English | Deutsch
Home »

Check integrity of Gpg4win packages

Usually you can use Microsoft's own methods to check that the installer is signed by one of the current code signing certificates listed below.

Microsoft will normally display the code signature in an user account control dialog when you try to execute the downloaded file; alternatively you can take a look in the file properties with the explorer.

Additional methods how to check the integrity can be found on the Wiki page on integrity checks.

Code Signing Certificate

The Gpg4win exe installer is signed with the following code signing certificate (since 2022):

      S/N: 4F7382A39E57A34E167CF912
   Issuer: CN=GlobalSign GCC R45 CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F646540673130636F64652E636F6D,CN=g10 Code GmbH,O=g10 Code GmbH,L=Erkrath,ST=Nordrhein-Westfalen,C=DE
 sha2_fpr: DF:B5:9B:70:5C:47:9E:4E:FF:34:AD:BF:F9:B8:DC:AF:5F:74:D3:F6:58:91:F3:8C:D1:B1:0D:C8:D3:F1:42:20
 sha1_fpr: B2:85:2D:44:90:F6:55:EB:EA:DF:9F:FD:8D:09:2E:81:54:45:00:77
   certid: 6E9CA841CF00ABF4F8929210FF478C9CAB578518.4F7382A39E57A34E167CF912
  keygrip: A340DB2D0B82943E8AFD854C6366D5953014D583
notBefore: 2022-04-08 08:26:24
 notAfter: 2025-07-02 12:12:13

Previously used code signing certificates were:

      S/N: 2F48FAE3C9E7B142B9A8B259
   Issuer: CN=GlobalSign GCC R45 CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F646540673130636F64652E636F6D,CN=g10 Code GmbH,O=g10 Code GmbH,L=Erkrath,ST=Nordrhein-Westfalen,C=DE
 sha2_fpr: B7:15:C7:C6:11:5A:99:A8:B1:C2:91:BE:68:90:BB:EE:AD:42:EE:2F:F6:17:78:E3:66:A0:1A:21:4E:FD:D8:00
 sha1_fpr: 87:94:97:61:BE:B0:7B:FD:0B:90:F3:76:1F:1D:3E:3F:CC:3C:4D:B3
   certid: 6E9CA841CF00ABF4F8929210FF478C9CAB578518.2F48FAE3C9E7B142B9A8B259
  keygrip: 353A5BE748A8622E4D121DB3340A4EC1D4058BE1
notBefore: 2021-04-21 16:45:15 UTC
 notAfter: 2022-06-02 12:12:13 UTC

      S/N: 39E684F05C48911BAFB37629
   Issuer: CN=GlobalSign CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F646540673130636F64652E636F6D,
           CN=g10 Code GmbH,O=g10 Code GmbH,L=Erkrath,ST=Nordrhein-Westfalen,C=DE
 sha2_fpr: E0:4D:CD:E2:C9:EA:51:F3:34:63:CC:16:05:F2:9E:01:C2:84:F1:8F:ED:C8:E6:A6:42:05:EE:81:11:EF:BE:8C
 sha1_fpr: 42:DE:0F:25:84:8B:D2:E4:41:62:E1:BF:29:CD:97:0E:EB:70:F6:48
  md5_fpr: 89:A8:7B:01:99:1B:74:AD:75:86:20:C3:AF:36:9E:76
notBefore: 2019-04-23 05:54:41 UTC
 notAfter: 2022-06-02 12:12:13 UTC

      S/N: 53F647D0F1DBA9E312A05669
   Issuer: CN=GlobalSign CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE 
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
           CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
 sha1_fpr: C1:3A:65:96:3A:D5:3E:78:69:4D:D2:23:D5:18:00:77:91:A0:5F:E4
  md5_fpr: 4C:AD:36:5A:30:06:B0:A3:6D:BB:1E:30:1E:44:4E:17
notBefore: 2019-03-13 12:15:07
 notAfter: 2022-04-30 16:54:41

      S/N: 1121A3D67EAB28AA86FD85728B57FA62630D
   Issuer: CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
           CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
 sha1_fpr: DE:16:D5:97:2F:0B:73:95:F7:D9:1E:DC:1F:21:9B:0F:FE:89:FA:B3
  md5_fpr: C0:98:08:94:D4:E7:97:3E:9D:F4:18:E4:5E:0A:2E:D7
notBefore: 2016-03-30 16:54:41
 notAfter: 2019-03-31 16:54:41

      S/N: 112117F638BDC993B761C6073D63C2F86EC4
   Issuer: CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
           CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
 sha1_fpr: 15:94:27:DA:C1:6E:68:A4:DD:47:EF:04:D2:17:C5:56:00:CF:A0:EC
  md5_fpr: 35:64:A0:D5:FC:6A:58:83:B8:C4:F7:1F:1C:F9:A6:9E
notBefore: 2013-06-20 14:48:08
 notAfter: 2016-09-10 09:27:26

      S/N: 0100000000012A60AF8A8F
   Issuer: CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
           CN=Intevation GmbH,O=Intevation GmbH,C=DE
 sha1_fpr: B4:71:26:90:F0:3A:69:1E:F0:75:3F:8D:11:C9:EA:C3:6D:FB:7C:92
  md5_fpr: 80:0E:E2:F9:6F:AC:F4:16:0F:B2:AB:65:CA:82:22:55
notBefore: 2010-08-11 09:27:29
 notAfter: 2013-08-11 09:27:26

SHA256 checksums

1583979e2400e6dba6f881db81c5ff72747af3c6b106e9face2323c68793a8a7  gpg4win-4.0.2.exe
5b2dc8df86dac22c4da80c33827b58692e4426bfb99696a67a1ef73688378d96  gpg4win-4.0.2.tar.bz2

SHA1 checksums

5bf307c0e7de31e94572d97cca6ef1d8be5008af  gpg4win-4.0.2.exe
7d9bd6cfd189b364a02586159b6b995f1fc7bba2  gpg4win-4.0.2.tar.bz2

OpenPGP signatures

For gpg4win-4.0.2.exe: https://files.gpg4win.org/gpg4win-4.0.2.exe.sig
For gpg4win-4.0.2.tar.bz2: https://files.gpg4win.org/gpg4win-4.0.2.tar.bz2.sig

Since 2021 the signatures are created by one of the official GnuPG release keys (aka certificates) they can be obtained from the GnuPG Homepage or downloaded from public keyservers.

Previous public key (used up to 2021):
Intevation File Distribution Key
(Fingerprint: 13E3 CE81 AFEA 6F68 3E46 6E0D 42D8 7608 2688 DA1A)

Previous public key (used up to 2016):
Intevation File Distribution Key
(Fingerprint: 61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8)

Checking the signature is best done via the File Explorer: Right click on the file and use GpgEX options -> verify.

File lengths

If you have a mismatch on the checksum or a bad signature you should first verify that you really downloaded the complete file. Here are the lengths you should get:

31002960  bytes for gpg4win-4.0.2.exe
214952377   bytes for gpg4win-4.0.2.tar.bz2