The message is here:
https://s3.amazonaws.com/bitcoinarmory-releases/armory_0.91.1_sha256sum.txt.asc
But if I am using this to verify a file I downloaded off this site, couldn't they just replace this page on the site too with their own key?
The hashes are signed with key ID 98832223. The MIT keyserver has this key registered to one Alan C. Reiner (alan[at]bitcoinarmory[dot]com). There are several other signatures on the key.
If you can verify the keys of the people that signed this key and trust that they would not lie, or if you are sure that this is in fact the author’s key, you can use the hashes to verify the file.
If you need help on checking signatures, just let me know!
Regards,
Sean C.
Yes, I need help verifying the signature I linked to. Also, how do I know, if the website was hacked, that the author wouldn't just change the message above the signature and leave the signature to match the certificate of the original author?
First, copy the entire text at the URL, including:
-----BEGIN PGP SIGNED MESSAGE-----
and
-----END PGP SIGNATURE-----
You probably want to save the text (e.g. in a .txt format) on your computer.
Now, in order to completely verify the signature, you will need the public key of the person who is supposed to have signed it. This is the tricky part. In order to be absolutely sure you have the right key, you need to meet with the person and have them verify that this is indeed their key. If you are unable to do this, you can look at the signatures on the key and if you are certain those keys are valid and you trust those people to only sign keys which they themselves have personally verified, then you can probably trust the key in question. Short of that, you must accept on faith that the signing key is valid and has not been spoofed. This is called the “web of trust” and is essential to GPG’s functionality. (NB: Anyone can make a key with any name and email address and upload it to the keyservers!) If you trust the key, import it onto your keyring.
Once you are sure you have imported the correct key, you can either use Kleopatra or the command prompt to verify the signature. If you are using Kleopatra, simply open the interface and click the “file” menu. Then click “Decrypt/Verify Files”. In the dialogue, select the .txt file you saved earlier. Make sure the “Input file is a detached signature” box is NOT checked for this file. Next, click the “Decrypt/Verify” button and the program will notify you of the results as well as create an output file containing just the text that was signed.
If you are using the command prompt, navigate to the directory containing the file and at the prompt type:
gpg --verify [filename]
The command prompt will display the result.
In regards to your question about how one would know if the information above the signature had been changed: that is the beauty of the signature. It is generated using the private key of the signer and the data being signed. So, if anyone were to alter the signed data in any way, the signature would be invalid and GPG would tell you so!
I hope that helps!
Regards,
Sean C.
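Putting Sean's steps together in script form, as an added example that is not part of this thread: it splits the saved clearsigned text into the signed body and the signature block, reads the sha256sum lines, checks a downloaded file against them, and wraps `gpg --verify` so that only a valid signature from the key ID named above (assumed here to be the expected signer) counts. The sample message, the `.deb` filename and the placeholder signature block are constructed for the example; `gpg_verify` additionally needs gpg installed and the signer's key imported.

```python
import hashlib
import re
import subprocess

EXPECTED_KEY_ID = "98832223"  # key ID named in the thread; assumed here to be the expected signer
def split_clearsigned(text):
    # Return (signed_text, armored_signature), undoing '- ' dash-escaping (RFC 4880 7.1).
    lines = text.splitlines()
    try:
        begin = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        sig_begin = lines.index("-----BEGIN PGP SIGNATURE-----")
        sig_end = lines.index("-----END PGP SIGNATURE-----")
    except ValueError:
        raise ValueError("incomplete clearsigned message: copy BEGIN through END")
    body = lines.index("", begin + 1) + 1  # signed text starts after the blank line ending 'Hash:' headers
    signed = [l[2:] if l.startswith("- ") else l for l in lines[body:sig_begin]]
    return "\n".join(signed).strip("\n"), "\n".join(lines[sig_begin:sig_end + 1])

def parse_sha256sums(signed_text):
    # sha256sum output lines: '<64 hex>  name' (text mode) or '<64 hex> *name' (binary mode)
    pat = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")
    return {m.group(2): m.group(1).lower() for m in map(pat.match, signed_text.splitlines()) if m}

def download_matches(data, filename, sums):
    # True only if filename is listed and the downloaded bytes hash to the listed digest.
    expected = sums.get(filename)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected

def gpg_verify(path, expected_key_id=EXPECTED_KEY_ID):
    # Same check as 'gpg --verify', read via --status-fd: require a VALIDSIG from the
    # expected key, not merely any good signature. Needs gpg and the imported key.
    out = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", path],
                         capture_output=True, text=True).stdout
    for line in out.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2].upper().endswith(expected_key_id.upper())
    return False

# Constructed sample, not the real Armory file: a clearsigned sha256sum list
# whose signature block is a placeholder that gpg would reject.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

%s  armory_0.91.1_example.deb
- -- dash-escaped line that is part of the signed text
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER_SIGNATURE_DATA
-----END PGP SIGNATURE-----
""" % hashlib.sha256(b"example installer bytes").hexdigest()
```

Against a real download, run `gpg_verify` on the saved `.txt` first and only then trust the digests from `parse_sha256sums`; a tampered message fails the signature check, and a tampered installer fails `download_matches`.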