On Fri, 17 Oct 2025 09:33:38 +0200, Werner Koch <[email protected]> wrote:
> Further: Authenticode signatures have a timestamp and thus you have
> assurance when they were issued.
>
> Gpg4win 5.0 is not too far away.
I don’t know if it was clear amidst other discussions on this thread: I reported a real-world cert validation error on a Microsoft platform, of Gpg4win 5 beta. The latest gpg4win-beta package (369) was published 2025-09-05, two months after cert expiry — thus, **the Authenticode timestamp does not help.** Prior discussion of the Authenticode timestamp, which I hope was not misplaced in topic drift:
https://lists.gnupg.org/pipermail/gnupg-users/2025-October/067899.html
(I messed up my PGP authentication on the metadata of that post, whoops! msg sig ok. Did anyone notice?)
IMO, a bad Authenticode signature which *actually* fails validation with error on Microsoft OS is a bug in beta-369. Well, beta means to shake out bugs! I respectfully suggest these fixes:
1. A gpg4win-5-beta version bump, with a valid Authenticode sig on new binary packages (and any other recent beta bugfixes).
2. Review gpg4win release engineering procedure to add guardrail check for invalid Authenticode sig. To protect non-beta releases, too, automated regression test should catch the *bad signature* that causes Microsoft platform error on (AFAIK) the gpg4win-5.0.0-beta369.exe binary. Security software should not have any security failures of software supply chain integrity checks.
I’m sorry, I cannot contribute any patch. I can’t even check the Authenticode sig myself. I don’t have any Authenticode stuff on my machine. I do not use Gpg4win! A Microsoft user told me of in-the-wild failure on a Microsoft platform; I pieced together the rest of the puzzle.
I myself can easily verify your PGP dist sig. But this does not help the PGP-newbie Microsoft user, with whom I am communicating remotely/anonymously from my never-Microsoft platform. My machine says:
impurify@sex:~/dl/gpg4win$ gpg --verify gpg4win-5.0.0-beta369.exe.sig gpg4win-5.0.0-beta369.exe
gpg: Signature made Fri Sep 5 12:08:09 2025 UTC
gpg: using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: Good signature from "Werner Koch (dist signing 2020)"
Primary key fingerprint: 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
(I will try to hold topic-drift replies in abeyance until this primary issue is adequately addressed.)
Always, [email protected]
-- 
A makeshift way to distribute my current PQ-PGP key:
https://lists.gnupg.org/pipermail/gnupg-users/attachments/20250107/4732a382/attachment.key
01A6D81EEAD7EEEC393DEC1401F4894C154E1B8EE32E9059CA5566792A836823
_______________________________________________
Gnupg-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-users
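The release-engineering guardrail proposed in point 2 of the post, as an added example that is not code from the thread or from the Gpg4win project. It runs on a Windows host with PowerShell, asks Windows for its own verdict on the Authenticode signature via Get-AuthenticodeSignature, and separately flags the failure mode the post describes: a signer certificate that is already expired, where a timestamp only helps if the signing happened before expiry. The function name, parameter names, the release directory path and the expected-signer pattern are assumptions, not Gpg4win values.

```powershell
# Added example (not from the thread or the Gpg4win project): a release gate that
# refuses to publish a Windows package whose Authenticode signature Windows itself
# will reject. Function/parameter names, paths and the signer pattern are hypothetical.

function Test-ReleaseAuthenticode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Regex the signer certificate Subject must match (placeholder; set to the
        # real release signing identity in an actual pipeline).
        [Parameter(Mandatory)] [string] $ExpectedSignerPattern
    )

    $problems = @()
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. Windows' verdict. Anything but 'Valid' is what an end user sees as an
    #    installer error (NotSigned, HashMismatch, NotTrusted, UnknownError, ...).
    if ($sig.Status -ne 'Valid') {
        $problems += "Status is '$($sig.Status)': $($sig.StatusMessage)"
    }

    if ($null -eq $sig.SignerCertificate) {
        $problems += 'No signer certificate present (file is unsigned).'
    } else {
        $cert = $sig.SignerCertificate

        # 2. Expected signer: catches a build signed with a test or foreign key.
        if ($cert.Subject -notmatch $ExpectedSignerPattern) {
            $problems += "Unexpected signer subject: $($cert.Subject)"
        }

        # 3. Expired signer certificate. A countersignature (timestamp) lets a
        #    signature made BEFORE NotAfter stay valid; a signature made AFTER
        #    NotAfter is rejected regardless, and shows up in Status above.
        if ($cert.NotAfter -lt (Get-Date)) {
            if ($null -eq $sig.TimeStamperCertificate) {
                $problems += "Signer certificate expired $($cert.NotAfter.ToString('u')) and the signature is not timestamped."
            } elseif ($sig.Status -ne 'Valid') {
                $problems += "Signer certificate expired $($cert.NotAfter.ToString('u')); signature appears to have been made after expiry."
            }
        }
    }

    # 4. Require a timestamp so the signature outlives the certificate.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += 'Signature is not timestamped.'
    }

    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status
        Signer   = $sig.SignerCertificate.Subject
        NotAfter = $sig.SignerCertificate.NotAfter
        Passed   = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage in a release job: check every package in the staging directory and fail
# the job if any does not pass. Path and signer pattern are placeholders.
$results = Get-ChildItem 'C:\PLACEHOLDER\release-staging\*.exe' | ForEach-Object {
    Test-ReleaseAuthenticode -Path $_.FullName -ExpectedSignerPattern 'CN=PLACEHOLDER-SIGNER'
}
$results | Format-List
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

Because the gate relies on the operating system's own verification rather than on re-implementing Authenticode, it catches exactly the class of error reported in the post: a package that the signing step produced without complaint but that Windows rejects. As a second opinion in the same pipeline, `signtool verify /pa /v` applies the default Authenticode policy and prints the certificate chain and timestamp details, which is useful when the cmdlet reports only a generic status.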
