Differences between revisions 1 and 12 (spanning 11 versions)

Check integrity of Gpg4win packages

You shall only run applications on your computer that you trust. This page shows several methods to check that the software called Gpg4win that you have just downloaded originates from the Gpg4win Initiative. Using one method is good enough.

Contents

Check integrity of Gpg4win packages

Code Signing Certificate

All Gpg4win installer files since April 2016 are code signed. The signature informations used to code sign the packages can be found on the Gpg4Win package integrity site. Windows can check the integrity and the publisher of a signed software package.

Method A: UAC (recommended)

When trying to run the installer on Windows, the User Access Control dialog will show the publisher, check that it is the one you expected it to be. :) (If you have disabled User Access Control use a different method.)

Method B: file properties

A second way is to use the file properties in the explorer. Right click on the installer -> properties -> digital signatures -> Details of signatures. (Try this if no publisher is shown by the UAC in rare cases after a download with Firefox or Iridium (Chromium). For details see T3379.)

Method C: signtool

A third way is to use MSDN:SignTool which is a part of the Microsoft development tools: Open open a command line, navigate to the folder and enter

SignTool verify /pa /v gpg4win*.exe

Checksums

Once you have downloaded the file, you can verify that it matches the published checksums (that you have gotten via a trusted channel). Open a command line, navigate to your Download-Folder, and use a command like the following, but adapt the filename to the version you have downloaded and you want to check:

certutil -hashfile gpg4win-3.1.15.exe sha256

Once you have entered the command, it will return an alphanumeric string, which you can compare to the one on the Gpg4Win package integrity site. It has to match for all hexadecimal digits. (Sometimes colons or spaces are used to group the checksum.) Make sure to compare it to the checksum with the right algorithm (SHA-256).

If the tool does not work

... see of you have a different tool that can calculate SHA-256 checksums on your machine and use it instead.

On systems that run older operating systems than Windows 8: Install a certain Windows Patch, which delivers the functionality.

Less reliable is falling back using sha1 stead of the sha256 in the above command line and comparing it to the SHA-1 checksum. Some elder versions of Windows may not come with a standard tool to calculate SHA-256 and we still publish SHA-1 checksums because checking against them is better than not checking with a cryptographic checksum.

OpenPGP signatures

If you upgrade your Gpg4Win version, you already have gnupg installed and you can verify the integrity of the downloaded file, by its OpenPGP signature. To do so, you have to download, next the file, the signature of the file. You'll find the download-links on the Gpg4Win package integrity site. The ey, with which the files are signed, is also given on that page. You have to import the public key and now you can validate the signature of the file with the command

gpg --verify gpg4win*.exe.sig gpg4win*.exe

File lengths (as diagnostics)

This is not a verification method, but I way trying to find out why a method my have failed. One cause of a bad download is that the internet connection broke down during the download. In this case the size of the file on your harddisk is smaller than it should be.

Navigate to the folder, where you downloaded the Gpg4Win packages to, and enter

dir

The command will list all files and their sizes in the directory. You can then compare those results with the sizes given on the Gpg4Win package integrity site.

This can help you spot a corrupt file where the downloading got aborted or something. It will not protect you against an attacker.

Troubleshooting

If you encounter any problems, please feel free to ask them at the forums or on the mailinglist. If you already figured out, how to fix your issue, please leave your answer here

-  ⇤ ← Revision 1 as of 2017-01-20 10:21:25 → 
  Size: 3866
  Editor: JochenSaalfeld
  Comment: Initial Creation
+   ← Revision 12 as of 2021-08-05 07:56:04 → ⇥
  Size: 4625
  Editor: bernhard
  Comment: Improve method C (thanks to Sven G. for the hint)
-Deletions are marked like this.
+Additions are marked like this.
 Line 1:
-= Check integrity of Gpg4win packages =
How to actually perform the checks can be found e.g. on the [[https://www.gnupg.org/download/integrity_check.html|GnuPG web page on integrity checks]].
+= Check integrity of Gpg4win packages
-Line 4:
+Line 3:
-== SHA1 checksums ==
+You shall only run applications on your computer that you trust.
This page shows several methods to check that the software called Gpg4win
that you have just downloaded originates from the Gpg4win Initiative.
**Using one method is good enough.**
-Line 6:
+Line 8:
-|{{{67e13c4f90ff6a70ad57bd31af64a238c9315308}}} | {{{gpg4win-2.3.3.exe}}} |
|{{{71a3ed36a8af2ef14c7ac4d2d25fa2fef9eaa13b}}} | {{{gpg4win-light-2.3.3.exe}}} |
|{{{a105cc82d60a315a14a4f69ea783a83baa434e55}}} | {{{gpg4win-vanilla-2.3.3.exe}}} |
|{{{46349916d17854e90bc9fe311b280af359350236}}} | {{{gpg4win-src-2.3.3.exe}}} |
|{{{5fa6d34206f3b08f1fdee58b03db1dc06c627388}}} | {{{gpg4win-2.3.3.tar.bz2}}} |
+<<TableOfContents()>>

== Code Signing Certificate
All Gpg4win installer files since April 2016 are code signed. The signature informations used to code sign the packages can be found on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. 
Windows can check the integrity and the publisher of a signed software package. 

==== Method A: UAC (recommended)
When trying to run the installer on Windows,
the **User Access Control dialog will show the publisher**, check that it is the one you expected it to be. :) 
(If you have disabled User Access Control use a different method.)

==== Method B: file properties
A second way is to use the file properties in the explorer. Right click on the installer -> properties
 -> digital signatures -> Details of signatures. (Try this if no publisher is shown by the UAC in rare cases after a download with Firefox or Iridium (Chromium). For details see
[[https://dev.gnupg.org/T3379|T3379]].)

==== Method C: signtool
A third way is to use 
[[https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx|MSDN:SignTool]]
which is a part of the Microsoft development tools:
 Open open a command line, navigate to the folder and enter

{{{SignTool verify /pa /v gpg4win*.exe}}}


== Checksums

Once you have downloaded the file, you can verify that it matches the published checksums (that you have gotten via a trusted channel). Open a command line, navigate to your Download-Folder, and use a command like the following, but adapt the filename to the version you have downloaded and you want to check:

{{{certutil -hashfile gpg4win-3.1.15.exe sha256}}}

Once you have entered the command, it will return an alphanumeric string, which you can compare to the one on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site.
It has to match for all hexadecimal digits. (Sometimes colons or spaces are used to group the checksum.)
Make sure to compare it to the checksum with the right algorithm (SHA-256).

==== If the tool does not work

... see of you have a different tool that can calculate SHA-256 checksums
on your machine and use it instead. 

On systems that run older operating systems than Windows 8: Install a certain [[https://support.microsoft.com/en-us/kb/934576?spid=12925&sid=1569|Windows Patch]], which delivers the functionality.

Less reliable is falling back using {{{sha1}}} stead of the {{{sha256}}} in the above command line
and comparing it to the SHA-1 checksum. 
Some elder versions of Windows may not come with a standard tool to calculate SHA-256
and we still publish SHA-1 checksums because checking against them is better than not checking with
a cryptographic checksum.
-Line 14:
+Line 59:
-For {{{gpg4win-2.3.3.exe}}}: [[https://files.gpg4win.org/gpg4win-2.3.3.exe.sig]]\\
For {{{gpg4win-light-2.3.3.exe}}}: [[https://files.gpg4win.org/gpg4win-light-2.3.3.exe.sig]]\\
For {{{gpg4win-vanilla-2.3.3.exe}}}: [[https://files.gpg4win.org/gpg4win-vanilla-2.3.3.exe.sig]]\\
For {{{gpg4win-src-2.3.3.exe}}}: [[https://files.gpg4win.org/gpg4win-src-2.3.3.exe.sig]]\\
For {{{gpg4win-2.3.3.tar.bz2}}}: [[https://files.gpg4win.org/gpg4win-2.3.3.tar.bz2.sig]]\\
+If you upgrade your Gpg4Win version, you already have gnupg installed and you can verify the integrity of the downloaded file, by its OpenPGP signature. To do so, you have to download, next the file, the signature of the file. You'll find the download-links on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. The ey, with which the files are signed, is also given on that page. 
You have to import the public key and now you can validate the signature of the file with the command
-Line 20:
+Line 62:
-The signatures have been created with the following OpenPGP certificate\\
[[https://ssl.intevation.de/|Intevation File Distribution Key (Key ID: EC70B1B8)]]
+{{{gpg --verify gpg4win*.exe.sig gpg4win*.exe}}}
-Line 23:
+Line 64:
-The certificate be retrieved from OpenPGP certificate servers. Loading a certificate from a certificate server can be done e.g. via Kleopatra or GPA. Checking the signature of a file is best done with GpgEX via the Explorer.
+== File lengths (as diagnostics)
This is not a verification method, but I way trying to find out why a method my have failed.
One cause of a bad download is that the internet connection broke down during the download.
In this case the size of the file on your harddisk is smaller than it should be.
-Line 25:
+Line 69:
-== File lengths ==
If you have a mismatch on the checksum or a bad signature you should first verify that you really downloaded the complete file. Here are the lengths you should get:
+Navigate to the folder, where you downloaded the Gpg4Win packages to, and enter
-Line 28:
+Line 71:
-| {{{25629112}}}  | bytes for {{{gpg4win-2.3.3.exe}}} |
| {{{8461096}}}   | bytes for {{{gpg4win-light-2.3.3.exe}}} |
| {{{3321976}}}   | bytes for {{{gpg4win-vanilla-2.3.3.exe}}} |
| {{{301613824}}} | bytes for {{{gpg4win-src-2.3.3.exe}}} |
| {{{5913239}}}   | bytes for {{{gpg4win-2.3.3.tar.bz2}}} |
+{{{dir}}}
-Line 34:
+Line 73:
-== Code Signing Certificate ==
+The command will list all files and their sizes in the directory. You can then compare those results with the sizes given on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site.
-Line 36:
+Line 75:
-All Gpg4win exe installer files since April 2016 are signed with the following code signing certificate:
+This can help you spot a corrupt file where the downloading got aborted or something. It will
not protect you against an attacker.
-Line 38:
+Line 78:
-| S/N:       | {{{1121A3D67EAB28AA86FD85728B57FA62630D}}} |
| Issuer:    | {{{CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE}}} |
| Subject:   | {{{1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE}}} |
| sha1_fpr:  | {{{DE:16:D5:97:2F:0B:73:95:F7:D9:1E:DC:1F:21:9B:0F:FE:89:FA:B3}}} |
| md5_fpr:   | {{{C0:98:08:94:D4:E7:97:3E:9D:F4:18:E4:5E:0A:2E:D7}}} |
| notBefore: | {{{2016-03-30 16:54:41}}} |
| notAfter:  | {{{2019-03-31 16:54:41}}} |
-Line 46:
+Line 79:
-----
+== Troubleshooting ==
-Line 48:
+Line 81:
-Previously used code signing certificates were:

| S/N:       | {{{112117F638BDC993B761C6073D63C2F86EC4}}} |
| Issuer:    | {{{CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE}}} |
| Subject:   | {{{1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE}}} |
| sha1_fpr:  | {{{15:94:27:DA:C1:6E:68:A4:DD:47:EF:04:D2:17:C5:56:00:CF:A0:EC}}} |
| md5_fpr:   | {{{35:64:A0:D5:FC:6A:58:83:B8:C4:F7:1F:1C:F9:A6:9E}}} |
| notBefore: | {{{2013-06-20 14:48:08}}} |
| notAfter:  | {{{2016-09-10 09:27:26}}} |

and

| S/N:       | {{{0100000000012A60AF8A8F}}} |
| Issuer:    | {{{CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE}}} |
| Subject:   | {{{1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,C=DE}}} |
| sha1_fpr:  | {{{B4:71:26:90:F0:3A:69:1E:F0:75:3F:8D:11:C9:EA:C3:6D:FB:7C:92}}} |
| md5_fpr:   | {{{80:0E:E2:F9:6F:AC:F4:16:0F:B2:AB:65:CA:82:22:55}}} |
| notBefore: | {{{2010-08-11 09:27:29}}} |
| notAfter:  | {{{2013-08-11 09:27:26}}} |
+If you encounter any problems, please feel free to ask them at the forums or on the mailinglist. If you already figured out, how to fix your issue, please leave your answer here