Verified ‘gpg4win-4.4.1.exe’ with ‘gpg4win-4.4.1.exe.sig’: The data could not be verified.
Signature created on Wednesday, 21 May 2025 17.44.44
With unavailable certificate:
ID: 0x6DAA6E64A76D2840571B4902528897B826403ADA
You can search the certificate on a keyserver or import it from a file.
Yes, the certificate is currently expired, but at the time of the signature, it was not.
So the verification still passes:
$ gpg --verify gpg4win-4.4.1.exe.sig
gpg: assuming signed data in 'gpg4win-4.4.1.exe'
gpg: Signature made Wed 21 May 2025 17:44:44 CEST
gpg: using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: please do a --check-trustdb
gpg: Good signature from "Werner Koch (dist signing 2020)" [unknown]
Before the verification can proceed you need to verify the authenticity of the signing key and then certify it with your own key to inform gpg that you trust that the key really is the dist signing key. The verification is the most important part, anybody can attach any name to a key they generate. A signature by a random person on the internet is worthless.
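One way to do that key-authenticity check outside the GUI, as an added example that is not part of this thread and not GnuPG or Gpg4win code: a small Python script that pins the fingerprint quoted above, reads the fingerprint back from `gpg --with-colons` output after an import, and evaluates the machine-readable `gpg --status-fd` lines so that a good signature from the pinned key is accepted even while gpg still reports the key at "unknown" trust (the `[unknown]` in the transcript above). The status and colon-format lines embedded in the script are constructed samples modelled on the page's output, not real gpg transcripts; only the fingerprint is the one from the page. The `verify_with_gpg` helper runs the real binary if one is installed and is an assumption about where `gpg` is on your PATH.

```python
"""Pin the dist-signing fingerprint and judge gpg's machine-readable output.

Added example, not GnuPG/Gpg4win code. Sample gpg output below is constructed
to resemble the page's transcript; only the fingerprint itself is real.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Fingerprint quoted on the page for "Werner Koch (dist signing 2020)".
# Get this value from an out-of-band source (the GnuPG homepage, a printed
# fingerprint), never from the download itself or a keyserver search result.
PINNED_FPR = "6DAA6E64A76D2840571B4902528897B826403ADA"


def normalize_fpr(text: str) -> str:
    """Strip '0x' and whitespace, upper-case; reject anything but 40 hex digits
    so a typo or a short key ID can never 'match' by accident."""
    s = text.strip()
    if s[:2].lower() == "0x":
        s = s[2:]
    s = re.sub(r"\s+", "", s).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError(f"not a 40-hex-digit fingerprint: {text!r}")
    return s


def fingerprints_from_colons(colons_output: str) -> List[str]:
    """Every fingerprint ('fpr' record, field 10) in --with-colons output."""
    result = []
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            result.append(fields[9])
    return result


def pub_validity(colons_output: str) -> Optional[str]:
    """Validity letter (field 2) of the first 'pub' record; 'e' means expired."""
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            return fields[1]
    return None


@dataclass
class Verdict:
    accepted: bool
    reason: str
    signer_fpr: Optional[str] = None
    key_expired: bool = False
    trust: str = "TRUST_UNDEFINED"


def evaluate_status(status_output: str, pinned_fpr: str) -> Verdict:
    """Accept only a GOODSIG/EXPKEYSIG result whose VALIDSIG fingerprint (signing
    key or its primary key) equals the pin. The TRUST_* line is recorded but not
    required: the pinned fingerprint replaces the web-of-trust check."""
    pinned = normalize_fpr(pinned_fpr)
    good = bad = expired = False
    signer: Optional[str] = None
    candidates: List[str] = []
    trust = "TRUST_UNDEFINED"
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        token = parts[1]
        if token == "GOODSIG":
            good = True
        elif token == "EXPKEYSIG":  # good signature, but the key has since expired
            good, expired = True, True
        elif token in ("BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPSIG"):
            bad = True
        elif token == "VALIDSIG" and len(parts) >= 3:
            # VALIDSIG <fpr> <date> <ts> <exp> <ver> <res> <pkalgo> <hash> <class> [<primary-fpr>]
            signer = parts[2]
            candidates = [parts[2]] + ([parts[11]] if len(parts) >= 12 else [])
        elif token.startswith("TRUST_"):
            trust = token
    if bad or not good or signer is None:
        return Verdict(False, "no good signature (bad, key missing, or revoked)", signer, expired, trust)
    if pinned not in {normalize_fpr(c) for c in candidates}:
        return Verdict(False, "good signature, but not from the pinned key", signer, expired, trust)
    note = " (key has since expired)" if expired else ""
    return Verdict(True, "good signature from the pinned key" + note, signer, expired, trust)


def verify_with_gpg(sig_path: str, data_path: str, pinned_fpr: str = PINNED_FPR) -> Verdict:
    """Run a real gpg (assumed on PATH) and feed its status lines to evaluate_status()."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return evaluate_status(proc.stdout, pinned_fpr)


# Constructed samples resembling the page's verification (dates/timestamps made up).
SAMPLE_STATUS_OK = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 528897B826403ADA Werner Koch (dist signing 2020)
[GNUPG:] VALIDSIG 6DAA6E64A76D2840571B4902528897B826403ADA 2025-05-21 1747842284 0 4 0 22 8 00 6DAA6E64A76D2840571B4902528897B826403ADA
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 528897B826403ADA Werner Koch (dist signing 2020)
"""
SAMPLE_COLONS = """\
pub:e:255:22:528897B826403ADA:1577836800:1748000000::-:::scESC::::::23::0:
fpr:::::::::6DAA6E64A76D2840571B4902528897B826403ADA:
uid:e::::1577836800::0000000000000000000000000000000000000000::Werner Koch (dist signing 2020)::::::::::0:
"""

if __name__ == "__main__":
    print(pub_validity(SAMPLE_COLONS), fingerprints_from_colons(SAMPLE_COLONS))
    print(evaluate_status(SAMPLE_STATUS_OK, PINNED_FPR))
    print(evaluate_status(SAMPLE_STATUS_BAD, PINNED_FPR))
```

The design point is that an expired key is still a valid signer for a signature made before the expiry, and that a `TRUST_UNDEFINED` line only means gpg has no certification path to the key; once you have compared the fingerprint against an out-of-band source, that comparison is the trust decision, and the script makes it explicit instead of leaving it to the `[unknown]` bracket.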
So how do I verify the authenticity of the signing key in the gui? Everything I’ve tried has failed, but I guess in the scheme of things, trying to verify something that 99.999% is legit might not be worth it.
This always depends on the use case, or your threat model. You must decide what level of trust is good enough for you. FWIW, you can find the signing keys on the GnuPG homepage. Unless you believe that site was compromised to begin with, that should probably give you good enough confidence that what you have downloaded was actually compiled and packaged by the official vendor.