|
Size: 3441
Comment: Overhauls intro and code signing section. Adds hint about SHA-256
|
Size: 4508
Comment: improve section on checksums, improve mention of public keyin openpgp sig section
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 6: | Line 6: |
| Using one is good enough. | |
| Line 10: | Line 11: |
| All Gg4win installer files since April 2016 are code signed. The signature informations used to code sign the packages can be found on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. Windows can check the integrity and the publisher of a signed software package. |
All Gpg4win installer files since April 2016 are code signed. The signature informations used to code sign the packages can be found on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. Windows can check the integrity and the publisher of a signed software package. |
| Line 13: | Line 14: |
| ==== Method A: UAC | ==== Method A: UAC (recommended) |
| Line 15: | Line 16: |
| the **User Access Control dialog will show the publisher**, check that is the one you expected it to be. :) | the **User Access Control dialog will show the publisher**, check that it is the one you expected it to be. :) |
| Line 20: | Line 21: |
| -> digital signatures -> Details of signatures. **Use this with Firefox or Iridium (Chromium)** until [[https://dev.gnupg.org/T3379|T3379]] is solved. |
-> digital signatures -> Details of signatures. (Try this if no publisher is shown by the UAC in rare cases after a download with Firefox or Iridium (Chromium). For details see [[https://dev.gnupg.org/T3379|T3379]].) |
| Line 24: | Line 25: |
| A third way verify the integrity is, to open open a command line, navigate to the folder and enter | A third way is to use [[https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx|MSDN:SignTool]] which is a part of the Microsoft development tools: Open open a command line, navigate to the folder and enter |
| Line 29: | Line 33: |
| == SHA1 checksums | == Checksums |
| Line 31: | Line 35: |
| Once you downloaded the file from [[https://www.gpg4win.org/|Gpg4Win.org]], you can verify its SHA1 checksums. On machines that run Windows 8 or newer, you can receive the desired output, by opening a command line, navigate to your Download-Folder and put in the line: | Once you have downloaded the file, you can verify that it matches the published checksums (that you have gotten via a trusted channel). Open a command line, navigate to your Download-Folder and put in the line: |
| Line 33: | Line 37: |
| {{{certutil -hashfile FileToHash.exe sha1}}} | {{{certutil -hashfile gpg4win-3.1.13.exe sha256}}} |
| Line 35: | Line 39: |
| On Systems that run older operating systems, than Windows 8: Install a certain [[https://support.microsoft.com/en-us/kb/934576?spid=12925&sid=1569|Windows Patch]], which delivers the functionality. | Once you have entered the command, it will return an alphanumeric string, which you can compare to the one on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. It has to match for all hexadecimal digits. (Sometimes colons or spaces are used to group the checksum.) Make sure to compare it to the checksum with the right algorithm (SHA-256). |
| Line 37: | Line 43: |
| Once you entered the operation, the command line will return an alphanumeric string, which yyou can compare to the one on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. | ==== If the tool does not work |
| Line 39: | Line 45: |
| (These instructions are written for SHA-1 and not the stronger SHA-256 because we are not aware of standard Microsoft tools to check SHA-256 for elder versions of Windows. If you have a tool to check SHA-256, use it instead.) |
... see of you have a different tool that can calculate SHA-256 checksums on your machine and use it instead. On systems that run older operating systems than Windows 8: Install a certain [[https://support.microsoft.com/en-us/kb/934576?spid=12925&sid=1569|Windows Patch]], which delivers the functionality. Less reliable is falling back using {{{sha1}}} stead of the {{{sha256}}} in the above command line and comparing it to the SHA-1 checksum. Some elder versions of Windows may not come with a standard tool to calculate SHA-256 and we still publish SHA-1 checksums because checking against them is better than not checking with a cryptographic checksum. |
| Line 46: | Line 59: |
| If you upgrade your Gpg4Win version, you already have gnupg installed and you can verify the integrity of the downloaded file, by its OpenPGP signature. To do so, you have to download, next the file, the signature of the file. You'll find the download-links on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. The Key, with which the files are signed, is also given on that page. You have to import the key and now you can validate the signature of the file with the command | If you upgrade your Gpg4Win version, you already have gnupg installed and you can verify the integrity of the downloaded file, by its OpenPGP signature. To do so, you have to download, next the file, the signature of the file. You'll find the download-links on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. The ey, with which the files are signed, is also given on that page. You have to import the public key and now you can validate the signature of the file with the command |
| Line 50: | Line 64: |
| == File lengths == | == File lengths (as diagnostics) This is not a verification method, but I way trying to find out why a method my have failed. One cause of a bad download is that the internet connection broke down during the download. In this case the size of the file on your harddisk is smaller than it should be. |
| Line 57: | Line 75: |
| This can help you spot a corrupt file where the downloading got aborted or something. It will not protect you against an attacker. |
Check integrity of Gpg4win packages
You shall only run applications on your computer that you trust. This page shows several methods to check that the software called Gpg4win that you have just downloaded originates from the Gpg4win Initiative. Using one is good enough.
Contents
Code Signing Certificate
All Gpg4win installer files since April 2016 are code signed. The signature informations used to code sign the packages can be found on the Gpg4Win package integrity site. Windows can check the integrity and the publisher of a signed software package.
Method A: UAC (recommended)
When trying to run the installer on Windows, the User Access Control dialog will show the publisher, check that it is the one you expected it to be. :) (If you have disabled User Access Control use a different method.)
Method B: file properties
A second way is to use the file properties in the explorer. Right click on the installer -> properties -> digital signatures -> Details of signatures. (Try this if no publisher is shown by the UAC in rare cases after a download with Firefox or Iridium (Chromium). For details see T3379.)
Method C: signtool
A third way is to use MSDN:SignTool which is a part of the Microsoft development tools: Open open a command line, navigate to the folder and enter
SignTool verify gpg4win*.exe
Checksums
Once you have downloaded the file, you can verify that it matches the published checksums (that you have gotten via a trusted channel). Open a command line, navigate to your Download-Folder and put in the line:
certutil -hashfile gpg4win-3.1.13.exe sha256
Once you have entered the command, it will return an alphanumeric string, which you can compare to the one on the Gpg4Win package integrity site. It has to match for all hexadecimal digits. (Sometimes colons or spaces are used to group the checksum.) Make sure to compare it to the checksum with the right algorithm (SHA-256).
If the tool does not work
... see of you have a different tool that can calculate SHA-256 checksums on your machine and use it instead.
On systems that run older operating systems than Windows 8: Install a certain Windows Patch, which delivers the functionality.
Less reliable is falling back using sha1 stead of the sha256 in the above command line and comparing it to the SHA-1 checksum. Some elder versions of Windows may not come with a standard tool to calculate SHA-256 and we still publish SHA-1 checksums because checking against them is better than not checking with a cryptographic checksum.
OpenPGP signatures
If you upgrade your Gpg4Win version, you already have gnupg installed and you can verify the integrity of the downloaded file, by its OpenPGP signature. To do so, you have to download, next the file, the signature of the file. You'll find the download-links on the Gpg4Win package integrity site. The ey, with which the files are signed, is also given on that page. You have to import the public key and now you can validate the signature of the file with the command
gpg --verify gpg4win*.exe.sig gpg4win*.exe
File lengths (as diagnostics)
This is not a verification method, but I way trying to find out why a method my have failed. One cause of a bad download is that the internet connection broke down during the download. In this case the size of the file on your harddisk is smaller than it should be.
Navigate to the folder, where you downloaded the Gpg4Win packages to, and enter
dir
The command will list all files and their sizes in the directory. You can then compare those results with the sizes given on the Gpg4Win package integrity site.
This can help you spot a corrupt file where the downloading got aborted or something. It will not protect you against an attacker.
Troubleshooting
If you encounter any problems, please feel free to ask them at the forums or on the mailinglist. If you already figured out, how to fix your issue, please leave your answer here