Actions

Template

Download and Verify GPG4win in Windows

From Whonix

Import the Intevation CA Certificate[edit]

Intevation, the company that hosts GnuPG does not maintain a secure TLS [archive] site for gpg4win.[1] To mitigate the threat from attackers using a man-in-the-middle attack to provide users with a forged version of GnuPG. Intevation offers a self-signed certificate which is again, secured by a certificate signed by GeoTrust [archive]. This certificate can be easily downloaded and imported.

Before placing Trust in CA certificates understand the risks associated with the Fallible Certificate Authority Model.

Download the Intevation CA certificate.

Figure: Download SDK Installer

Get windows sdk installer.png

Next, import the certificate.

  • Right-click Intevation-Root-CA-2016 fileInstall CertificateRight-click Open"check" Local MachineRight-click Next"check" Automatically select the certificate store based on the type of certificateRight-click NextRight-click Finish.

When successful the Certificate Import Wizard will show "The import was successful". Click "OK" to exit.

Install SignTools[edit]

The following instructions install SignTool in Windows 10 (stable release). For earlier Windows releases (Windows XP, Vista, 7 and 8) users can install SignTool by substituting the corresponding SDK Installer found in the Windows SDK archives [archive] for the Windows 10 SDK installer in the below instructions.

SignTools [archive] is a Windows command-line tool that uses Authenticode [archive] to digitally sign files and verify both signatures in files and time stamp files. SignTool is available as part of Mirosoft Windows SDK [archive], which can be can be installed in just a few easy steps. Once installed it can be used to verify the gpg4win package before installation.

Browse to https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk [archive]

  • Right-click Downloading The InstallerRight-click SaveRight-click Run.

When the the installer finishes loading.

  • Right-click Continuechoose PATHC:\Users\<user_name>\Downloads\Windows Kits\<windows_version>\WindowsSKDRight-click Next.

Figure: Choose SDK installation path

Sdk installer specify download path.png

The Windows SDK installer provides a number of different packages that can be installed. The only package needed for gpg4win verification is Windows SDK Signing Tools for Desktop Apps (SignTools). Be mindful that earlier SDK version packages may be named differently from later SDK versions. For example, the package that contains SignTool in SDK for Windows 8.1 is named Windows Software Developmental Kit. This differs from the corresponding package in Windows 10.

Figure: Select SignTools package

Select sdk features for download.png

Once the box to the corresponding package is "checked", right-click Download. Once installation is complete the installer can be closed.

Figure: SDK download complete

Sdk installer download complete.png

Download and Verify GPG4win[edit]

The Intevation self-signed certificate will allow gpg4win to be securely downloaded and SignTool can then be used to verify the authenticity of the gpg4win package itself.

Note: To simplify the SignTool verification process be sure to download gpg4win package to the Downloads directory.

1. Download the gpg4win package by first browsing to https://files.gpg4win.org [archive]

Next, scroll down and download the latest version of gpg4win and the corresponding signature. At the time of writing (Jan 12 2020) gpg4win-3.1.11.exe was the latest version. Since the Intevation CA certificate has been imported no errors should be encountered when the gpg4win package is downloaded.

2. The gpg4win package can be verified by running SignTool from the command prompt.

To open a command prompt, in the Windows Start Menu, run.

cmd.exe

Next, from the command prompt, change to the Downloads directory.

cd C:\Users\<your_user_name>\Downloads

Then verify the gpg4win package using SignTool.

signtool verify /pa gpg4win-3-1.11.exe

The following output shows a successful gpg4win verification.

Figure: Successful verification

Signtool verify gpg4win success.png


If verification fails delete the gpg4win package and repeat the download and verification process again.

  1. See: Getting a GnuPG version for Windows in a secure way: https://lists.torproject.org/pipermail/tor-talk/2013-August/029256.html [archive]