
legendary
Activity: 3430
Merit: 3080
don't do any of that IMO


1. Go to github.com/goatpig
2. find Amory
3. find downloads, download latest .deb and SHA256SUM file
4. find Goatpig's key, download and do: gpg --import goatpigs-key.asc (it's not called goatpigs-key, but something similar)
5. gpg --verify SHA256SUM  (it might be called SHA256SUM.asc, can't remember offhand)
6. sha256sum armory.deb
7. compare the output of sha256sum armory.deb with the line that says "armory.deb" in the SHA256SUM file (open SHA256SUM in text editor to do this)
8. if the hashes (long string of letters and numbers) match, dpkg -i armory.deb

I think the armory.deb you need will be the one with "GCC7" in the name
member
Activity: 65
Merit: 30
Fellow Forum Members,
I have a clean install of Ubuntu 18 on a brand new 2TB hard drive I bought for my new ARMORY ONLINE PC setup. The time has come to install the latest version for both Bitcoin Core and Armory. I hope someone would be so kind to clarify for me if it is best to install both Armory and Bitcoin Core using the PPA install process or is it better to use the traditional DEB install process?  Mainly, I would like to know if using the PPA install process will make my life easier as it relates to installing Armory and Bitcoin Core updates in the future?  In short, are Armory and Bitcoin Core designed to take advantage of the PPA install process?  Does PPA have any negatives?  

From what I gather the PPA install process requires I use the terminal commands shown below:
Code:
sudo add-apt-repository ppa:armory
Code:
sudo apt-get update
Code:
sudo apt-get install armory-installer

Do I need to make any changes to the code shown above?

Thanks in advance and I look forward to reading any opinions if the PPA installation process is the best installation process to use or if the traditional DEB install process is the best way to go.  
Jump to: