Check integrity of Gpg4win packages

Instructions for performing these checks are on the Wiki page on integrity checks.

Code Signing Certificate

All Gpg4win exe installer files since April 2016 are signed with the following code signing certificate:

      S/N: 1121A3D67EAB28AA86FD85728B57FA62630D
   Issuer: CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
           CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
 sha1_fpr: DE:16:D5:97:2F:0B:73:95:F7:D9:1E:DC:1F:21:9B:0F:FE:89:FA:B3
  md5_fpr: C0:98:08:94:D4:E7:97:3E:9D:F4:18:E4:5E:0A:2E:D7
notBefore: 2016-03-30 16:54:41
 notAfter: 2019-03-31 16:54:41

Previously used code signing certificates were:

      S/N: 112117F638BDC993B761C6073D63C2F86EC4
   Issuer: CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
           CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
 sha1_fpr: 15:94:27:DA:C1:6E:68:A4:DD:47:EF:04:D2:17:C5:56:00:CF:A0:EC
  md5_fpr: 35:64:A0:D5:FC:6A:58:83:B8:C4:F7:1F:1C:F9:A6:9E
notBefore: 2013-06-20 14:48:08
 notAfter: 2016-09-10 09:27:26

      S/N: 0100000000012A60AF8A8F
   Issuer: CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
           CN=Intevation GmbH,O=Intevation GmbH,C=DE
 sha1_fpr: B4:71:26:90:F0:3A:69:1E:F0:75:3F:8D:11:C9:EA:C3:6D:FB:7C:92
  md5_fpr: 80:0E:E2:F9:6F:AC:F4:16:0F:B2:AB:65:CA:82:22:55
notBefore: 2010-08-11 09:27:29
 notAfter: 2013-08-11 09:27:26

SHA256 checksums

2565bf6faf8defb8fa61b0b1a30f0e68e2ca5ceb3177d08516e00ca1620252bf  gpg4win-3.0.0.exe
08cdc060fab1b6a68246dffedbde185c1cd2646d28a7f02e90a4f11415aecb7b  gpg4win-src-3.0.0.exe
120cd3e8826d6e3e9f35b86b59973e8d1dd7ce713a42c20fe9493f720cf3569c  gpg4win-3.0.0.tar.bz2

SHA1 checksums

8262d1818b4f9a890ce6182cafdb9510387e88e0  gpg4win-3.0.0.exe
0bf0066d57f0a51ecbfefbbd165cda33586a558e  gpg4win-src-3.0.0.exe
2dc412675632da44c7f4dc120f1b2e866e350573  gpg4win-3.0.0.tar.bz2

OpenPGP signatures

For gpg4win-3.0.0.exe: https://files.gpg4win.org/gpg4win-3.0.0.exe.sig
For gpg4win-src-3.0.0.exe: https://files.gpg4win.org/gpg4win-src-3.0.0.exe.sig
For gpg4win-3.0.0.tar.bz2: https://files.gpg4win.org/gpg4win-3.0.0.tar.bz2.sig

The signatures have been created with the following OpenPGP certificate:
Intevation File Distribution Key
(Fingerprint: 61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8)


Since 2017, new releases are additionally signed with a new certificate that meets more modern key standards:
Intevation File Distribution Key
(Fingerprint: 13E3 CE81 AFEA 6F68 3E46 6E0D 42D8 7608 2688 DA1A)

The certificate can also be retrieved from OpenPGP certificate servers. A certificate can be loaded from a certificate server with, for example, Kleopatra or GPA. Checking the signature of a file is best done with GpgEX via the Explorer.

File lengths

If you get a checksum mismatch or a bad signature, first verify that you really downloaded the complete file. Here are the lengths you should get:

27164864  bytes for gpg4win-3.0.0.exe
226593952 bytes for gpg4win-src-3.0.0.exe
6481987   bytes for gpg4win-3.0.0.tar.bz2
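
The script below is an added example, not part of the Gpg4win project or its Wiki. It combines the SHA256 checksums and file lengths listed above so that a truncated download is reported separately from a file whose content differs. The function names and result strings are assumptions made for this example; the lengths and checksums are copied from this page.

```python
import hashlib
import os
import sys

# Published values copied from this page: file name -> (length in bytes, SHA-256).
PUBLISHED = {
    "gpg4win-3.0.0.exe": (
        27164864,
        "2565bf6faf8defb8fa61b0b1a30f0e68e2ca5ceb3177d08516e00ca1620252bf"),
    "gpg4win-src-3.0.0.exe": (
        226593952,
        "08cdc060fab1b6a68246dffedbde185c1cd2646d28a7f02e90a4f11415aecb7b"),
    "gpg4win-3.0.0.tar.bz2": (
        6481987,
        "120cd3e8826d6e3e9f35b86b59973e8d1dd7ce713a42c20fe9493f720cf3569c"),
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash in 1 MiB chunks so the 226 MB source installer is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_download(path, published=PUBLISHED):
    """Return 'ok', 'unknown-file', 'incomplete', 'wrong-length' or 'checksum-mismatch'."""
    name = os.path.basename(path)
    if name not in published:
        return "unknown-file"        # no published values for this file name
    want_len, want_sha256 = published[name]
    have_len = os.path.getsize(path)
    if have_len < want_len:
        return "incomplete"          # shorter than published: download again
    if have_len > want_len:
        return "wrong-length"        # longer than published: not the listed file
    # A matching length is only a completeness check; the hash decides integrity.
    if sha256_file(path) != want_sha256.lower():
        return "checksum-mismatch"   # complete but different content: do not run it
    return "ok"


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        print(f"{arg}: {check_download(arg)}")
```

A result of `ok` only shows that the file matches the values listed on this page; the OpenPGP signature and the code signing certificate are checked separately.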