Check integrity of Gpg4win packages
How to actually perform the checks can be found e.g. on the GnuPG web page on integrity checks.
SHA1 checksums
| 67e13c4f90ff6a70ad57bd31af64a238c9315308 | gpg4win-2.3.3.exe |
| 71a3ed36a8af2ef14c7ac4d2d25fa2fef9eaa13b | gpg4win-light-2.3.3.exe |
| a105cc82d60a315a14a4f69ea783a83baa434e55 | gpg4win-vanilla-2.3.3.exe |
| 46349916d17854e90bc9fe311b280af359350236 | gpg4win-src-2.3.3.exe |
| 5fa6d34206f3b08f1fdee58b03db1dc06c627388 | gpg4win-2.3.3.tar.bz2 |
OpenPGP signatures
For gpg4win-2.3.3.exe: https://files.gpg4win.org/gpg4win-2.3.3.exe.sig
For gpg4win-light-2.3.3.exe: https://files.gpg4win.org/gpg4win-light-2.3.3.exe.sig
For gpg4win-vanilla-2.3.3.exe: https://files.gpg4win.org/gpg4win-vanilla-2.3.3.exe.sig
For gpg4win-src-2.3.3.exe: https://files.gpg4win.org/gpg4win-src-2.3.3.exe.sig
For gpg4win-2.3.3.tar.bz2: https://files.gpg4win.org/gpg4win-2.3.3.tar.bz2.sig
The signatures have been created with the following OpenPGP certificate
Intevation File Distribution Key (Key ID: EC70B1B8)
The certificate be retrieved from OpenPGP certificate servers. Loading a certificate from a certificate server can be done e.g. via Kleopatra or GPA. Checking the signature of a file is best done with GpgEX via the Explorer.
File lengths
If you have a mismatch on the checksum or a bad signature you should first verify that you really downloaded the complete file. Here are the lengths you should get:
| 25629112 | bytes for gpg4win-2.3.3.exe |
| 8461096 | bytes for gpg4win-light-2.3.3.exe |
| 3321976 | bytes for gpg4win-vanilla-2.3.3.exe |
| 301613824 | bytes for gpg4win-src-2.3.3.exe |
| 5913239 | bytes for gpg4win-2.3.3.tar.bz2 |
Code Signing Certificate
All Gpg4win exe installer files since April 2016 are signed with the following code signing certificate:
| S/N: | 1121A3D67EAB28AA86FD85728B57FA62630D |
| Issuer: | CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE |
| Subject: | 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE |
| sha1_fpr: | DE:16:D5:97:2F:0B:73:95:F7:D9:1E:DC:1F:21:9B:0F:FE:89:FA:B3 |
| md5_fpr: | C0:98:08:94:D4:E7:97:3E:9D:F4:18:E4:5E:0A:2E:D7 |
| notBefore: | 2016-03-30 16:54:41 |
| notAfter: | 2019-03-31 16:54:41 |
Previously used code signing certificates were:
| S/N: | 112117F638BDC993B761C6073D63C2F86EC4 |
| Issuer: | CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE |
| Subject: | 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE |
| sha1_fpr: | 15:94:27:DA:C1:6E:68:A4:DD:47:EF:04:D2:17:C5:56:00:CF:A0:EC |
| md5_fpr: | 35:64:A0:D5:FC:6A:58:83:B8:C4:F7:1F:1C:F9:A6:9E |
| notBefore: | 2013-06-20 14:48:08 |
| notAfter: | 2016-09-10 09:27:26 |
and
| S/N: | 0100000000012A60AF8A8F |
| Issuer: | CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE |
| Subject: | 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,C=DE |
| sha1_fpr: | B4:71:26:90:F0:3A:69:1E:F0:75:3F:8D:11:C9:EA:C3:6D:FB:7C:92 |
| md5_fpr: | 80:0E:E2:F9:6F:AC:F4:16:0F:B2:AB:65:CA:82:22:55 |
| notBefore: | 2010-08-11 09:27:29 |
| notAfter: | 2013-08-11 09:27:26 |