gpg4win expired code signing cert; please renew.

have at anonymous.sex
Fri Oct 17 11:19:54 CEST 2025


Hi, WK@, thanks for your attention to this.  Please note up top that 
this is a bug report about a beta release.

On Fri, 17 Oct 2025 09:33:38 +0200, Werner Koch <wk at gnupg.org> wrote:

>Further: Authenticode signatures have a timestamp and thus you have 
>assurance when they were issued.
>
>Gpg4win 5.0 is not too far away.

I don’t know if it was clear amidst other discussions on this thread:  I 
reported a real-world cert validation error on a Microsoft platform, of 
Gpg4win 5 beta.  The latest gpg4win-beta package (369) was published 
2025-09-05, two months after cert expiry — thus, **the Authenticode 
timestamp does not help.**  Prior discussion of the Authenticode 
timestamp, which I hope was not misplaced in topic drift:

https://lists.gnupg.org/pipermail/gnupg-users/2025-October/067899.html
(I messed up my PGP authentication on the metadata of that post, whoops!  
msg sig ok.  Did anyone notice?)

IMO, a bad Authenticode signature which *actually* fails validation with 
error on Microsoft OS is a bug in beta-369.  Well, beta means to shake 
out bugs!  I respectfully suggest these fixes:

1. A gpg4win-5-beta version bump, with a valid Authenticode sig on new 
binary packages (and any other recent beta bugfixes).

2. Review the gpg4win release engineering procedure to add a guardrail 
check for an invalid Authenticode sig.  To protect non-beta releases, 
too, an automated regression test should catch the *bad signature* that 
causes the Microsoft platform error on (AFAIK) the 
gpg4win-5.0.0-beta369.exe binary.  Security software should not have any 
security failures of software supply chain integrity checks.

I’m sorry, I cannot contribute any patch.  I can’t even check the 
Authenticode sig myself.  I don’t have any Authenticode stuff on my 
machine.  I do not use Gpg4win!  A Microsoft user told me of in-the-wild 
failure on a Microsoft platform; I pieced together the rest of the 
puzzle.

I myself can easily verify your PGP dist sig.  But this does not help 
the PGP-newbie Microsoft user, with whom I am communicating 
remotely/anonymously from my never-Microsoft platform.  My machine says:

>impurify at sex:~/dl/gpg4win$ gpg --verify gpg4win-5.0.0-beta369.exe.sig gpg4win-5.0.0-beta369.exe
>gpg: Signature made Fri Sep  5 12:08:09 2025 UTC
>gpg:                using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
>gpg: Good signature from "Werner Koch (dist signing 2020)"
>Primary key fingerprint: 6DAA 6E64 A76D 2840 571B  4902 5288 97B8 2640 3ADA

(I will try to hold topic-drift replies in abeyance until this primary 
issue is adequately addressed.)

Always,

have at anonymous.sex

-- 
A makeshift way to distribute my current PQ-PGP key:
https://lists.gnupg.org/pipermail/gnupg-users/attachments/20250107/4732a382/attachment.key
01A6D81EEAD7EEEC393DEC1401F4894C154E1B8EE32E9059CA5566792A836823
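The point argued in the message above (an Authenticode timestamp only rescues a signature when the signing itself happened inside the certificate's validity window) and the "guardrail check" it asks for can be written down as a small policy function. The following is an added example, not code from the thread or from the Gpg4win project. The certificate dates are constructed for illustration (the message only says the cert expired roughly two months before the 2025-09-05 beta; the exact 2025-07-05 expiry below is an assumption), and the function names, the 60-day near-expiry margin and the release-guardrail rules are the author's choices, not anything Gpg4win does. In a real pipeline the inputs would come from a verifier such as `osslsigncode verify` or PowerShell `Get-AuthenticodeSignature`; this block only implements the decision logic on top of those values.

```python
"""Authenticode validity policy: why a timestamp does not help a signature
made after the signing certificate expired, and a release-time guardrail.

Added example; dates and names are constructed, not taken from Gpg4win."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC datetime (all comparisons below are aware)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class SignerCert:
    """Validity window of the Authenticode signing certificate."""
    subject: str
    not_before: datetime
    not_after: datetime

    def covers(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


# Constructed certificate: expiry date is an assumption, not the real Gpg4win cert.
CERT = SignerCert("CN=Example Code Signing (constructed)",
                  not_before=utc(2022, 7, 5), not_after=utc(2025, 7, 5))


def authenticode_status(cert: SignerCert, timestamp: Optional[datetime],
                        now: datetime) -> str:
    """Classify a signature the way a Windows-style verifier treats it.

    timestamp: signing time attested by an RFC 3161 countersignature, or None
    when the signature carries no trusted timestamp.
    """
    if timestamp is None:
        # Without a countersignature the signature lives only as long as the cert.
        return "ok" if cert.covers(now) else "expired-no-timestamp"
    if timestamp < cert.not_before:
        return "timestamp-before-validity"
    if timestamp > cert.not_after:
        # Signed after expiry: the timestamp proves the signing was too late,
        # so it cannot rescue the signature. This is the beta-369 situation.
        return "signed-after-expiry"
    # Signed inside the window; the timestamp keeps it valid past expiry.
    return "ok-timestamped" if now > cert.not_after else "ok"


def release_guardrail(cert: SignerCert, timestamp: Optional[datetime],
                      build_time: datetime,
                      min_remaining: timedelta = timedelta(days=60)
                      ) -> Tuple[bool, List[str]]:
    """Release-engineering check: fail the build when the signature would not
    validate on a user's machine, warn when the cert is about to expire.

    Returns (passed, messages). Rules are this example's choices."""
    messages: List[str] = []
    passed = True
    if timestamp is None:
        passed = False
        messages.append("no RFC 3161 countersignature: signature dies with the cert")
        effective = build_time
    else:
        effective = timestamp
    if not cert.covers(effective):
        passed = False
        messages.append(f"{cert.subject} not valid at signing time "
                        f"{effective:%Y-%m-%d} (notAfter {cert.not_after:%Y-%m-%d})")
    elif cert.not_after - effective < min_remaining:
        messages.append(f"warning: {cert.subject} expires {cert.not_after:%Y-%m-%d}, "
                        f"renew before the next release")
    return passed, messages


if __name__ == "__main__":
    # The scenario from the thread: a timestamped signature made two months
    # after expiry still fails, timestamp or not.
    print(authenticode_status(CERT, utc(2025, 9, 5, 12, 8), utc(2025, 10, 17)))
    print(release_guardrail(CERT, utc(2025, 9, 5, 12, 8), utc(2025, 9, 5, 12, 8)))
```

The guardrail deliberately refuses an untimestamped signature outright: such a release would stop validating on the day the certificate expires, which is exactly the failure mode a beta is meant to shake out before a final release.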
