The signature in gpg4win-2.3.3.exe.sig is an OpenPGP signature, which you can verify through GnuPG (but Windows has no support for OpenPGP). You're comparing different kinds of signatures.

I am comparing the sha1_fpr to the primary key fingerprint.

GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
Issuer: CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

My concern is that the primary key fingerprint does not match the code signing certificate on their web-site:

Code Signing Certificate
All Gpg4win exe installer files since April 2016 are signed with the following code signing certificate:
S/N: 1121A3D67EAB28AA86FD85728B57FA62630D

gpg: binary signature, digest algorithm SHA1
Primary key fingerprint: 61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8
gpg: There is no indication that the signature belongs to the owner.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: Good signature from "Intevation File Distribution Key "
gpg: Signature made Thu 05:20:50 AM EDT using DSA key ID EC70B1B8

I have access to a machine that has a verified GnuPG installation.

I am attempting to verify that the GPG4win file I downloaded is actually legit.
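The distinction drawn above, as an added example that is not part of the original post: the `.sig` file is checked against an OpenPGP key fingerprint, never against the code-signing certificate's `sha1_fpr`. The function names, the pinned-fingerprint variable and the sample status lines are constructed for illustration; only the `[GNUPG:]` status-line format is GnuPG's own.

```sh
#!/bin/sh
# An OpenPGP fingerprint is a hash over the public-key packet; an X.509
# sha1_fpr is a hash over the DER certificate. Both are 40 hex digits for
# SHA-1, but they describe different objects and cannot be compared.

# Fingerprint printed by gpg on the page. Assumption: a real pin must come
# from a source trusted independently of the download itself.
PINNED_FPR='61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8'

# Strip spaces and upper-case, so grouped and ungrouped forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --status-fd 1 --verify FILE.sig FILE` output on stdin and print
# the primary-key fingerprint from the VALIDSIG line (field 12 when present,
# otherwise the signing-key fingerprint in field 3). No VALIDSIG, no output.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# $1 = status text, $2 = pinned OpenPGP fingerprint.
# Succeeds only for a cryptographically valid signature made by the pinned key.
signature_matches_pin() {
    got=$(printf '%s\n' "$1" | primary_fpr_from_status)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$2")" ]
}

# Constructed status output (date and timestamp are made up; 17 = DSA,
# 2 = SHA1, 00 = binary signature, matching the gpg text on the page).
SAMPLE_GOOD='[GNUPG:] GOODSIG 7CBD620BEC70B1B8 Intevation File Distribution Key
[GNUPG:] VALIDSIG 61AC3F5EE4BE593C13D68B1E7CBD620BEC70B1B8 2016-01-01 1451606400 0 4 0 17 2 00 61AC3F5EE4BE593C13D68B1E7CBD620BEC70B1B8'

# Constructed output for a tampered file: BADSIG, and no VALIDSIG line.
SAMPLE_BAD='[GNUPG:] BADSIG 7CBD620BEC70B1B8 Intevation File Distribution Key'

if signature_matches_pin "$SAMPLE_GOOD" "$PINNED_FPR"; then
    echo "OpenPGP signature is valid and was made by the pinned key"
else
    echo "signature missing, bad, or made by a different key"
fi
```

The "not certified with a trusted signature" warning in the quoted output means GnuPG has no trust path to the key, which is why the fingerprint has to be compared against an independently obtained value.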