In-App Update Fails to Verify. Manual D/Load 0,8,0 Also Fails to Verify – No Public Key #1679
Comments
Christoph's public key is available here: |
Hmmm... Not exactly confidence inspiring, given we're dealing with issues of trust & verification here. EDIT: that server doesn't seem to be running on [or configured properly on] HTTPS. There's no auto redirect from HTTP to HTTPS when accessing it via http://pool.sks-keyservers.net |
...and trying to import the key from the URL given in the docs says the signature is "Good" but then warns it's "not certified with a trusted signature!" Which may still mean it's OK –the fingerprints match– so maybe it's just like a self-signed cert warning on HTTPS? But it's certainly confusing for those of us [like me] who aren't that well up on the intricacies of PGP signatures, etc. Do I trust it or not?
Oh. And BTW, the docs don't mention having to import the key first, at all. They just give that one-liner for verifying it. |
@madranet The problem in your case is that my key was added to the Bisq client after version 0.6.2. That's the reason why you experienced the problem. You could download the version directly here from GitHub and verify the build again before installing it. Afterwards, updates that are released by myself should work as expected. |
You can find the URL of the signing key in the description of the release.
|
Yep. That's the one I used. See terminal output in my previous post. What I want to know now is, is it safe to ignore the:
warning that I got at the end? |
Do you get a different warning when you verify a build released and signed by @ManfredKarrer? I think Manfred signed my key publicly. So if you trust his key it also should put my key as trusted. |
@ManfredKarrer's key seems to validate OK –apart from the [expected?] warning that it has expired.
|
I'll check with Manfred as soon as he is available again if he could sign my key also with his older expired one. Thanks for the report @madranet - shouldn't be too hard to solve from our side. |
Well, I guess it's safe to trust the download this time. Given you're one of the maintainers of the repo. Thanks for your help. |
Could you try it with this one https://www.dropbox.com/s/v85qi6zxhq7feeu/29CDFD3B.asc |
I still get the same error with that one:
As I said previously, I'm not very au fait with gpg but the terminal output seems to suggest the new key is 'unchanged' from the previous one. Do I have to do something to discard the old one first, before importing the new one? |
What is printed if you enter |
That gives me:
|
Hmm... That prints Manfred's key that was also used for signing the other build. Actually I thought this should work. I think we have to wait for @ManfredKarrer to clarify this. Unfortunately I'm not a hardcore gpg user myself. |
At version 0.6.2, Christoph's gpg key was not added to the binary, so that is why the verification fails from the in-app downloader. Christoph's key is here: https://github.com/bisq-network/bisq/releases/download/v0.8.0/29CDFD3B.asc The gpg warnings are unfortunately confusing. See: https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key Yes, the instruction misses the importing of the key. I will add that. As people should not install old versions, I leave the expired key on GitHub. If I do a new release I will upload an updated key. |
The problem was not caused initially by trying to install an old version per se, but by an already installed older version of the desktop app [0,6,x - with a cert signed by @ManfredKarrer] trying to update itself to a newer version [0,8,0 - with a cert signed by @ripcurlx]. Bit of an edge case, I'll grant you. But it did lead into a morass of confusion. |
[OSX 10,11,6]
It's been quite a while since I opened the app, so I'm on some version prior to 0,6,2 which is the version the app says it's going to update to, when I launch it:
It then proceeds to D/load 0,8,0...
But the D/load fails to verify...
So I then D/load manually and follow the instructions given to verify using pgp:
But that fails with a "No Public Key" error
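
The three outcomes met in this thread (no public key, a good signature carrying the "not certified with a trusted signature" warning, and a good signature from an expired key) can be told apart from gpg's machine-readable status lines. The following is an added example, not part of the thread or of the Bisq project: `classify` is a hypothetical helper, and every fingerprint, key ID and status line in it is constructed. It assumes the pinned fingerprint was obtained from a source you already trust.

```python
# Added example. Classifies the machine-readable lines printed by
#   gpg --status-fd 1 --verify <file>.asc <file>
# All key IDs and fingerprints below are constructed placeholders.
FPR_A = "A" * 40   # stands in for the fingerprint published with the release
FPR_B = "B" * 40   # stands in for an older, expired signing key

def classify(status_text, pinned_fpr):
    """Return (verdict, certified) for one signature check."""
    seen, fprs = set(), set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        seen.add(parts[1])
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            fprs.add(parts[2].upper())        # signing (sub)key fingerprint
            if len(parts) >= 12:
                fprs.add(parts[11].upper())   # primary key fingerprint
    # "certified" mirrors gpg's trust warning: web-of-trust state, not the crypto.
    certified = bool(seen & {"TRUST_FULLY", "TRUST_ULTIMATE"})
    if "BADSIG" in seen:
        verdict = "bad-signature"
    elif "NO_PUBKEY" in seen:
        verdict = "missing-public-key"        # import the signer's key first
    elif "REVKEYSIG" in seen:
        verdict = "revoked-key"
    elif "VALIDSIG" not in seen:
        verdict = "unverifiable"
    elif pinned_fpr.upper() not in fprs:
        verdict = "wrong-signer"              # valid, but not the pinned key
    elif "EXPKEYSIG" in seen:
        verdict = "good-but-key-expired"
    elif "GOODSIG" in seen:
        verdict = "good"
    else:
        verdict = "unverifiable"
    return verdict, certified

def validsig(fpr):
    return f"[GNUPG:] VALIDSIG {fpr} 2018-03-02 1520000000 0 4 0 1 8 00 {fpr}"

NO_KEY = ("[GNUPG:] ERRSIG 1111111111111111 1 8 00 1520000000 9\n"
          "[GNUPG:] NO_PUBKEY 1111111111111111")
UNTRUSTED = ("[GNUPG:] GOODSIG 1111111111111111 Constructed Signer\n"
             + validsig(FPR_A) + "\n[GNUPG:] TRUST_UNDEFINED 0 pgp")
EXPIRED = ("[GNUPG:] KEYEXPIRED 1500000000\n"
           "[GNUPG:] EXPKEYSIG 2222222222222222 Constructed Old Signer\n"
           + validsig(FPR_B) + "\n[GNUPG:] TRUST_UNDEFINED 0 pgp")

if __name__ == "__main__":
    for name, text, fpr in [("no key", NO_KEY, FPR_A), ("untrusted", UNTRUSTED, FPR_A),
                            ("expired", EXPIRED, FPR_B), ("other key", UNTRUSTED, FPR_B)]:
        print(name, classify(text, fpr))
```

The second element of the result stays `False` for `TRUST_UNDEFINED`, which is the status behind the "not certified" warning; the verdict itself depends only on the signature check and the fingerprint comparison.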