Tuesday, April 11, 2006

How to verify GnuPG 1.4.3 (and Gpg4win 1.0.0)

Obviously, when you see something like
GnuPG 1.4.3 released
you will want to verify that what you just downloaded is the real thing, before you trust it. Here is how.

gpg --verify gnupg-1.4.3.tar.bz2.sig

This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key.

Note that you can retrieve the signing key using the command
finger wk@g10code.com
or using a keyserver like
gpg --recv-key 1CE0C630

The distribution key 1CE0C630 is signed by the well-known key 5B0358A2. If you get a key expired message, you should retrieve a fresh copy, as the expiration date might have been prolonged. NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

* If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-1.4.3.tar.bz2, you would run the sha1sum command like this:

sha1sum gnupg-1.4.3.tar.bz2

and check that the output matches the first line from the following list:

9e96b36e4f4d1e8bc5028c99fac674482cbdb370 gnupg-1.4.3.tar.bz2
7c0f5db594bed9a901d9be43c31f6c80c6080141 gnupg-1.4.3.tar.gz
5477211551e96ad689c7618ee39a2b9c186721ef gnupg-1.4.2.2-1.4.3.diff.bz2
abf49fa5dc71e291144780d47f2811d83ae5e1ba gnupg-w32cli-1.4.3.exe

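The two checks above, written out in Python as an added example (not code from the post or from the GnuPG project): the signature check drives an already-installed gpg through --status-fd and accepts only a VALIDSIG line naming a fingerprint you obtained independently (the post gives the key id 1CE0C630 but not its fingerprint, so that value is a placeholder you must supply), and the checksum check compares a downloaded file against the published SHA-1 list. Function names and the tolerance for a flattened list are my own.

```python
"""Two checks for a downloaded GnuPG release: the detached signature via an
already-installed gpg (never the freshly downloaded one), and the SHA-1
checksum against the published list for hosts without a usable gpg."""
import hashlib
import subprocess

# SHA-1 list from the 1.4.3 announcement, exactly as printed on the page.
GNUPG_143_SHA1 = """
9e96b36e4f4d1e8bc5028c99fac674482cbdb370 gnupg-1.4.3.tar.bz2
7c0f5db594bed9a901d9be43c31f6c80c6080141 gnupg-1.4.3.tar.gz
5477211551e96ad689c7618ee39a2b9c186721ef gnupg-1.4.2.2-1.4.3.diff.bz2
abf49fa5dc71e291144780d47f2811d83ae5e1ba gnupg-w32cli-1.4.3.exe
"""


def parse_checksums(text):
    """Map filename -> lowercase digest from 'digest filename' pairs.
    Works whether the list is one pair per line or flattened onto one line."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("checksum list is not digest/filename pairs")
    return {name: digest.lower() for digest, name in zip(tokens[::2], tokens[1::2])}


def sha1_matches(data, filename, checksums):
    """True only if the published digest for filename equals sha1(data)."""
    published = checksums.get(filename)
    return published is not None and hashlib.sha1(data).hexdigest() == published


def signature_is_valid(sig_path, data_path, expected_fpr, gpg="gpg"):
    """Run the EXISTING gpg with --status-fd and accept only a VALIDSIG line
    naming the expected key. VALIDSIG is emitted for good signatures only; its
    third field is the signing key fingerprint and the eleventh (when present)
    the primary key fingerprint. expected_fpr is a placeholder: take it from
    an independent source, not from the download you are checking."""
    want = expected_fpr.replace(" ", "").upper()
    try:
        proc = subprocess.run([gpg, "--status-fd", "1", "--verify", sig_path, data_path],
                              capture_output=True, text=True)
    except FileNotFoundError:
        raise RuntimeError("no existing gpg found; fall back to sha1_matches()")
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            fprs = {parts[2].upper()}
            if len(parts) >= 11:
                fprs.add(parts[10].upper())
            return want in fprs
    return False
```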
And of course, the announcement:
"After struggling for 6 months with Windows peculiarities, we are finally pleased to announce the *first stable release of Gpg4win*, version 1.0.0! (located here: Gpg4win 1.0.0 released)"
should lead you to do similar verification.

Regarding Gpg4win, if you are stuck on such a platform:
The *ready to use installer* is available at:

http://ftp.gpg4win.org/gpg4win-1.0.0.exe (6.8M)
http://ftp.gpg4win.org/gpg4win-1.0.0.exe.sig

SHA1 and MD5 checksums are given below.

SHA1 checksum:
c0ccd90c9aec23447bcd883cfd0602712967cfc6 gpg4win-1.0.0.exe

MD5 checksum:
299fa8567a484ea32706b11d318dbe9a gpg4win-1.0.0.exe

Building the installer is not possible on Windows machines and works best on current Debian GNU/Linux systems (we use the mingw32 package from Sid).

It is of course "interesting" that you cannot build the installer on that platform.
