gpg4win expired code signing cert; please renew.

Ingo Klöcker kloecker at kde.org
Fri Oct 17 22:06:52 CEST 2025


On Friday, 17 October 2025 12:32:51 Central European Summer Time, Werner Koch 
via Gnupg-users wrote:
> On Fri, 17 Oct 2025 09:19, have--- said:
> > I reported a real-world cert validation error on a Microsoft platform,
> > of Gpg4win 5 beta.  The latest gpg4win-beta package (369) was
> > published 2025-09-05, two months after cert expiry — thus, **the
> 
> Nope.  Your system is not up to date or something else is wrong at your
> site.  Here is the result on a freshly installed Windows 11 box:

In their original message the OP mentions that the latest gpg4win code signing 
certificate published at
https://gpg4win.org/package-integrity.html
has expired. That's correct. Werner should update the list of gpg4win code 
signing certificates on that page.

What's incorrect is the OP's claim that the *current* gpg4win code signing 
certificate has expired. Werner has demonstrated that the latest Gpg4win beta 
release has been signed with a new valid code signing certificate.

Obviously, the OP didn't check the code signing certificate that was used to 
sign the Gpg4win 5.0.0-beta369 release, but they blindly believed that
https://gpg4win.org/package-integrity.html
wasn't outdated and that Werner somehow managed to use an expired certificate 
for an Authenticode signature. I'm hard-pressed to believe that using an 
expired certificate for creating an Authenticode signature is even possible.

By the way, one doesn't need Microsoft's OS for checking the signature. Using 
Linux it's pretty simple to check the certificate that was used. First we 
extract the signature:
```
$ osslsigncode extract-signature -pem -in gpg4win-5.0.0-beta369.exe \
-out gpg4win-5.0.0-beta369.exe.pem
PE checksum   : 028F186B
Succeeded
```

And then we use openssl to list the certificates:
```
$ openssl pkcs7 -in gpg4win-5.0.0-beta369.exe.pem -print_certs -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            27:1d:f9:34:50:4f:8e:38:3b:33:bc:e5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R45 CodeSigning CA 2020
        Validity
            Not Before: Jun  5 12:43:59 2025 GMT
            Not After : Jun  5 12:43:59 2028 GMT
        Subject: C=DE, ST=Nordrhein-Westfalen, L=Erkrath, O=g10 Code GmbH, CN=g10 Code GmbH/emailAddress=code at g10code.com
[...]
```

If I had bothered to track down and download the root CA certificate I could 
have even verified the signature with osslsigncode. I leave this as an exercise 
for Mr. have. Maybe this will teach them not to make false claims about 
expired signatures while at the same time telling everybody that they should 
"use PQC *yesterday*".

Regards,
Ingo
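The second half of the procedure above (reading the signer's certificate out of the `openssl pkcs7 -print_certs -text` listing and checking its validity dates against the release date) as an added example. This is not code from the mailing-list post or from the gpg4win project. It parses the text openssl prints, so it runs without openssl or osslsigncode installed; the extraction step with `osslsigncode extract-signature` is assumed to have been run as shown above. `SAMPLE_OUTPUT` is the certificate block quoted in the post with its wrapped lines rejoined, followed by a constructed intermediate CA entry (its serial, issuer and dates are made up) so that the leaf-selection logic has a chain to work on. The point it makes is the one the post makes: check the certificate that actually signed the binary, not the one listed on a web page.

```python
"""Pick the signer (leaf) certificate out of `openssl pkcs7 -print_certs -text`
output and check whether it was valid on a given date.

Added example, not code from the mailing-list post or from gpg4win.
SAMPLE_OUTPUT: first block is quoted from the post (wrapped lines rejoined);
the second block is a CONSTRUCTED intermediate CA entry for demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class CertInfo:
    serial: str
    issuer: str
    subject: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


def parse_openssl_time(s: str) -> datetime:
    # openssl pads the day ("Jun  5 12:43:59 2025 GMT"); collapse the padding first.
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y GMT").replace(
        tzinfo=timezone.utc
    )


def _field(block: str, name: str) -> str:
    # Value of a "Name: value" line; "Subject Public Key Info:" does not match "Subject".
    m = re.search(rf"^\s*{re.escape(name)}\s*:[ \t]*(.*)$", block, re.MULTILINE)
    return m.group(1).strip() if m else ""


def parse_print_certs(text: str) -> list[CertInfo]:
    certs: list[CertInfo] = []
    for block in re.split(r"^Certificate:\s*$", text, flags=re.MULTILINE)[1:]:
        serial = _field(block, "Serial Number")
        if not serial:
            # Long serials are printed on the line after "Serial Number:".
            m = re.search(r"Serial Number:\s*\n\s*([0-9a-fA-F:]+)", block)
            serial = m.group(1) if m else ""
        certs.append(
            CertInfo(
                serial=serial,
                issuer=_field(block, "Issuer"),
                subject=_field(block, "Subject"),
                not_before=parse_openssl_time(_field(block, "Not Before")),
                not_after=parse_openssl_time(_field(block, "Not After")),
            )
        )
    return certs


def find_leaf(certs: list[CertInfo]) -> CertInfo:
    """The signer's certificate is the one that issued no other cert in the set.
    Do not rely on list order: the PKCS#7 may carry the chain in any order."""
    issuers = {c.issuer for c in certs}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    return leaves[0]


def signer_valid_at(text: str, when: datetime | str) -> tuple[CertInfo, bool]:
    """Return (leaf certificate, was it within its validity period at `when`)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    leaf = find_leaf(parse_print_certs(text))
    return leaf, leaf.valid_at(when)


SAMPLE_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            27:1d:f9:34:50:4f:8e:38:3b:33:bc:e5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R45 CodeSigning CA 2020
        Validity
            Not Before: Jun  5 12:43:59 2025 GMT
            Not After : Jun  5 12:43:59 2028 GMT
        Subject: C=DE, ST=Nordrhein-Westfalen, L=Erkrath, O=g10 Code GmbH, CN=g10 Code GmbH/emailAddress=code at g10code.com
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:02:03:04:05:06:07:08:09:0a:0b:0c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Constructed Root CA (example only), C=BE
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Jan  1 00:00:00 2030 GMT
        Subject: C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R45 CodeSigning CA 2020
"""

if __name__ == "__main__":
    # 2025-09-05 is the publication date of gpg4win-5.0.0-beta369 given in the thread.
    leaf, ok = signer_valid_at(SAMPLE_OUTPUT, "2025-09-05")
    print(f"signer : {leaf.subject}")
    print(f"valid on 2025-09-05: {ok} (Not After {leaf.not_after:%Y-%m-%d})")
```

To run it against a real download, pipe the listing in: `osslsigncode extract-signature -pem -in FILE.exe -out sig.pem && openssl pkcs7 -in sig.pem -print_certs -text | python3 check_signer.py` with a small `sys.stdin.read()` wrapper, or paste the output into `SAMPLE_OUTPUT`. Note that this only reports the certificate's own validity window; it does not verify the signature or the chain, which is what `osslsigncode verify` with the root CA file would do.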