English | Deutsch
Home »

Check integrity of Gpg4win packages

Usually you can use Microsoft's own methods to check that the installer is signed by one of the current code signing certificates listed below.

Microsoft will normally display the code signature in an user account control dialog when you try to execute the downloaded file; alternatively you can take a look in the file properties with the explorer.

Additional methods how to check the integrity can be found on the Wiki page on integrity checks.

Code Signing Certificate

All Gpg4win exe installer files since April 2016 are signed with the following code signing certificate:

      S/N: 1121A3D67EAB28AA86FD85728B57FA62630D
   Issuer: CN=GlobalSign CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
           CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
 sha1_fpr: DE:16:D5:97:2F:0B:73:95:F7:D9:1E:DC:1F:21:9B:0F:FE:89:FA:B3
  md5_fpr: C0:98:08:94:D4:E7:97:3E:9D:F4:18:E4:5E:0A:2E:D7
notBefore: 2016-03-30 16:54:41
 notAfter: 2019-03-31 16:54:41

Previously used code signing certificates were:

      S/N: 112117F638BDC993B761C6073D63C2F86EC4
   Issuer: CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
           CN=Intevation GmbH,O=Intevation GmbH,L=Osnabrueck,ST=Niedersachsen,C=DE
 sha1_fpr: 15:94:27:DA:C1:6E:68:A4:DD:47:EF:04:D2:17:C5:56:00:CF:A0:EC
  md5_fpr: 35:64:A0:D5:FC:6A:58:83:B8:C4:F7:1F:1C:F9:A6:9E
notBefore: 2013-06-20 14:48:08
 notAfter: 2016-09-10 09:27:26

      S/N: 0100000000012A60AF8A8F
   Issuer: CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE
  Subject: 1.2.840.113549.1.9.1=#636F64657369676E696E6740696E7465766174696F6E2E6465,
           CN=Intevation GmbH,O=Intevation GmbH,C=DE
 sha1_fpr: B4:71:26:90:F0:3A:69:1E:F0:75:3F:8D:11:C9:EA:C3:6D:FB:7C:92
  md5_fpr: 80:0E:E2:F9:6F:AC:F4:16:0F:B2:AB:65:CA:82:22:55
notBefore: 2010-08-11 09:27:29
 notAfter: 2013-08-11 09:27:26

SHA256 checksums

0cf87835a914cb6fd1bcb32e8beee995b5da35c513f627356685c389df1be6cb  gpg4win-3.1.4.exe
aae3f8ac81dd7d928778d3075a1b9bb0b20c4b5e29e96014a39503e1f4b5e5a7  gpg4win-src-3.1.4.exe
eb68cfd593f12c50cc92aaaf616a3325a80beb8f60637e67a3296f687ab8b446  gpg4win-3.1.4.tar.bz2

SHA1 checksums

64194f372418b879a708ce7cd3ff7ca8606e993c  gpg4win-3.1.4.exe
316dd82b75ef3b6d77bb56567d17e94e07ec9128  gpg4win-src-3.1.4.exe
89ea985720b7b891b20822b60335f5920c86c478  gpg4win-3.1.4.tar.bz2

OpenPGP signatures

For gpg4win-3.1.4.exe: https://files.gpg4win.org/gpg4win-3.1.4.exe.sig
For gpg4win-src-3.1.4.exe: https://files.gpg4win.org/gpg4win-src-3.1.4.exe.sig
For gpg4win-3.1.4.tar.bz2: https://files.gpg4win.org/gpg4win-3.1.4.tar.bz2.sig

The signatures have been created with the following OpenPGP certificate:
Intevation File Distribution Key
(Fingerprint: 61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8)


Since 2017 new releases are additionally signed with a new certificate that matches more modern key standards:
Intevation File Distribution Key
(Fingerprint: 13E3 CE81 AFEA 6F68 3E46 6E0D 42D8 7608 2688 DA1A)

The certificate can also be retrieved from OpenPGP certificate servers. Loading a certificate from a certificate server can be done e.g. via Kleopatra or GPA. Checking the signature of a file is best done with GpgEX via the Explorer.

File lengths

If you have a mismatch on the checksum or a bad signature you should first verify that you really downloaded the complete file. Here are the lengths you should get:

28467616  bytes for gpg4win-3.1.4.exe
228735592 bytes for gpg4win-src-3.1.4.exe
5428130   bytes for gpg4win-3.1.4.tar.bz2