English |
Check integrity of Gpg4win packages
Usually you can use Microsoft's own methods to check that the installer is signed by one of the current code signing certificates listed below.
Microsoft will normally display the code signature in an user account control dialog when you try to execute the downloaded file; alternatively you can take a look in the file properties with the explorer.
Additional methods how to check the integrity can be found on the Wiki page on integrity checks.
Code Signing Certificate
All Gpg4win exe installer files since April 2016 are signed with the following code signing certificate:
S/N: 1121A3D67EAB28AA86FD85728B57FA62630D
Issuer: CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
sha1_fpr: DE:16:D5:97:2F:0B:73:95:F7:D9:1E:DC:1F:21:9B:0F:FE:89:FA:B3
md5_fpr: C0:98:08:94:D4:E7:97:3E:9D:F4:18:E4:5E:0A:2E:D7
notBefore: 2016-03-30 16:54:41
notAfter: 2019-03-31 16:54:41
Previously used code signing certificates were:
S/N: 112117F638BDC993B761C6073D63C2F86EC4
Issuer: CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE
Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
sha1_fpr: 15:94:27:DA:C1:6E:68:A4:DD:47:EF:04:D2:17:C5:56:00:CF:A0:EC
md5_fpr: 35:64:A0:D5:FC:6A:58:83:B8:C4:F7:1F:1C:F9:A6:9E
notBefore: 2013-06-20 14:48:08
notAfter: 2016-09-10 09:27:26
S/N: 0100000000012A60AF8A8F
Issuer: CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE
Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
CN=Intevation GmbH,O=Intevation GmbH,C=DE
sha1_fpr: B4:71:26:90:F0:3A:69:1E:F0:75:3F:8D:11:C9:EA:C3:6D:FB:7C:92
md5_fpr: 80:0E:E2:F9:6F:AC:F4:16:0F:B2:AB:65:CA:82:22:55
notBefore: 2010-08-11 09:27:29
notAfter: 2013-08-11 09:27:26
SHA256 checksums
ba2c4ac4cf9a44e19611f86ece4bafa71a5ef02553a1652a73b9037c74608b69 gpg4win-3.1.7.exe d559a128bb983bb4241c4c1ac1657bcc8d3eea180af4166bd4a12eaad4f4f399 gpg4win-src-3.1.7.exe 1bc9ea9f2703cfe6878885507bb8d35a5a98cbda69ebe6bdbe909dd11d764e7f gpg4win-3.1.7.tar.bz2
SHA1 checksums
bd1d8a11b71dc8ef4ea856ffac0440d9005a9c40 gpg4win-3.1.7.exe 63644661a59ada50d33edbf986c4357e39fb8857 gpg4win-src-3.1.7.exe 8e5311fe3e8201ebf7a102d7952d147701a5dac3 gpg4win-3.1.7.tar.bz2
OpenPGP signatures
For gpg4win-3.1.7.exe:
https://files.gpg4win.org/gpg4win-3.1.7.exe.sig
For gpg4win-src-3.1.7.exe:
https://files.gpg4win.org/gpg4win-src-3.1.7.exe.sig
For gpg4win-3.1.7.tar.bz2:
https://files.gpg4win.org/gpg4win-3.1.7.tar.bz2.sig
The signatures have been created with the following OpenPGP certificate:
Intevation File Distribution Key
(Fingerprint: 61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8)
Since 2017 new releases are additionally signed with a new certificate that
matches more modern key standards:
Intevation File Distribution Key
(Fingerprint: 13E3 CE81 AFEA 6F68 3E46 6E0D 42D8 7608 2688 DA1A)
The certificate can also be retrieved from OpenPGP certificate servers. Loading a certificate from a certificate server can be done e.g. via Kleopatra or GPA. Checking the signature of a file is best done with GpgEX via the Explorer.
File lengths
If you have a mismatch on the checksum or a bad signature you should first verify that you really downloaded the complete file. Here are the lengths you should get:
28864592 bytes for gpg4win-3.1.7.exe 233124760 bytes for gpg4win-src-3.1.7.exe 5425957 bytes for gpg4win-3.1.7.tar.bz2
