gpg4win Download verification

anon68608758 · February 18, 2016, 6:15am

I have downloaded gpg4win-2.3.0 from the official website and tried to verify the signature (after downloading the signature as well, file ending with .exe.sig) - I am getting the following output. Is this valid? or some problem with the download.

gpg --verify gpg4win-2.3.0.exe.sig gpg4win-2.3.0.exe
gpg: Signature made 11/24/15 13:06:13 Central Standard Time using DSA key ID EC70B1B8
gpg: Good signature from “Intevation File Distribution Key distribution-key@intevation.de” unknown
gpg: WARNING: This key is not certified with a trusted signature!
There is no indication that the signature belongs to the owner.
Primary key fingerprint: 61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8

I checked the past fingerprints as listed on https://www.gnupg.org/signature_key.html - but didn’t found the one above.

My installed version is gpg 2.0.27 <Gpg4win 2.2.4)
libgcrypt 1.6.3…
OS: Windows 7 Home SP1

Thanks,

anon63938304 · February 18, 2016, 7:17pm

If this is the first time you are dealing with that signature, it is asking if you trust it. Answer yes if you do. Then it will be a trusted signature and in the future it won’t ask you about that one again.

anon68608758 · February 19, 2016, 3:27am

Curious though as to why the Fingerprint not matching with all versions published so far.

bernhard · February 19, 2016, 7:37am

Hi Tap, Hi Greg!

The Gpg4win installer is finally compiled and signed by Intevation
and not by Werner’s g10code. This is why https://www.gnupg.org/signature_key.html
does not have Intevation’s OpenPGP certificate.

One way to verify it (a bit) is using https://ssl.intevation.de
Another is to use the web of trust.

Best,
Bernhard

anon68608758 · February 19, 2016, 12:52pm

Thanks to both of you for helping.