gpg4win expired code signing cert; please renew.
have at anonymous.sex
have at anonymous.sex
Wed Oct 15 22:53:55 CEST 2025
The current gpg4win code signing certificate[0] is notAfter: 2025-07-02
12:12:13. I wish to alert the gpg4win developers so they can renew it,
and release gpg4win 5 (and other) packages signed with the new cert. My
apologies if this is not an appropriate list; gpg4win-users-en and
gpg4win-devel both seem dead.
Please note, I absolutely never use Microsoft anything, I do not use
gpg4win, and I cannot check this myself. I am remotely/anonymously
urging a GnuPG newbie to install gpg4win 5 beta[1] with post-quantum
encryption; everyone should use PQC *yesterday*.[2] Since the user does
not yet have a bootstrap gpg, they cannot verify the PGP signature from
Werner Koch’s dist signing key. The user wisely tried to verify package
integrity with Microsoft code signing, and asked me what the expired
cert error meant instead of ignoring it.
Good user! Do not ignore certificate validation errors! Complain
loudly!
Always,
have at anonymous.sex
[0] https://gpg4win.org/package-integrity.html
[1] https://gpg4win.org/version5.html
[2] https://lists.gnupg.org/pipermail/gnupg-users/2025-January/067441.html
--
A makeshift way to distribute my current PQ-PGP (LibrePGP v5) key:
https://lists.gnupg.org/pipermail/gnupg-users/attachments/20250107/4732a382/attachment.key
Fingerprint:
01A6D81EEAD7EEEC393DEC1401F4894C154E1B8EE32E9059CA5566792A836823
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 297 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20251015/0a0446cd/attachment.sig>
More information about the Gnupg-users
mailing list