gpg4win expired code signing cert; please renew.

Jay Acuna mysidia at gmail.com
Thu Oct 16 03:00:25 CEST 2025


On Wed, Oct 15, 2025 at 4:41 PM have--- via Gnupg-users
<gnupg-users at gnupg.org> wrote:

> The current gpg4win code signing certificate[0] is notAfter: 2025-07-02
> 12:12:13.  I wish to alert the gpg4win developers so they can renew it,
> and release gpg4win 5 (and other) packages signed with the new cert.  My

Well they will need it when the time for their next release comes, obviously.

I don't suggest x509 PKI as the way to authenticate software, but it doesn't
have this problem. It's not important for running the older releases whether
the certificate is good to sign new releases or not.

A code signing certificate expiration affects their capability to sign new
binaries; existing ones that have already been signed are unaffected and still
verify perfectly good.
The certificate is not invalid. It has a validity period for signatures made
by it notAfter July 2, 2025. The key word is new signatures made by it. The
signing date of May 21, 2025 is within the validity period, so the certificate
is valid and good.
At least until 2034 when the timestamping root authority's certificate expires;
and possibly every signed binary ever becomes invalid.

The gpg4 certificate and its signature are valid and good, so long as the
signing timestamp authenticates as within the validity period of the
certificate, which it does. The signing certificate is still good and valid
for a signature made on "Wed May 21 10:43:55 2025"

      C:\temp>"\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" verify /pa /v gpg4win-4.4.1.exe

      Verifying: gpg4win-4.4.1.exe

      Signature Index: 0 (Primary Signature)
      Hash of file (sha256): D42C2645CB91037DF718534C6FDB918D4C5D7E9E114454DCFF524D1B815F6FCF

      Signing Certificate Chain:
          Issued to: GlobalSign
          Issued by: GlobalSign
          Expires:   Sun Mar 18 05:00:00 2029
          SHA1 hash: D69B561148F01C77C54578C10926DF5B856976AD

              Issued to: GlobalSign Code Signing Root R45
              Issued by: GlobalSign
              Expires:   Sat Mar 17 19:00:00 2029
              SHA1 hash: 4C5D80D2CD06B1A493C49B2E9BED4A57C2F873E5

                  Issued to: GlobalSign GCC R45 CodeSigning CA 2020
                  Issued by: GlobalSign Code Signing Root R45
                  Expires:   Sat Jul 27 19:00:00 2030
                  SHA1 hash: 7A2146EDB29E2EAD64AFBE7CEAD0B6085D437A32

                      Issued to: g10 Code GmbH
                      Issued by: GlobalSign GCC R45 CodeSigning CA 2020
                      Expires:   Wed Jul 02 07:12:13 2025
                      SHA1 hash: B2852D4490F655EBEADF9FFD8D092E8154450077

      The signature is timestamped: Wed May 21 10:43:55 2025
      Timestamp Verified by:
          Issued to: GlobalSign
          Issued by: GlobalSign
          Expires:   Sat Dec 09 19:00:00 2034
          SHA1 hash: 8094640EB5A7A1CA119C1FDDD59F810263A7FBD1

              Issued to: GlobalSign Timestamping CA - SHA384 - G4
              Issued by: GlobalSign
              Expires:   Sat Dec 09 19:00:00 2034
              SHA1 hash: F585500925786F88E721D235240A2452AE3D23F9

                  Issued to: Globalsign TSA for Advanced - G4
                  Issued by: GlobalSign Timestamping CA - SHA384 - G4
                  Expires:   Sat Dec 09 19:00:00 2034
                  SHA1 hash: B215CCA4001D61C60DDBFBF87F17BF2DD3383BF8


      Successfully verified: gpg4win-4.4.1.exe

      Number of files successfully Verified: 1
      Number of warnings: 0
      Number of errors: 0
      C:\temp>

--
-JA
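
The following is an added example, not part of the original message. It parses `signtool verify /pa /v` text like the output above and applies the same reasoning: compare the countersigned timestamp with the signer certificate's expiry, and report the earliest expiry in the timestamp chain. The sample text is abridged from the quoted output; the function names and result keys are this example's own, and it assumes every time in one report is printed in the same local zone.

```python
import re
from datetime import datetime

# Abridged from the signtool output quoted in the message (issuer, hash and top root lines dropped).
SAMPLE = """\
Signing Certificate Chain:
        Issued to: GlobalSign Code Signing Root R45
        Expires:   Sat Mar 17 19:00:00 2029
            Issued to: GlobalSign GCC R45 CodeSigning CA 2020
            Expires:   Sat Jul 27 19:00:00 2030
                Issued to: g10 Code GmbH
                Expires:   Wed Jul 02 07:12:13 2025
The signature is timestamped: Wed May 21 10:43:55 2025
Timestamp Verified by:
        Issued to: GlobalSign Timestamping CA - SHA384 - G4
        Expires:   Sat Dec 09 19:00:00 2034
            Issued to: Globalsign TSA for Advanced - G4
            Expires:   Sat Dec 09 19:00:00 2034
"""

FMT = "%a %b %d %H:%M:%S %Y"  # date layout used in signtool's verbose report
SECTIONS = {"Signing Certificate Chain:": "signing", "Timestamp Verified by:": "tsa"}

def parse_signtool(text):
    """Return (signing_chain, timestamp, tsa_chain); chains are [(subject, not_after)], leaf last."""
    chains = {"signing": [], "tsa": []}
    current, subject, stamped = None, None, None
    for line in map(str.strip, text.splitlines()):
        if line in SECTIONS:
            current = SECTIONS[line]
        elif m := re.match(r"The signature is timestamped: (.+)", line):
            stamped = datetime.strptime(m.group(1), FMT)
        elif m := re.match(r"Issued to: (.+)", line):
            subject = m.group(1)
        elif (m := re.match(r"Expires:\s+(.+)", line)) and current:
            chains[current].append((subject, datetime.strptime(m.group(1), FMT)))
    return chains["signing"], stamped, chains["tsa"]

def assess(text, now):
    signing, stamped, tsa = parse_signtool(text)
    signer, signer_not_after = signing[-1]   # signtool prints the leaf certificate last
    horizon = min(exp for _, exp in tsa)     # earliest expiry in the timestamp chain
    return {
        "signer": signer,
        "signer_expired_now": now > signer_not_after,
        "signed_within_validity": stamped is not None and stamped <= signer_not_after,
        "timestamp_chain_unexpired": now <= horizon,
        "timestamp_chain_horizon": horizon,
    }
```

A result with `signer_expired_now` true and `signed_within_validity` true is the situation described in the message: the certificate can no longer make new signatures, while the timestamped one was made inside its validity period.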


