English |
Check integrity of Gpg4win packages
How to actually perform the checks can be found e.g. on the GnuPG web page on integrity checks.
SHA1 checksums
26c38609dd4e67bbee65091d09f35356dcac0b58 gpg4win-2.3.4.exe d3c64e1ad616035d1b6cfc4692ca914e69e35394 gpg4win-light-2.3.4.exe 1f280bfc72b61c48785f913b3663a1444a4c9a32 gpg4win-vanilla-2.3.4.exe c895737d1f8b6dc89a6437c6224de3927970bc0a gpg4win-src-2.3.4.exe d53469b76c2d49ed159f8e30b2a867013e89eb79 gpg4win-2.3.4.tar.bz2
OpenPGP signatures
For gpg4win-2.3.4.exe:
https://files.gpg4win.org/gpg4win-2.3.4.exe.sig
For gpg4win-light-2.3.4.exe:
https://files.gpg4win.org/gpg4win-light-2.3.4.exe.sig
For gpg4win-vanilla-2.3.4.exe:
https://files.gpg4win.org/gpg4win-vanilla-2.3.4.exe.sig
For gpg4win-src-2.3.4.exe:
https://files.gpg4win.org/gpg4win-src-2.3.4.exe.sig
For gpg4win-2.3.4.tar.bz2:
https://files.gpg4win.org/gpg4win-2.3.4.tar.bz2.sig
The signatures have been created with the following OpenPGP certificate
Intevation File Distribution Key
(Fingerprint: 61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8)
Since 2017 new releases are additionally signed with a new certificate that
matches more modern key standards:
Intevation File Distribution Key
(Fingerprint: 13E3 CE81 AFEA 6F68 3E46 6E0D 42D8 7608 2688 DA1A)
The certificate can also be retrieved from OpenPGP certificate servers. Loading a certificate from a certificate server can be done e.g. via Kleopatra or GPA. Checking the signature of a file is best done with GpgEX via the Explorer.
File lengths
If you have a mismatch on the checksum or a bad signature you should first verify that you really downloaded the complete file. Here are the lengths you should get:
25677520 bytes for gpg4win-2.3.4.exe 8508216 bytes for gpg4win-light-2.3.4.exe 3365384 bytes for gpg4win-vanilla-2.3.4.exe 294580128 bytes for gpg4win-src-2.3.4.exe 5900252 bytes for gpg4win-2.3.4.tar.bz2
Code Signing Certificate
All Gpg4win exe installer files since April 2016 are signed with the following code signing certificate:
S/N: 1121A3D67EAB28AA86FD85728B57FA62630D
Issuer: CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
sha1_fpr: DE:16:D5:97:2F:0B:73:95:F7:D9:1E:DC:1F:21:9B:0F:FE:89:FA:B3
md5_fpr: C0:98:08:94:D4:E7:97:3E:9D:F4:18:E4:5E:0A:2E:D7
notBefore: 2016-03-30 16:54:41
notAfter: 2019-03-31 16:54:41
Previously used code signing certificates were:
S/N: 112117F638BDC993B761C6073D63C2F86EC4
Issuer: CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE
Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
sha1_fpr: 15:94:27:DA:C1:6E:68:A4:DD:47:EF:04:D2:17:C5:56:00:CF:A0:EC
md5_fpr: 35:64:A0:D5:FC:6A:58:83:B8:C4:F7:1F:1C:F9:A6:9E
notBefore: 2013-06-20 14:48:08
notAfter: 2016-09-10 09:27:26
S/N: 0100000000012A60AF8A8F
Issuer: CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE
Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,CN=Intevation GmbH,O=Intevation GmbH,C=DE
sha1_fpr: B4:71:26:90:F0:3A:69:1E:F0:75:3F:8D:11:C9:EA:C3:6D:FB:7C:92
md5_fpr: 80:0E:E2:F9:6F:AC:F4:16:0F:B2:AB:65:CA:82:22:55
notBefore: 2010-08-11 09:27:29
notAfter: 2013-08-11 09:27:26
