English | Deutsch
Home »

Check integrity of Gpg4win packages

How to actually perform the checks can be found e.g. on the GnuPG web page on integrity checks.

SHA1 checksums

26c38609dd4e67bbee65091d09f35356dcac0b58  gpg4win-2.3.4.exe
d3c64e1ad616035d1b6cfc4692ca914e69e35394  gpg4win-light-2.3.4.exe
1f280bfc72b61c48785f913b3663a1444a4c9a32  gpg4win-vanilla-2.3.4.exe
c895737d1f8b6dc89a6437c6224de3927970bc0a  gpg4win-src-2.3.4.exe
d53469b76c2d49ed159f8e30b2a867013e89eb79  gpg4win-2.3.4.tar.bz2

OpenPGP signatures

For gpg4win-2.3.4.exe: https://files.gpg4win.org/gpg4win-2.3.4.exe.sig
For gpg4win-light-2.3.4.exe: https://files.gpg4win.org/gpg4win-light-2.3.4.exe.sig
For gpg4win-vanilla-2.3.4.exe: https://files.gpg4win.org/gpg4win-vanilla-2.3.4.exe.sig
For gpg4win-src-2.3.4.exe: https://files.gpg4win.org/gpg4win-src-2.3.4.exe.sig
For gpg4win-2.3.4.tar.bz2: https://files.gpg4win.org/gpg4win-2.3.4.tar.bz2.sig

The signatures have been created with the following OpenPGP certificate
Intevation File Distribution Key
(Fingerprint: 61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8)


Since 2017 new releases are additionally signed with a new certificate that matches more modern key standards:
Intevation File Distribution Key
(Fingerprint: 13E3 CE81 AFEA 6F68 3E46 6E0D 42D8 7608 2688 DA1A)

The certificate can also be retrieved from OpenPGP certificate servers. Loading a certificate from a certificate server can be done e.g. via Kleopatra or GPA. Checking the signature of a file is best done with GpgEX via the Explorer.

File lengths

If you have a mismatch on the checksum or a bad signature you should first verify that you really downloaded the complete file. Here are the lengths you should get:

25677520  bytes for gpg4win-2.3.4.exe
8508216   bytes for gpg4win-light-2.3.4.exe
3365384   bytes for gpg4win-vanilla-2.3.4.exe
294580128 bytes for gpg4win-src-2.3.4.exe
5900252   bytes for gpg4win-2.3.4.tar.bz2

Code Signing Certificate

All Gpg4win exe installer files since April 2016 are signed with the following code signing certificate:

      S/N: 1121A3D67EAB28AA86FD85728B57FA62630D
   Issuer: CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
 sha1_fpr: DE:16:D5:97:2F:0B:73:95:F7:D9:1E:DC:1F:21:9B:0F:FE:89:FA:B3
  md5_fpr: C0:98:08:94:D4:E7:97:3E:9D:F4:18:E4:5E:0A:2E:D7
notBefore: 2016-03-30 16:54:41
 notAfter: 2019-03-31 16:54:41

Previously used code signing certificates were:

      S/N: 112117F638BDC993B761C6073D63C2F86EC4
   Issuer: CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
 sha1_fpr: 15:94:27:DA:C1:6E:68:A4:DD:47:EF:04:D2:17:C5:56:00:CF:A0:EC
  md5_fpr: 35:64:A0:D5:FC:6A:58:83:B8:C4:F7:1F:1C:F9:A6:9E
notBefore: 2013-06-20 14:48:08
 notAfter: 2016-09-10 09:27:26
      S/N: 0100000000012A60AF8A8F
   Issuer: CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,C=DE
 sha1_fpr: B4:71:26:90:F0:3A:69:1E:F0:75:3F:8D:11:C9:EA:C3:6D:FB:7C:92
  md5_fpr: 80:0E:E2:F9:6F:AC:F4:16:0F:B2:AB:65:CA:82:22:55
notBefore: 2010-08-11 09:27:29
 notAfter: 2013-08-11 09:27:26