The executables for gpg4win are signed and we’re encouraged to verify them. But they’re not signed with the gnugpg.net or any of the other listed services (according to the download page), but with the private company globalsigning. So how do we set up to use a private company like GS? I searched their site, but all they wanted to do was sell certificates, not tell me where to find them, look them up, or what the key server address was.
Never mind. As is so often the case, after hours of research, I realize my mistake only AFTER posting a question. I was mistaking the code certificates (for installations) for the verification certificates.
Hi Mark,
thanks for trying Gpg4win.
Sorry to hear that it took you a long time to find a solution for your mistake.
What was the point where you were missing information?
Maybe we can improve it?
It’s just my opinion, but finding the certificate was somewhat opaque, while finding the code certificate was relatively easy. The download page has a link to the signature file right next to the download button, but there’s nothing on the page with the certificate. You have to read the page closely to find the little link with the word “verify” on it.
Then, when you click through, you come to a page with 4 titles in big bold headings. My eye swept down and came to the one with “Certificate” in its title. Since I never think of code certificates, it didn’t occur to me that it was referring to the CODE certificate which was different from the OpenPGP certificate. At least not immediately.
The actual certificate was mentioned further up the page in smaller font after the PGP signature listing (which I skipped because I had already found the signature file on the download page.)
So, basically, it would have helped if the openPGP certificate was linked right next to where the signature file was linked on the download page OR if there was a section on the “verify” page with a bold heading for the openPGP certificate.
But this is just my opinion. I don’t verify signatures that often. Maybe others that do the drill all the time wouldn’t have been confused.