= Check integrity of Gpg4win packages You shall only run applications on your computer that you trust. This page shows several methods to check that the software called Gpg4win that you have just downloaded originates from the Gpg4win Initiative. Using one is good enough. <> == Code Signing Certificate All Gpg4win installer files since April 2016 are code signed. The signature informations used to code sign the packages can be found on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. Windows can check the integrity and the publisher of a signed software package. ==== Method A: UAC (recommended) When trying to run the installer on Windows, the **User Access Control dialog will show the publisher**, check that it is the one you expected it to be. :) (If you have disabled User Access Control use a different method.) ==== Method B: file properties A second way is to use the file properties in the explorer. Right click on the installer -> properties -> digital signatures -> Details of signatures. (Try this if no publisher is shown by the UAC in rare cases after a download with Firefox or Iridium (Chromium). For details see [[https://dev.gnupg.org/T3379|T3379]].) ==== Method C: signtool A third way is to use [[https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx|MSDN:SignTool]] which is a part of the Microsoft development tools: Open open a command line, navigate to the folder and enter {{{SignTool verify gpg4win*.exe}}} == Checksums Once you have downloaded the file, you can verify that it matches the published checksums (that you have gotten via a trusted channel). Open a command line, navigate to your Download-Folder and put in the line: {{{certutil -hashfile gpg4win-3.1.7.exe sha256}}} If this does not work, try {{{sha1}}} instead of {{{sha256}}}. (SHA-256 is to be preferred, but we are not aware of a standard Microsoft tool to check SHA-256 for elder versions of Windows. If you have a different tool available to check SHA-256 checksums, you can use it.) On systems that run older operating systems than Windows 8: Install a certain [[https://support.microsoft.com/en-us/kb/934576?spid=12925&sid=1569|Windows Patch]], which delivers the functionality. Once you have entered the command, it will return an alphanumeric string, which you can compare to the one on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. Make sure to compare it to the checksum with the same algorithm (SHA-256 or SHA-1). == OpenPGP signatures == If you upgrade your Gpg4Win version, you already have gnupg installed and you can verify the integrity of the downloaded file, by its OpenPGP signature. To do so, you have to download, next the file, the signature of the file. You'll find the download-links on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. The Key, with which the files are signed, is also given on that page. You have to import the key and now you can validate the signature of the file with the command {{{gpg --verify gpg4win*.exe.sig gpg4win*.exe}}} == File lengths (as diagnostics) This is not a verification method, but I way trying to find out why a method my have failed. One cause of a bad download is that the internet connection broke down during the download. In this case the size of the file on your harddisk is smaller than it should be. Navigate to the folder, where you downloaded the Gpg4Win packages to, and enter {{{dir}}} The command will list all files and their sizes in the directory. You can then compare those results with the sizes given on the [[https://www.gpg4win.org/package-integrity.html|Gpg4Win package integrity]] site. This can help you spot a corrupt file where the downloading got aborted or something. It will not protect you against an attacker. == Troubleshooting == If you encounter any problems, please feel free to ask them at the forums or on the mailinglist. If you already figured out, how to fix your issue, please leave your answer here