Virustotal does not show new release as signed.

I’ve recently downloaded the 5.0.2 release, but when checking on Virustotal (which I usually do), it shows the file as without signature:

Why is this? In previous releases the file does show as signed:

I have no idea. But the signature is (as always) a detached signature and can be found here:
https://files.gpg4win.org/gpg4win-5.0.2.exe.sig

In this case there should be a code signature as part of the .exe file.

The detached OpenPGPv4/LibrePGP signature is only an optional addition.

And there is! 🙂
Checked with Windows 10 and with osslsigncode (see below).

So this seems to be a defect of Virustotal.

Details

osslsigncode verify gpg4win-5.0.2.exe 
Current PE checksum   : 02A6EDF9
Calculated PE checksum: 02A6EDF9

Signature Index: 0  (Primary Signature)
Message digest algorithm  : SHA256
Current message digest    : CC93AB9AFB1C86A7B69F07FA1FBC03B5D10B6C940B458F33949CA91D6C374E02 
Calculated message digest : CC93AB9AFB1C86A7B69F07FA1FBC03B5D10B6C940B458F33949CA91D6C374E02 

Signer's certificate:
        Signer #0:
                Subject: /C=DE/ST=Nordrhein-Westfalen/L=Erkrath/O=g10 Code GmbH/CN=g10 Code GmbH/emailAddress=code@g10code.com
                Issuer : /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R45 CodeSigning CA 2020
                Serial : 271DF934504F8E383B33BCE5
                Certificate expiration date:
                        notBefore : Jun  5 12:43:59 2025 GMT
                        notAfter : Jun  5 12:43:59 2028 GMT

[..]

Authenticated attributes:
        Message digest algorithm: SHA256
        Message digest: C0AEA8428C06F38ADAAA3E9E5D940BAF97F86EF4366DBD35E0AB2057325FFF2D 
        Signing time: Mar 16 13:46:57 2026 GMT
        Microsoft Individual Code Signing purpose
        URL description: https://gnupg.org
        Text description: GnuPG

The signature is timestamped: Mar 16 13:46:58 2026 GMT
Hash Algorithm: sha256
[..]

I am getting this result:

$ osslsigncode verify gpg4win-5.0.2.exe
Current PE checksum   : 02A6EDF9
Calculated PE checksum: 02A6EDF9

Signature Index: 0  (Primary Signature)
Message digest algorithm  : SHA256
Current message digest    : CC93AB9AFB1C86A7B69F07FA1FBC03B5D10B6C940B458F33949CA91D6C374E02
Calculated message digest : CC93AB9AFB1C86A7B69F07FA1FBC03B5D10B6C940B458F33949CA91D6C374E02

Signer's certificate:
	Signer #0:
	        Subject: /C=DE/ST=Nordrhein-Westfalen/L=Erkrath/O=g10 Code GmbH/CN=g10 Code GmbH/emailAddress=code@g10code.com
	        Issuer : /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R45 CodeSigning CA 2020
	        Serial : 271DF934504F8E383B33BCE5
	        Certificate expiration date:
		                notBefore : Jun  5 12:43:59 2025 GMT
		                notAfter : Jun  5 12:43:59 2028 GMT

Number of certificates: 2
	Signer #0:
	        Subject: /C=DE/ST=Nordrhein-Westfalen/L=Erkrath/O=g10 Code GmbH/CN=g10 Code GmbH/emailAddress=code@g10code.com
	        Issuer : /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R45 CodeSigning CA 2020
	        Serial : 271DF934504F8E383B33BCE5
	        Certificate expiration date:
		                notBefore : Jun  5 12:43:59 2025 GMT
		                notAfter : Jun  5 12:43:59 2028 GMT
	------------------
	Signer #1:
	        Subject: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R45 CodeSigning CA 2020
	        Issuer : /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Code Signing Root R45
	        Serial : 77BD0E03A1B708F854AB067210D90447
	        Certificate expiration date:
		                notBefore : Jul 28 00:00:00 2020 GMT
		                notAfter : Jul 28 00:00:00 2030 GMT

Authenticated attributes:
	Message digest algorithm: SHA256
	Message digest: C0AEA8428C06F38ADAAA3E9E5D940BAF97F86EF4366DBD35E0AB2057325FFF2D
	Signing time: Mar 16 19:46:57 2026 GMT
	Microsoft Individual Code Signing purpose
	URL description: https://gnupg.org
	Text description: GnuPG

The signature is timestamped: Mar 16 19:46:58 2026 GMT
Hash Algorithm: sha256
Timestamp Verified by:
	        Issuer : /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Timestamping CA - SHA384 - G4
	        Serial : 010332E165BF9B7843E099759463770B

CAfile: /etc/ssl/certs/ca-certificates.crt
TSA's certificates file: /etc/ssl/certs/ca-certificates.crt
CRL distribution point: http://crl.globalsign.com/gsgccr45codesignca2020.crl
TSA's CRL distribution point: http://crl.globalsign.com/ca/gstsacasha384g4.crl

Timestamp Server Signature verification: ok
Signature verification time: Mar 16 19:46:58 2026 GMT

PKCS7_verify error
C045CCB6:error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:../crypto/pkcs7/pk7_smime.c:295:Verify error: unable to get local issuer certificate
Signature verification: failed

Number of verified signatures: 1
Failed

I wonder if that error that is seen in the end is causing an issue to Virustotal.

"unable to get local issuer certificate" sounds like your system is missing a certificate from GlobalSign to be able to verify the signature.

Did not take into account that this is an older device, 32 bits. Will try from another device.

@jgratero for the osslsigncode I’ve left out the missing certificate. It shows that the signature is there. And Microsoft Windows accepts it fully. (Go to the properties of the downloaded files. And look there).

Yes, a missing certificate can be a cause of trouble for Windows as well. The issuing chain for the Authenticode signature came with an update for Windows (a few years ago).

Still osslsigncode shows that the signature is there. 🙂
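As an added illustration (not part of any post in this thread, and not GnuPG or osslsigncode project code), the Python helper below sorts an `osslsigncode verify` report into the cases the thread distinguishes: an embedded signature whose digest matches but whose issuer chain the local CA file cannot complete, versus a digest mismatch or no signature block at all. The function names and result labels are hypothetical, and the sample report is abridged from the output quoted above.

```python
import re

# Abridged from the osslsigncode output quoted in the thread above.
SAMPLE = """\
Current PE checksum   : 02A6EDF9
Calculated PE checksum: 02A6EDF9
Signature Index: 0  (Primary Signature)
Current message digest    : CC93AB9AFB1C86A7B69F07FA1FBC03B5D10B6C940B458F33949CA91D6C374E02
Calculated message digest : CC93AB9AFB1C86A7B69F07FA1FBC03B5D10B6C940B458F33949CA91D6C374E02
Timestamp Server Signature verification: ok
PKCS7_verify error
C045CCB6:error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:../crypto/pkcs7/pk7_smime.c:295:Verify error: unable to get local issuer certificate
Signature verification: failed
"""


def _field(text, label):
    """Return the value of the first 'label : value' line, or None."""
    m = re.search(rf"^\s*{re.escape(label)}\s*:\s*(\S.*?)\s*$", text, re.M)
    return m.group(1) if m else None


def classify(text):
    """Classify one `osslsigncode verify` report (hypothetical helper)."""
    # Assumption: a report without a "Signature Index:" line lists no
    # embedded signature.
    if "Signature Index:" not in text:
        return "no-embedded-signature"
    cur = _field(text, "Current message digest")
    calc = _field(text, "Calculated message digest")
    if not cur or not calc or cur.upper() != calc.upper():
        return "digest-mismatch"  # file differs from what was signed
    # Anchor at line start: "Timestamp Server Signature verification: ok"
    # must not be mistaken for the result of the code signature itself.
    # The thread only shows the "failed" form; the "ok" form is assumed.
    if re.search(r"^Signature verification: ok\s*$", text, re.M):
        return "verified"
    err = re.search(r"Verify error:\s*(.+)", text)
    if err and "unable to get local issuer certificate" in err.group(1):
        # Signature is present and intact; the verifier's trust store
        # lacks a certificate needed to complete the issuer chain.
        return "signed-but-issuer-not-in-local-store"
    return "signed-but-unverified"


if __name__ == "__main__":
    print(classify(SAMPLE))
```
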