English |
Check integrity of Gpg4win packages
Usually you can use Microsoft's own methods to check that the installer is signed by one of the current code signing certificates listed below.
Microsoft will normally display the code signature in an user account control dialog when you try to execute the downloaded file; alternatively you can take a look in the file properties with the explorer.
Additional methods how to check the integrity can be found on the Wiki page on integrity checks.
Code Signing Certificate
All Gpg4win exe installer files since June 2019 are signed with the following code signing certificate:
S/N: 53F647D0F1DBA9E312A05669
Issuer: CN=GlobalSign CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE
Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
sha1_fpr: C1:3A:65:96:3A:D5:3E:78:69:4D:D2:23:D5:18:00:77:91:A0:5F:E4
md5_fpr: 4C:AD:36:5A:30:06:B0:A3:6D:BB:1E:30:1E:44:4E:17
notBefore: 2019-03-13 12:15:07
notAfter: 2022-04-30 16:54:41
Previously used code signing certificates were:
S/N: 1121A3D67EAB28AA86FD85728B57FA62630D
Issuer: CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
sha1_fpr: DE:16:D5:97:2F:0B:73:95:F7:D9:1E:DC:1F:21:9B:0F:FE:89:FA:B3
md5_fpr: C0:98:08:94:D4:E7:97:3E:9D:F4:18:E4:5E:0A:2E:D7
notBefore: 2016-03-30 16:54:41
notAfter: 2019-03-31 16:54:41
S/N: 112117F638BDC993B761C6073D63C2F86EC4
Issuer: CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE
Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
sha1_fpr: 15:94:27:DA:C1:6E:68:A4:DD:47:EF:04:D2:17:C5:56:00:CF:A0:EC
md5_fpr: 35:64:A0:D5:FC:6A:58:83:B8:C4:F7:1F:1C:F9:A6:9E
notBefore: 2013-06-20 14:48:08
notAfter: 2016-09-10 09:27:26
S/N: 0100000000012A60AF8A8F
Issuer: CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE
Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
CN=Intevation GmbH,O=Intevation GmbH,C=DE
sha1_fpr: B4:71:26:90:F0:3A:69:1E:F0:75:3F:8D:11:C9:EA:C3:6D:FB:7C:92
md5_fpr: 80:0E:E2:F9:6F:AC:F4:16:0F:B2:AB:65:CA:82:22:55
notBefore: 2010-08-11 09:27:29
notAfter: 2013-08-11 09:27:26
SHA256 checksums
e2f2e967a1161dc7836c24195840aa57e9320d4c4138a01af96714f5a4577019 gpg4win-3.1.14.exe 61169575cd6538be3376f2d57a31ed72c3bab4011f8eb2860fe5cea75a5e21f3 gpg4win-3.1.14.tar.bz2
SHA1 checksums
1c3be679964d13cae242b13af373fba409d79ee6 gpg4win-3.1.14.exe 6e6368fb667471f9260366c27e31bf065ef0c6f8 gpg4win-3.1.14.tar.bz2
OpenPGP signatures
For gpg4win-3.1.14.exe:
https://files.gpg4win.org/gpg4win-3.1.14.exe.sig
For gpg4win-3.1.14.tar.bz2:
https://files.gpg4win.org/gpg4win-3.1.14.tar.bz2.sig
Intevation File Distribution Key
(Fingerprint: 13E3 CE81 AFEA 6F68 3E46 6E0D 42D8 7608 2688 DA1A)
Previous public key (used up to 2016):
Intevation File Distribution Key
(Fingerprint: 61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8)
Checking the signature is best done via the File Explorer: Right click on the file and use GpgEX options -> verify.
File lengths
If you have a mismatch on the checksum or a bad signature you should first verify that you really downloaded the complete file. Here are the lengths you should get:
29883400 bytes for gpg4win-3.1.14.exe 273321772 bytes for gpg4win-3.1.14.tar.bz2
