Can't verify install - checksums don't match

Attempting to do a new install and verify it. My security certificate isn’t completely matching this webpage.
https://www.gpg4win.org/package-integrity.html
but also when I do a checksum of sha256 it doesn’t match the above webpage either?
my gpg4win-4.2.0.exe hash returns
829b5c8eb913…
Anyone know if there is a newer integrity certificate or ?
Thanks.

That looks good as you can see in the first line after the header SHA256 checksums on the page you linked.

How did you try to verify it? Did you read the wiki page for the verification?

Thanks for your reply.
I’m not sure where you see a match. I’ll be honest I’m new at this but attempting to be more proactive in what I’m installing.
My sha256 hash is this.
829b5c8eb913fa383abdd4cf129a42e0f72d4e9924b2610134f593851f0ab119

Where does that match anything from the certificate I’m supposed to be comparing like you suggest? Genuinely curious and want to learn here. Not questioning your response, I just don’t see it.

The Gpg4win exe installer is signed with the following code signing certificate (since 2022):

  S/N: 4F7382A39E57A34E167CF912

Issuer: CN=GlobalSign GCC R45 CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE
Subject: 1.2.840.113549.1.9.1=#636F646540673130636F64652E636F6D,CN=g10 Code GmbH,O=g10 Code GmbH,L=Erkrath,ST=Nordrhein-Westfalen,C=DE
sha2_fpr: DF:B5:9B:70:5C:47:9E:4E:FF:34:AD:BF:F9:B8:DC:AF:5F:74:D3:F6:58:91:F3:8C:D1:B1:0D:C8:D3:F1:42:20
sha1_fpr: B2:85:2D:44:90:F6:55:EB:EA:DF:9F:FD:8D:09:2E:81:54:45:00:77
certid: 6E9CA841CF00ABF4F8929210FF478C9CAB578518.4F7382A39E57A34E167CF912
keygrip: A340DB2D0B82943E8AFD854C6366D5953014D583
notBefore: 2022-04-08 08:26:24
notAfter: 2025-07-02 12:12:13

And yes, I’m using the wiki page, but the publisher match and file size are the only things that match. The rest is challenging to interpret for me. So I’m now checking the sha256 checksums and I expect them to match this, no?
DF:B5:9B:70:5C:47:9E:4E:FF:34:AD:BF:F9:B8:DC:AF:5F:74:D3:F6:58:91:F3:8C:D1:B1:0D:C8:D3:F1:42:20

Thank you.

To find the correct SHA256 checksum you have to scroll down a bit on the same page:

When you want to check the certificate please see if this guide in the wiki (it’s a different page than the one I linked above) can help you.

If you need more help please don’t hesitate to ask because then we can try to improve the wiki :slight_smile:

Got it, yes thank you. And you are right they do match, both sha1 and sha256.

Just a quick question though. Why doesn’t most of my certificate match the one I expect from the integrity page? Or perhaps the info needs to be presented in a way that would align with the cert? (For true noobs at this, we mostly panic when things don’t look exactly like we expect.)

My cert has some things that match but I’d expect more if this was the certificate since 2002? on the package-integrity page.

Just wondering and attempting to learn. Thank you so much for your help.

Just a quick question though. why doesn’t most of my certificate match the one I expect from the integrity page?

I think there is very much that does fit :wink:

Right now I don’t have a Screenshot from the middle part of the details dialog so I can’t check if there are more matches.

What is more important: If you checked one checksum, e.g. SHA256, and even saw that the certificate is from g10code (which is the company behind Gpg4win), you are already on the safe side :slight_smile: You don’t have to check every little detail.

There are little differences, though, e.g. the colons in the checksums and using upper- or lowercase characters in hexadecimal numbers.

The reason behind this is that many people exposed to checksums know that the colons and sometimes spaces are just formatting, they do not change the number itself.

And as we do not know how the certificate is presented, we do not present it in exactly the same way. So potentially we could improve the wiki with a basic page: how to compare checksums and long numbers in general?
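
The comparison discussed in this thread, as an added example that is not part of any post above and not Gpg4win's own tooling: it hashes a file, strips the colon/space/case formatting before comparing, and shows that the installer's SHA256 and the certificate's sha2_fpr are different 256-bit values because they are hashes of different objects. The function names and the sample file are assumptions made for the illustration; the two hex strings are the ones quoted in the thread.

```python
import hashlib
import hmac
import os
import string
import tempfile

# Values quoted in the thread: the poster's installer hash and the
# certificate fingerprint (sha2_fpr) from the package-integrity page.
FILE_SHA256 = "829b5c8eb913fa383abdd4cf129a42e0f72d4e9924b2610134f593851f0ab119"
CERT_SHA2_FPR = ("DF:B5:9B:70:5C:47:9E:4E:FF:34:AD:BF:F9:B8:DC:AF:"
                 "5F:74:D3:F6:58:91:F3:8C:D1:B1:0D:C8:D3:F1:42:20")

def normalize_digest(text):
    """Drop colons, dashes and whitespace and lowercase the rest."""
    cleaned = "".join(c for c in text if c not in ":- \t\r\n").lower()
    if not cleaned or any(c not in string.hexdigits for c in cleaned):
        raise ValueError("not a hex digest: %r" % text)
    return cleaned

def same_digest(a, b):
    """True when both strings encode the same number, whatever the formatting."""
    return hmac.compare_digest(normalize_digest(a), normalize_digest(b))

def sha256_of_file(path):
    """SHA-256 of the file contents, read in chunks so large installers are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_file(path, published):
    """Compare a file's SHA-256 with a published checksum in any formatting."""
    return same_digest(sha256_of_file(path), published)

def demo():
    # Constructed sample file standing in for a downloaded installer.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample installer bytes\n")
        path = f.name
    try:
        digest = sha256_of_file(path)
        # The same digest written the way a certificate dialog shows it.
        shown = ":".join(digest[i:i + 2] for i in range(0, 64, 2)).upper()
        return verify_file(path, shown), same_digest(FILE_SHA256, CERT_SHA2_FPR)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(demo())
```

The file checksum is compared against the "SHA256 checksums" list on the page, while the sha2_fpr value is compared against the fingerprint shown in the signature's certificate details.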