First, many apologies if this is off-topic - I don’t seem to be able to get to file a bug as my GitHub account won’t talk to something called “Phabricator”… and I’m not even certain to what extent the Gpg4win project is associated with GnuPG, though their bug report form redirects here.
I’m guessing this is minor and “bookkeeping” but I’ve just pulled down the latest/new Gpg4win installer from Gpg4win.org, and the certificate it’s signed with is expired. In particular, the g10 Code GmbH s/n 4f7382a39e57a34e167cf912 expired on 02Jul25; that cert is listed on the Gpg4win - Check Integrity page but not as being “current”.
Happy to do whatever is necessary to report this properly, but as I don’t have much to do with the project (I’m a GPGTools user primarily), it wasn’t clear where I should focus my efforts.
The certificate was valid at the time of issuance and has been extended/renewed since then. But the previous release just hasn’t been re-signed with the renewed key as that “would require to entirely unpack everything, resign the binaries, create a new installer and sign that new installer. That is a different software then and requires a new version.” (Source)
There was a lengthy discussion of this on the mailing list back in October: gpg4win expired code signing cert; please renew. (The thread is so long because it also started lots of off-topic discussions).