|
Size: 2730
Comment: typos
|
Size: 3441
Comment: Overhauls intro and code signing section. Adds hint about SHA-256
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = Check integrity of Gpg4win packages = You can check packages by their SHA1 Checksum, by OpenPGP Signature (if you already have GnuPG installed) or by the Code Signing Certificate. The Checksums and Information you need to verify your downloaded package files, are available on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. |
= Check integrity of Gpg4win packages You shall only run applications on your computer that you trust. This page shows several methods to check that the software called Gpg4win that you have just downloaded originates from the Gpg4win Initiative. |
| Line 6: | Line 9: |
| == SHA1 checksums == | == Code Signing Certificate All Gg4win installer files since April 2016 are code signed. The signature informations used to code sign the packages can be found on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. Windows can check the integrity and the publisher of a signed software package. ==== Method A: UAC When trying to run the installer on Windows, the **User Access Control dialog will show the publisher**, check that is the one you expected it to be. :) (If you have disabled User Access Control use a different method.) ==== Method B: file properties A second way is to use the file properties in the explorer. Right click on the installer -> properties -> digital signatures -> Details of signatures. **Use this with Firefox or Iridium (Chromium)** until [[https://dev.gnupg.org/T3379|T3379]] is solved. ==== Method C: signtool A third way verify the integrity is, to open open a command line, navigate to the folder and enter {{{SignTool verify gpg4win*.exe}}} == SHA1 checksums |
| Line 14: | Line 37: |
| Once you entered the operation, the command line will return an alphanumeric string, which yuo can compare to the one on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. | Once you entered the operation, the command line will return an alphanumeric string, which yyou can compare to the one on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. (These instructions are written for SHA-1 and not the stronger SHA-256 because we are not aware of standard Microsoft tools to check SHA-256 for elder versions of Windows. If you have a tool to check SHA-256, use it instead.) |
| Line 29: | Line 57: |
| == Code Signing Certificate == All Gg4win installer files since April 2016 that can be downloaded via [[https://www.gpg4win.org/|Gpg4Win.org]] are code signed. The signature informations used to code sing the packages can be found on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. To verify the integrity, you open a command line, navigate to the folder and enter {{{SignTool verify gpg4win*.exe}}} |
Check integrity of Gpg4win packages
You shall only run applications on your computer that you trust. This page shows several methods to check that the software called Gpg4win that you have just downloaded originates from the Gpg4win Initiative.
Contents
Code Signing Certificate
All Gg4win installer files since April 2016 are code signed. The signature informations used to code sign the packages can be found on the Gpg4Win package integrity site. Windows can check the integrity and the publisher of a signed software package.
Method A: UAC
When trying to run the installer on Windows, the User Access Control dialog will show the publisher, check that is the one you expected it to be. :) (If you have disabled User Access Control use a different method.)
Method B: file properties
A second way is to use the file properties in the explorer. Right click on the installer -> properties -> digital signatures -> Details of signatures. Use this with Firefox or Iridium (Chromium) until T3379 is solved.
Method C: signtool
A third way verify the integrity is, to open open a command line, navigate to the folder and enter
SignTool verify gpg4win*.exe
SHA1 checksums
Once you downloaded the file from Gpg4Win.org, you can verify its SHA1 checksums. On machines that run Windows 8 or newer, you can receive the desired output, by opening a command line, navigate to your Download-Folder and put in the line:
certutil -hashfile FileToHash.exe sha1
On Systems that run older operating systems, than Windows 8: Install a certain Windows Patch, which delivers the functionality.
Once you entered the operation, the command line will return an alphanumeric string, which yyou can compare to the one on the Gpg4Win package integrity site.
(These instructions are written for SHA-1 and not the stronger SHA-256 because we are not aware of standard Microsoft tools to check SHA-256 for elder versions of Windows. If you have a tool to check SHA-256, use it instead.)
OpenPGP signatures
If you upgrade your Gpg4Win version, you already have gnupg installed and you can verify the integrity of the downloaded file, by its OpenPGP signature. To do so, you have to download, next the file, the signature of the file. You'll find the download-links on the Gpg4Win package integrity site. The Key, with which the files are signed, is also given on that page. You have to import the key and now you can validate the signature of the file with the command
gpg --verify gpg4win*.exe.sig gpg4win*.exe
File lengths
Navigate to the folder, where you downloaded the Gpg4Win packages to, and enter
dir
The command will list all files and their sizes in the directory. You can then compare those results with the sizes given on the Gpg4Win package integrity site.
Troubleshooting
If you encounter any problems, please feel free to ask them at the forums or on the mailinglist. If you already figured out, how to fix your issue, please leave your answer here