On Friday, 17 October 2025 12:32:51 Central European Summer Time Werner Koch via Gnupg-users wrote:
> On Fri, 17 Oct 2025 09:19, have--- said:
> > I reported a real-world cert validation error on a Microsoft platform,
> > of Gpg4win 5 beta. The latest gpg4win-beta package (369) was
> > published 2025-09-05, two months after cert expiry — thus, **the
>
> Nope. Your system is not up to date or something else is wrong at your
> site. Here is the result on a freshly installed Windows 11 box:
In their original message the OP mentions that the latest gpg4win code signing certificate published at https://gpg4win.org/package-integrity.html has expired. That's correct. Werner should update the list of gpg4win code signing certificates on that page.

What's incorrect is the OP's claim that the *current* gpg4win code signing certificate has expired. Werner has demonstrated that the latest Gpg4win beta release has been signed with a new valid code signing certificate. Obviously, the OP didn't check the code signing certificate that was used to sign the Gpg4win 5.0.0-beta369 release, but they blindly believed that https://gpg4win.org/package-integrity.html wasn't outdated and that Werner somehow managed to use an expired certificate for an Authenticode signature. I'm hard-pressed to believe that using an expired certificate for creating an Authenticode signature is even possible.

By the way, one doesn't need Microsoft's OS for checking the signature. Using Linux it's pretty simple to check the certificate that was used. First we extract the signature:

```
$ osslsigncode extract-signature -pem -in gpg4win-5.0.0-beta369.exe \
    -out gpg4win-5.0.0-beta369.exe.pem
PE checksum   : 028F186B
Succeeded
```

And then we use openssl to list the certificates:

```
$ openssl pkcs7 -in gpg4win-5.0.0-beta369.exe.pem -print_certs -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            27:1d:f9:34:50:4f:8e:38:3b:33:bc:e5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R45 CodeSigning CA 2020
        Validity
            Not Before: Jun  5 12:43:59 2025 GMT
            Not After : Jun  5 12:43:59 2028 GMT
        Subject: C=DE, ST=Nordrhein-Westfalen, L=Erkrath, O=g10 Code GmbH, CN=g10 Code GmbH/[email protected]
[...]
```

If I had bothered to track down and download the root CA certificate I could have even verified the signature with osslsigncode. I leave this as an exercise for Mr. have.
Maybe this will teach them not to make false claims about expired signatures while at the same time telling everybody that they should "use PQC *yesterday*".

Regards,
Ingo
_______________________________________________ Gnupg-users mailing list [email protected] https://lists.gnupg.org/mailman/listinfo/gnupg-users
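As an added example (not part of Ingo's mail or of the Gpg4win project), the following POSIX shell script automates the check described above: it extracts the PKCS#7 SignedData from a PE file with osslsigncode, splits it into the individual X.509 certificates with openssl, prints each one's subject and validity window, and flags any certificate that has expired or is about to expire. The file names, the helper names and the 48-hour expiry margin are assumptions; only osslsigncode and openssl are real tools, used with their documented options.

```shell
#!/bin/sh
# Added example (not from the original mail): inspect the certificates inside
# an Authenticode signature and check their validity windows.
# Assumptions: osslsigncode and openssl are on PATH; file names are examples;
# MARGIN defaults to 48 hours (172800 s).
set -eu

# Step 1 (needs osslsigncode): pull the PKCS#7 SignedData out of a PE file as PEM.
extract_pkcs7() {
    pe="$1"; out="$2"
    osslsigncode extract-signature -pem -in "$pe" -out "$out" >/dev/null
}

# Step 2: split a PEM PKCS#7 into one certificate per file ($outdir/cert-N.pem)
# and print how many certificates were found. openssl pkcs7 -print_certs emits
# subject/issuer lines followed by each certificate's PEM block.
split_certs() {
    p7="$1"; outdir="$2"
    mkdir -p "$outdir"
    openssl pkcs7 -in "$p7" -print_certs |
    awk -v d="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", d, n) }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }'
    ls "$outdir"/cert-*.pem | wc -l | tr -d ' '
}

# Print subject and notBefore/notAfter of one certificate.
cert_window() {
    openssl x509 -in "$1" -noout -subject -dates
}

# Exit 0 if the certificate is still valid MARGIN seconds from now, 1 otherwise
# (openssl x509 -checkend returns 1 when the cert has expired or will expire
# within MARGIN seconds).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Step 3: check every certificate in the extracted signature. Returns 1 if any
# certificate has expired or expires within MARGIN seconds, 0 otherwise.
check_signature_certs() {
    p7="$1"; margin="${2:-172800}"
    tmp=$(mktemp -d)
    split_certs "$p7" "$tmp" >/dev/null
    rc=0
    for c in "$tmp"/cert-*.pem; do
        cert_window "$c"
        if cert_valid_for "$c" "$margin"; then
            echo "  OK: valid for at least $margin more seconds"
        else
            echo "  WARNING: expired or expiring within $margin seconds"
            rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# Usage: ./check-authenticode.sh gpg4win-5.0.0-beta369.exe
if [ -n "${1:-}" ]; then
    extract_pkcs7 "$1" "$1.pem"
    check_signature_certs "$1.pem"
fi
```

Two caveats a practitioner should keep in mind. First, this checks only validity windows, not the signature itself; a full Authenticode verification still needs osslsigncode verify with the CA chain, as Ingo notes. Second, a signer certificate that has since expired does not by itself invalidate an older installer: an Authenticode signature that carries a trusted timestamp countersignature remains valid after the signing certificate's NotAfter, so what matters is whether the certificate was valid at signing time, which is why the check above prints the whole window rather than just the expiry date.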
