I have a few questions about checking the integrity of the gpg4win package. I browsed the topics on the forum and I think it will help others as well.
1. I have read https://wiki.gnupg.org/Gpg4win/CheckIntegrity and I think it is enough to see the entry "Verified publisher: g10 Code GmbH" in the User Account Control window. Am I thinking correctly?
2. What the User Account Control window displays (i.e. the entry "Verified publisher: g10 Code GmbH") should be compared with what we have on the page Gpg4win - Check Integrity under Code Signing Certificate.
As you can see, we only have g10 Code GmbH in the Subject: some data, CN=g10 Code GmbH,O=g10 Code GmbH, some data.
So I just compare the entry "Verified publisher: …" from the User Account Control window with CN=… O=… from the Code Signing Certificate section of Gpg4win - Check Integrity?
I’m asking about all this because I want to know how to check the integrity of gpg4win in the future in case "Verified publisher: …" or the values in CN=… and O=… change. Previously, we had the following data in the Code Signing Certificate:
Optional for some additional safety: compare the certificate of the publisher not just by name, but also by using the SHA256 hash checksum, because you want to make sure that it is exactly the certificate that the webpages announced. (The name should be good enough if Microsoft and the certification service providers have all worked correctly. Then only good certificate authorities have their code signing certificates marked as trusted in Windows, and they have also vetted the organisation they were selling the code signing certificates to.)
Yes, anyone with a code signing certificate can sign code for Windows, but the organisations “Intevation GmbH” and “g10 code GmbH” are the companies in Germany that have provided all the Gpg4win builds in recent years. You can look those companies up in official registers in Germany. (One is my company.) If either is renamed or we shuffle responsibilities for other reasons, a new name may appear. In this case you would need to check whether the new organisation is trustworthy.
Optional for some additional safety: compare the certificate of the publisher not just by name, but also by using the SHA256 hash checksum of the certificate (aka sha2_fpr). Some tools only display SHA1 to be compared with sha1_fpr, which is not as good as comparing SHA256, but still gives extra security over just comparing the name.
After selecting "Show information about the publisher's certificate" in User Account Control and then Details, I only have Thumbprint. That is the entry sha1_fpr in our Code Signing Certificate. Where should I look for the SHA256 hash checksum of the certificate (aka sha2_fpr)?
Of course, I also compare the sha256 of the FILE with what is on the website. That is:
But this is a sha256 file check, not a certificate.
Please help.
Can I feel safe if I check all of the values below?
1. Certificate publisher name
2. SHA1 of this certificate (its thumbprint)
3. SHA256 of the downloaded file
I don’t know how I can check the sha256 of the certificate being verified. I searched for instructions on the web, but I found only those that concern file verification (not certificate).
Do I no longer need to check the sha256 of the downloaded file?
I have one more question about signtool. I’ve never used it. Will signtool show me the sha256 of the certificate being checked? Of course, considering my version of Windows (which without signtool doesn’t show it).
I don’t know. There are probably different versions of signtool. SignTool - Win32 apps | Microsoft Learn does not say how the display of the certificates is done.
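As an added example, not from this thread or from the Gpg4win project: PowerShell can read the installer's Authenticode signature without signtool, and the certificate's SHA256 fingerprint (sha2_fpr) is simply SHA256 over the certificate's DER bytes, the same way the Thumbprint shown in the Windows dialog is SHA1 over them. The installer path and the expected values are assumed placeholders to be taken from your download and from the Check Integrity page.

```powershell
# Added example (not from the thread or the project). Reads the Authenticode signer
# certificate of the downloaded installer and returns the values the Check Integrity
# page lists: Subject (CN=/O=), sha1_fpr (Thumbprint), sha2_fpr, plus the file SHA256.
function Test-Gpg4winSignature {
    param(
        [Parameter(Mandatory)][string]$Installer,        # path to the downloaded .exe (assumed)
        [Parameter(Mandatory)][string]$ExpectedSha2Fpr,  # sha2_fpr copied from the web page
        [string]$ExpectedFileSha256                      # optional: published file checksum
    )

    # Same chain validation UAC performs: status must be Valid, not just "has a signature".
    $sig = Get-AuthenticodeSignature -FilePath $Installer
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    $cert = $sig.SignerCertificate

    # Fingerprint = hash over the DER encoding (RawData). Thumbprint is the SHA1 of it.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $certSha2 = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''
    $fileSha2 = (Get-FileHash -Algorithm SHA256 -Path $Installer).Hash

    # Published fingerprints are often written with spaces or colons; compare hex only.
    $norm = { param($s) ($s -replace '[^0-9a-fA-F]', '').ToUpperInvariant() }

    [pscustomobject]@{
        Subject     = $cert.Subject            # compare CN=/O= with the page
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        sha1_fpr    = $cert.Thumbprint         # what the UAC/certificate dialog shows
        sha2_fpr    = $certSha2
        FileSha256  = $fileSha2
        CertMatches = (& $norm $certSha2) -eq (& $norm $ExpectedSha2Fpr)
        FileMatches = if ($ExpectedFileSha256) { (& $norm $fileSha2) -eq (& $norm $ExpectedFileSha256) } else { $null }
    }
}

# Usage (placeholder values; take the real ones from your download and the Check Integrity page):
# Test-Gpg4winSignature -Installer "$env:USERPROFILE\Downloads\gpg4win-x.y.z.exe" `
#     -ExpectedSha2Fpr '<sha2_fpr from the page>' -ExpectedFileSha256 '<file sha256 from the page>' | Format-List
```

Both CertMatches and FileMatches should be True; a Valid status with CertMatches False means a trusted but different certificate signed the file, which is exactly the case the name comparison alone would not catch.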