Intevation, the company that hosts GnuPG, does not maintain a secure TLS [archive] site for gpg4win. To mitigate the threat of an attacker using a man-in-the-middle attack to serve users a forged version of GnuPG, Intevation offers a self-signed certificate which is in turn secured by a certificate signed by GeoTrust [archive]. This certificate can be easily downloaded and imported.
Before placing trust in CA certificates, understand the risks associated with the Fallible Certificate Authority Model.
Download the Intevation CA certificate.
Figure: Download SDK Installer
Next, import the certificate.
Right-click Intevation-Root-CA-2016 file →
Install Certificate →
Right-click Open →
"check" Local Machine →
Right-click Next →
"check" Automatically select the certificate store based on the type of certificate →
Right-click Next →
When successful the Certificate Import Wizard will show "The import was successful". Click "OK" to exit.
The following instructions install SignTool in Windows 10 (stable release). For earlier Windows releases (Windows XP, Vista, 7 and 8) users can install SignTool by substituting the corresponding SDK Installer found in the Windows SDK archives [archive] for the Windows 10 SDK installer in the below instructions.
SignTool [archive] is a Windows command-line tool that uses Authenticode [archive] to digitally sign files, verify signatures in files, and time stamp files. SignTool is available as part of the Microsoft Windows SDK [archive], which can be installed in just a few easy steps. Once installed it can be used to verify the gpg4win package before installation.
Browse to https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk [archive]
Right-click Downloading The Installer →
Right-click Save →
When the installer finishes loading.
Right-click Continue →
choose PATH →
C:\Users\<user_name>\Downloads\Windows Kits\<windows_version>\WindowsSDK →
Figure: Choose SDK installation path
The Windows SDK installer provides a number of different packages that can be installed. The only package needed for gpg4win verification is Windows SDK Signing Tools for Desktop Apps (SignTools). Be mindful that earlier SDK version packages may be named differently from later SDK versions. For example, the package that contains SignTool in the SDK for Windows 8.1 is named Windows Software Development Kit. This differs from the corresponding package in Windows 10.
Figure: Select SignTools package
Once the box to the corresponding package is "checked", right-click Download. Once installation is complete the installer can be closed.
Figure: SDK download complete
The Intevation self-signed certificate will allow gpg4win to be securely downloaded, and SignTool can then be used to verify the authenticity of the gpg4win package itself.
Note: To simplify the SignTool verification process, be sure to download the gpg4win package to the Downloads directory.
1. Download the gpg4win package by first browsing to https://files.gpg4win.org [archive]. Next, scroll down and download the latest version of gpg4win and the corresponding signature. At the time of writing (Jan 12 2020) gpg4win-3.1.11.exe was the latest version. Since the Intevation CA certificate has been imported, no errors should be encountered when the gpg4win package is downloaded.
The gpg4win package can be verified by running SignTool from the command prompt.
To open a command prompt, in the Windows Start Menu, run.
Next, from the command prompt, change to the Downloads directory.
Then verify the gpg4win package using SignTool.
signtool verify /pa gpg4win-3.1.11.exe
The following output shows a successful verification.
Figure: Successful verification
If verification fails, delete the gpg4win package and repeat the download and verification process again.
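The same import-then-verify procedure can be scripted so that the CA certificate is pinned to a fingerprint checked out of band before it is trusted, and so that the installer's signer is inspected rather than only the "succeeded" line. This is an added example and not code from the original page or from Intevation; the CA file name, the expected thumbprint and the signer name pattern are placeholders and assumptions.

```powershell
# Added example (not from the original page): pin the downloaded Intevation CA
# certificate to a thumbprint verified out of band before importing it, then
# verify the gpg4win installer's Authenticode signature and report the signer.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$CaCertPath        = "$env:USERPROFILE\Downloads\Intevation-Root-CA-2016.crt"  # assumed file name
$ExpectedCaThumb   = 'REPLACE_WITH_OUT_OF_BAND_VERIFIED_THUMBPRINT'          # placeholder
$InstallerPath     = "$env:USERPROFILE\Downloads\gpg4win-3.1.11.exe"
$ExpectedSignerPat = 'Intevation'                                             # assumption

# 1. Pin the CA: refuse to import a certificate whose SHA-1 thumbprint does not
#    match the value obtained through a channel other than the download itself.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
if ($ca.Thumbprint -ne $ExpectedCaThumb) {
    throw "CA thumbprint mismatch: got $($ca.Thumbprint); not importing."
}
# Same store the wizard's "Local Machine" + automatic placement uses for a root CA.
Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 2. Verify the installer's Authenticode signature (what 'signtool verify /pa' checks).
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status '$($sig.Status)': $($sig.StatusMessage)"
}
# A valid chain is not enough; confirm the package was signed by the expected party.
if ($sig.SignerCertificate.Subject -notmatch $ExpectedSignerPat) {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}
"Signer     : $($sig.SignerCertificate.Subject)"
"Thumbprint : $($sig.SignerCertificate.Thumbprint)"
"Valid      : $($sig.SignerCertificate.NotBefore) to $($sig.SignerCertificate.NotAfter)"

# 3. Optional cross-check with the SDK tool installed above; /v prints the chain.
if (Get-Command signtool.exe -ErrorAction SilentlyContinue) {
    & signtool.exe verify /pa /v $InstallerPath
}
```

If either check throws, treat the download as untrusted and delete and re-download the package as the page describes, rather than lowering the check.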