English | Deutsch
Home »

Check integrity of Gpg4win packages

How to actually perform the checks can be found e.g. on the GnuPG web page on integrity checks.

SHA1 checksums

67e13c4f90ff6a70ad57bd31af64a238c9315308  gpg4win-2.3.3.exe
71a3ed36a8af2ef14c7ac4d2d25fa2fef9eaa13b  gpg4win-light-2.3.3.exe
a105cc82d60a315a14a4f69ea783a83baa434e55  gpg4win-vanilla-2.3.3.exe
46349916d17854e90bc9fe311b280af359350236  gpg4win-src-2.3.3.exe
5fa6d34206f3b08f1fdee58b03db1dc06c627388  gpg4win-2.3.3.tar.bz2

OpenPGP signatures

For gpg4win-2.3.3.exe: https://files.gpg4win.org/gpg4win-2.3.3.exe.sig
For gpg4win-light-2.3.3.exe: https://files.gpg4win.org/gpg4win-light-2.3.3.exe.sig
For gpg4win-vanilla-2.3.3.exe: https://files.gpg4win.org/gpg4win-vanilla-2.3.3.exe.sig
For gpg4win-src-2.3.3.exe: https://files.gpg4win.org/gpg4win-src-2.3.3.exe.sig
For gpg4win-2.3.3.tar.bz2: https://files.gpg4win.org/gpg4win-2.3.3.tar.bz2.sig

The signatures have been created with the following OpenPGP certificate
Intevation File Distribution Key
(Fingerprint: 61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8)


Since 2017 new releases are additionally signed with a new certificate that matches more modern key standards:
Intevation File Distribution Key
(Fingerprint: 13E3 CE81 AFEA 6F68 3E46 6E0D 42D8 7608 2688 DA1A)

The certificate can also be retrieved from OpenPGP certificate servers. Loading a certificate from a certificate server can be done e.g. via Kleopatra or GPA. Checking the signature of a file is best done with GpgEX via the Explorer.

File lengths

If you have a mismatch on the checksum or a bad signature you should first verify that you really downloaded the complete file. Here are the lengths you should get:

25629112  bytes for gpg4win-2.3.3.exe
8461096   bytes for gpg4win-light-2.3.3.exe
3321976   bytes for gpg4win-vanilla-2.3.3.exe
301613824 bytes for gpg4win-src-2.3.3.exe
5913239   bytes for gpg4win-2.3.3.tar.bz2

Code Signing Certificate

All Gpg4win exe installer files since April 2016 are signed with the following code signing certificate:

      S/N: 1121A3D67EAB28AA86FD85728B57FA62630D
   Issuer: CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
 sha1_fpr: DE:16:D5:97:2F:0B:73:95:F7:D9:1E:DC:1F:21:9B:0F:FE:89:FA:B3
  md5_fpr: C0:98:08:94:D4:E7:97:3E:9D:F4:18:E4:5E:0A:2E:D7
notBefore: 2016-03-30 16:54:41
 notAfter: 2019-03-31 16:54:41

Previously used code signing certificates were:

      S/N: 112117F638BDC993B761C6073D63C2F86EC4
   Issuer: CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
 sha1_fpr: 15:94:27:DA:C1:6E:68:A4:DD:47:EF:04:D2:17:C5:56:00:CF:A0:EC
  md5_fpr: 35:64:A0:D5:FC:6A:58:83:B8:C4:F7:1F:1C:F9:A6:9E
notBefore: 2013-06-20 14:48:08
 notAfter: 2016-09-10 09:27:26
      S/N: 0100000000012A60AF8A8F
   Issuer: CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,C=DE
 sha1_fpr: B4:71:26:90:F0:3A:69:1E:F0:75:3F:8D:11:C9:EA:C3:6D:FB:7C:92
  md5_fpr: 80:0E:E2:F9:6F:AC:F4:16:0F:B2:AB:65:CA:82:22:55
notBefore: 2010-08-11 09:27:29
 notAfter: 2013-08-11 09:27:26