Size: 3866
Comment: Initial Creation
|
Size: 2730
Comment: typos
|
Deletions are marked like this. | Additions are marked like this. |
Line 2: | Line 2: |
How to actually perform the checks can be found e.g. on the [[https://www.gnupg.org/download/integrity_check.html|GnuPG web page on integrity checks]]. | You can check packages by their SHA1 Checksum, by OpenPGP Signature (if you already have GnuPG installed) or by the Code Signing Certificate. The Checksums and Information you need to verify your downloaded package files, are available on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. <<TableOfContents()>> |
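Review bot: The added introduction spells the project name "Gpg4Win", while the removed text elsewhere in this diff and the page title use "Gpg4win"; use one spelling throughout. The capitalised common nouns in the same paragraph ("Checksum", "Signature", "Checksums and Information") and the comma before "are available" should be cleaned up in the same pass.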
Line 6: | Line 8: |
|{{{67e13c4f90ff6a70ad57bd31af64a238c9315308}}} | {{{gpg4win-2.3.3.exe}}} | |{{{71a3ed36a8af2ef14c7ac4d2d25fa2fef9eaa13b}}} | {{{gpg4win-light-2.3.3.exe}}} | |{{{a105cc82d60a315a14a4f69ea783a83baa434e55}}} | {{{gpg4win-vanilla-2.3.3.exe}}} | |{{{46349916d17854e90bc9fe311b280af359350236}}} | {{{gpg4win-src-2.3.3.exe}}} | |{{{5fa6d34206f3b08f1fdee58b03db1dc06c627388}}} | {{{gpg4win-2.3.3.tar.bz2}}} | |
Once you downloaded the file from [[https://www.gpg4win.org/|Gpg4Win.org]], you can verify its SHA1 checksums. On machines that run Windows 8 or newer, you can receive the desired output, by opening a command line, navigate to your Download-Folder and put in the line: {{{certutil -hashfile FileToHash.exe sha1}}} On Systems that run older operating systems, than Windows 8: Install a certain [[https://support.microsoft.com/en-us/kb/934576?spid=12925&sid=1569|Windows Patch]], which delivers the functionality. Once you entered the operation, the command line will return an alphanumeric string, which yuo can compare to the one on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. |
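Review bot: The last added sentence contains the typo "yuo", and "FileToHash.exe" in the certutil line is never identified as a placeholder for the downloaded file's name. Since this hunk also removes the in-page checksum table, the text should say explicitly that the expected value now has to be taken from the package integrity site entry for the exact file name that was downloaded.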
Line 14: | Line 18: |
For {{{gpg4win-2.3.3.exe}}}: [[https://files.gpg4win.org/gpg4win-2.3.3.exe.sig]]\\ For {{{gpg4win-light-2.3.3.exe}}}: [[https://files.gpg4win.org/gpg4win-light-2.3.3.exe.sig]]\\ For {{{gpg4win-vanilla-2.3.3.exe}}}: [[https://files.gpg4win.org/gpg4win-vanilla-2.3.3.exe.sig]]\\ For {{{gpg4win-src-2.3.3.exe}}}: [[https://files.gpg4win.org/gpg4win-src-2.3.3.exe.sig]]\\ For {{{gpg4win-2.3.3.tar.bz2}}}: [[https://files.gpg4win.org/gpg4win-2.3.3.tar.bz2.sig]]\\ |
If you upgrade your Gpg4Win version, you already have gnupg installed and you can verify the integrity of the downloaded file, by its OpenPGP signature. To do so, you have to download, next the file, the signature of the file. You'll find the download-links on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. The Key, with which the files are signed, is also given on that page. You have to import the key and now you can validate the signature of the file with the command |
Line 20: | Line 20: |
The signatures have been created with the following OpenPGP certificate\\ [[https://ssl.intevation.de/|Intevation File Distribution Key (Key ID: EC70B1B8)]] The certificate be retrieved from OpenPGP certificate servers. Loading a certificate from a certificate server can be done e.g. via Kleopatra or GPA. Checking the signature of a file is best done with GpgEX via the Explorer. |
{{{gpg --verify gpg4win*.exe.sig gpg4win*.exe}}} |
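Review bot: The added command uses wildcards for both arguments ("gpg4win*.exe.sig gpg4win*.exe"), which is ambiguous as soon as more than one Gpg4win package sits in the download folder, and cmd.exe does not expand wildcards itself. Name the pair explicitly, for example "gpg --verify gpg4win-2.3.3.exe.sig gpg4win-2.3.3.exe". The removed text also stated the key ID (EC70B1B8) the signature should come from; without it on this page, the text should tell the reader to compare the key reported by gpg with the one listed on the integrity site.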
Line 26: | Line 23: |
If you have a mismatch on the checksum or a bad signature you should first verify that you really downloaded the complete file. Here are the lengths you should get: | Navigate to the folder, where you downloaded the Gpg4Win packages to, and enter |
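Review bot: The replacement text on the right drops the reason for the length check that the removed sentence gave, namely that it is the first thing to look at after a checksum mismatch or bad signature to see whether the download is complete. Without that, the "File lengths" section reads as a third integrity check of equal weight; keep a sentence saying when to use it. The added sentence also ends in "and enter" with no colon before the command.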
Line 28: | Line 25: |
| {{{25629112}}} | bytes for {{{gpg4win-2.3.3.exe}}} | | {{{8461096}}} | bytes for {{{gpg4win-light-2.3.3.exe}}} | | {{{3321976}}} | bytes for {{{gpg4win-vanilla-2.3.3.exe}}} | | {{{301613824}}} | bytes for {{{gpg4win-src-2.3.3.exe}}} | | {{{5913239}}} | bytes for {{{gpg4win-2.3.3.tar.bz2}}} | |
{{{dir}}} The command will list all files and their sizes in the directory. You can then compare those results with the sizes given on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. |
Line 36: | Line 31: |
All Gpg4win exe installer files since April 2016 are signed with the following code signing certificate: | All Gg4win installer files since April 2016 that can be downloaded via [[https://www.gpg4win.org/|Gpg4Win.org]] are code signed. The signature informations used to code sing the packages can be found on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. To verify the integrity, you open a command line, navigate to the folder and enter |
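Review bot: The added paragraph introduces three typos: "Gg4win" for "Gpg4win", "code sing" for "code sign", and "signature informations" for "signature information". For a revision commented "typos", these should be fixed before saving.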
Line 38: | Line 33: |
| S/N: | {{{1121A3D67EAB28AA86FD85728B57FA62630D}}} | | Issuer: | {{{CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE}}} | | Subject: | {{{1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE}}} | | sha1_fpr: | {{{DE:16:D5:97:2F:0B:73:95:F7:D9:1E:DC:1F:21:9B:0F:FE:89:FA:B3}}} | | md5_fpr: | {{{C0:98:08:94:D4:E7:97:3E:9D:F4:18:E4:5E:0A:2E:D7}}} | | notBefore: | {{{2016-03-30 16:54:41}}} | | notAfter: | {{{2019-03-31 16:54:41}}} | |
{{{SignTool verify gpg4win*.exe}}} |
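Review bot: "SignTool verify" without the /pa option checks against the Windows Driver Verification Policy rather than the default Authenticode policy, so it is the wrong check for an ordinary code-signed installer; the command should read "SignTool verify /pa" followed by the file name. This hunk also removes the serial number, subject and fingerprints of the signing certificate, so the text should tell the reader to compare the signer shown for the file with the certificate details on the integrity site, since a valid chain alone does not show who signed it.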
Line 46: | Line 35: |
---- | == Troubleshooting == |
Line 48: | Line 37: |
Previously used code signing certificates were: | S/N: | {{{112117F638BDC993B761C6073D63C2F86EC4}}} | | Issuer: | {{{CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE}}} | | Subject: | {{{1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE}}} | | sha1_fpr: | {{{15:94:27:DA:C1:6E:68:A4:DD:47:EF:04:D2:17:C5:56:00:CF:A0:EC}}} | | md5_fpr: | {{{35:64:A0:D5:FC:6A:58:83:B8:C4:F7:1F:1C:F9:A6:9E}}} | | notBefore: | {{{2013-06-20 14:48:08}}} | | notAfter: | {{{2016-09-10 09:27:26}}} | and | S/N: | {{{0100000000012A60AF8A8F}}} | | Issuer: | {{{CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE}}} | | Subject: | {{{1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,C=DE}}} | | sha1_fpr: | {{{B4:71:26:90:F0:3A:69:1E:F0:75:3F:8D:11:C9:EA:C3:6D:FB:7C:92}}} | | md5_fpr: | {{{80:0E:E2:F9:6F:AC:F4:16:0F:B2:AB:65:CA:82:22:55}}} | | notBefore: | {{{2010-08-11 09:27:29}}} | | notAfter: | {{{2013-08-11 09:27:26}}} | |
If you encounter any problems, please feel free to ask them at the forums or on the mailinglist. If you already figured out, how to fix your issue, please leave your answer here |
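Review bot: The added Troubleshooting text refers to "the forums" and "the mailinglist" without linking either, unlike every other reference in this revision. Add the links, write "mailing list" as two words, and end the last sentence with a period.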
Check integrity of Gpg4win packages
You can check packages by their SHA1 checksum, by OpenPGP signature (if you already have GnuPG installed) or by the code signing certificate. The checksums and information you need to verify your downloaded package files are available on the Gpg4win package integrity site.
SHA1 checksums
Once you have downloaded the file from Gpg4win.org, you can verify its SHA1 checksum. On machines that run Windows 8 or newer, open a command line, navigate to your download folder and enter:
certutil -hashfile FileToHash.exe sha1
On systems that run an operating system older than Windows 8, first install a certain Windows patch, which provides this functionality.
Once you have run the command, the command line returns an alphanumeric string, which you can compare to the one on the Gpg4win package integrity site.
OpenPGP signatures
If you are upgrading your Gpg4win version, you already have GnuPG installed and can verify the integrity of the downloaded file by its OpenPGP signature. To do so, download the signature of the file in addition to the file itself. You'll find the download links on the Gpg4win package integrity site. The key with which the files are signed is also given on that page. Import the key; you can then validate the signature of the file with the command:
gpg --verify gpg4win*.exe.sig gpg4win*.exe
File lengths
Navigate to the folder where you downloaded the Gpg4win packages and enter:
dir
The command lists all files in the directory together with their sizes. You can then compare those results with the sizes given on the Gpg4win package integrity site.
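The size and SHA1 checks from the two sections above can be combined into one step. The following PowerShell script is an added example, not part of the original wiki page or of Gpg4win; the script name, function name and parameters are hypothetical, and the expected values must be copied from the Gpg4win package integrity site.

```powershell
# Added example (hypothetical name Check-Package.ps1). Usage:
#   .\Check-Package.ps1 -Path <downloaded file> -ExpectedSha1 <value from site> -ExpectedBytes <size from site>
param(
    [Parameter(Mandatory)] [string] $Path,
    [Parameter(Mandatory)] [string] $ExpectedSha1,
    [Parameter(Mandatory)] [long]   $ExpectedBytes
)

function Test-PackageIntegrity {
    param([string] $Path, [string] $ExpectedSha1, [long] $ExpectedBytes)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return 'missing'
    }

    # Check the length first: a wrong size points to an incomplete download,
    # and hashing a truncated file only produces a confusing mismatch.
    $actualBytes = (Get-Item -LiteralPath $Path).Length
    if ($actualBytes -ne $ExpectedBytes) {
        return 'size-mismatch'
    }

    # Tolerate spaces or colons pasted along with the expected value,
    # then insist on exactly 40 hex digits (the length of a SHA1 digest).
    $want = ($ExpectedSha1 -replace '[\s:]', '').ToLowerInvariant()
    if ($want -notmatch '^[0-9a-f]{40}$') {
        return 'bad-expected-hash'
    }

    $got = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLowerInvariant()
    if ($got -ne $want) {
        return 'hash-mismatch'
    }
    return 'ok'
}

$result = Test-PackageIntegrity -Path $Path -ExpectedSha1 $ExpectedSha1 -ExpectedBytes $ExpectedBytes
Write-Output "$Path : $result"
if ($result -ne 'ok') { exit 1 }
```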
Code Signing Certificate
All Gpg4win installer files since April 2016 that can be downloaded via Gpg4win.org are code signed. The signature information used to code sign the packages can be found on the Gpg4win package integrity site. To verify the integrity, open a command line, navigate to the folder and enter:
SignTool verify /pa gpg4win*.exe
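A valid signature only shows that some trusted certificate signed the file, so the signer still has to be compared with the signature information on the package integrity site. The following PowerShell script is an added example, not part of the original wiki page or of Gpg4win; the script name, function name and parameters are hypothetical, and it assumes you take the certificate's SHA1 fingerprint from that site.

```powershell
# Added example (hypothetical name Check-Signer.ps1). Usage:
#   .\Check-Signer.ps1 -Path <installer> -ExpectedThumbprint <SHA1 fingerprint from site>
param(
    [Parameter(Mandatory)] [string] $Path,
    [Parameter(Mandatory)] [string] $ExpectedThumbprint
)

function Test-InstallerSigner {
    param([string] $Path, [string] $ExpectedThumbprint)

    # Status is 'Valid' only if the file hash matches the signature and the
    # certificate chain is trusted; anything else is reported as-is.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return "signature-$($sig.Status)"
    }

    # Fingerprints are often published as colon-separated hex; the Thumbprint
    # property is plain upper-case hex, so normalise before comparing.
    $want = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($want -notmatch '^[0-9A-F]{40}$') {
        return 'bad-expected-thumbprint'
    }

    if ($sig.SignerCertificate.Thumbprint -ne $want) {
        return 'unexpected-signer'
    }
    return 'ok'
}

$result = Test-InstallerSigner -Path $Path -ExpectedThumbprint $ExpectedThumbprint
Write-Output "$Path : $result (signer: $((Get-AuthenticodeSignature -LiteralPath $Path).SignerCertificate.Subject))"
if ($result -ne 'ok') { exit 1 }
```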
Troubleshooting
If you encounter any problems, please feel free to ask about them on the forums or on the mailing list. If you have already figured out how to fix your issue, please leave your answer here.