<p dir="ltr">I think the main problem here is that "Lsmoke3" didn't understand that he needs to create his own key and use it to create trust in other keys that he has downloaded from the Internet. The other problems with sha256 and command-line are just the backup plans that didn't work either. If there is a bug at all it might be with sha256 I've never tried it so I don't know, but I don't think the command-line or setting the trust level of keys aren't bugs at all, just user errors from a beginner.</p>
<p dir="ltr">Lsmoke3, you really only need to use the gui kleopatra and never need to use the command line for verifying a download. But you also need to create or import your own gpg keys to set trust in other keys you download from the Internet or get from friends.</p>
<p dir="ltr">Gpg4win/gnupg doesn't make it very easy for beginners as they have created a WOT system that doesn't create much trust at all but instead registers people's connections to each other for all eternity on the web, and have added a feature where you have to sign the trust level of downloaded keys with your own key, making it difficult for beginners. So it's not very user friendly and that's the problem, it's not a bug to have a difficult environment to use it's just not as user friendly as people expect a software to be. Especially if the only thing they want to do is to very that a download isn't corrupted or comes from the wrong source. That thing could be much easier, and it was easier before. It's the new "features" that are causing the problems in this case I think together with a user who doesn't want to spend hours learning how to verify a download through Gpg4win.</p>
<p dir="ltr">So removing some unnecessary features or making them optional/removable in the installation and later in the settings would be a good thing for beginners when using gpg4win. And later if people really want to use their own keys to set a trust level of a key they just downloaded from the same website they downloaded the iso-file from, then fine let them add that feature later.</p>
<p dir="ltr">But honestly, if the website is hacked/replaced the hackers/ISP/Country probably will have changed both the public key, signature file and the iso file so that people downloading both would just create trust in the fake gpg public key anyway. But that's a whole other problem which gpg can't solve as there's no verified database of public keys, so the hacker/ISP/country can just change both the iso file, pgp signature file and the key who created it all at once. So that's a more difficult problem to solve.</p>
<div class="gmail_quote">Den 24 maj 2015 17:45 skrev "Juan Miguel Navarro MartÃnez" <<a href="mailto:juanmi.3000@gmail.com">juanmi.3000@gmail.com</a>>:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA512<br>
<br>
Daniel Kahn Gillmor:<br>
> b) kleopatra can't generate or verify sha256 digests:<br>
><br>
>> L:<br>
>>> Additionally, Gpg4Win proved unable to generate or verify<br>
>>> sha256sum hashes (technically a textfile output anyway),<br>
>>> repeatedly producing an error citing an inability to name the<br>
>>> output file; I ultimately turned to another application for<br>
>>> Unicode verification.<br>
>><br>
>> Kleopatra's sha256 checksum is either bugged or very strict. I<br>
>> could conclude that you can't create checksum files from a file<br>
>> or files which exceeds in total around 2.3 GiB of size and<br>
>> bigger. And you can't verify checksums from a file which is not<br>
>> named sha256sum.txt and the contents of the files aren't like:<br>
><br>
> to be honest, i can only get kleopatra to produce sha1 checksums,<br>
> and when i try to get kleopatra to verify a sha1 checksum, it's<br>
> very clear to me as a user what is happening, or what was actually<br>
> verified.<br>
><br>
<br>
You can select between md5sum, sha1sum or sha256sum in Settings ><br>
Configure Kleopatra > Crypto Operations > File Operations.<br>
<br>
## Creating a checksum file issue ##<br>
If I try to make a sha256sum file of Linuxmint 17.1 ISO file[1] or<br>
from multiple files of 2.01 GiB in total size [2], I can both create<br>
the file and both verify correctly. [4][5]<br>
<br>
It is when I use a big file, in this example FreeBSD 10.1 64-bit ISO<br>
(2,40 GiB) [6] or if I add another file in the bulk operation one<br>
(added Tails ISO in this case)[7] when I get this exact error everytime:<br>
<br>
"Failed to move file C:/Users/Juanmi/Documents/ISOs/sha256sum.txt to<br>
its final destination, sha256sum.txt: Error during rename."<br>
<br>
## Verifying issue ##<br>
As you saw before [1][4], the verification works but if you change the<br>
checksums file name to something different you get this error:<br>
<br>
"Cannot find checksums file for file<br>
C:\Users\Juanmi\Documents\ISOs\linuxmint-17.1-cinnamon-32bit.iso.sha256"<br>
<br>
It gives a different one if you rename it to md5sum.txt or<br>
sha1sum.txt, as if it's expecting md5 and sha1 checksums instead of<br>
analyzing its contents and determine what kind of checksum is it:<br>
<br>
"Error while running C:/Program Files (x86)/GNU/GnuPG/sha1sum.exe:<br>
sha1sum: error parsing `C:/Users/Juanmi/Documents/ISOs/sha1sum.txt':<br>
invalid line"<br>
<br>
[1]: <a href="https://img.bi/#/pYpuENn!aFlNIA-oEisQAiudUQBqn7YAWfQzoQ_XDRUA-LnT" target="_blank">https://img.bi/#/pYpuENn!aFlNIA-oEisQAiudUQBqn7YAWfQzoQ_XDRUA-LnT</a><br>
[2]: <a href="https://img.bi/#/927gE9N!Y4qEJgp7oMVgA06nRQQHTZdwUN72ngrcFkTwrnQM" target="_blank">https://img.bi/#/927gE9N!Y4qEJgp7oMVgA06nRQQHTZdwUN72ngrcFkTwrnQM</a><br>
[3]: <a href="https://img.bi/#/p4Ft9ed!xdSDbQAn5qNAkk5CRgeWJ1kAaJ2UfAq5v47wQ4nQ" target="_blank">https://img.bi/#/p4Ft9ed!xdSDbQAn5qNAkk5CRgeWJ1kAaJ2UfAq5v47wQ4nQ</a><br>
[4]: <a href="https://img.bi/#/Dnz4awQ!nuwlFQ7xzrHQq_B83wiIeoRQMjwwfwlAD4fQa8vH" target="_blank">https://img.bi/#/Dnz4awQ!nuwlFQ7xzrHQq_B83wiIeoRQMjwwfwlAD4fQa8vH</a><br>
[5]: <a href="https://img.bi/#/qB3pPOF!W2T9MwZgXR0Ai3plGAc5h9rQe6nAZQl_JuogwuWS" target="_blank">https://img.bi/#/qB3pPOF!W2T9MwZgXR0Ai3plGAc5h9rQe6nAZQl_JuogwuWS</a><br>
[6]: <a href="https://img.bi/#/z0BRTFA!dm5acAqZffVgrAffNgqiBzrAM07AYQiglgNAUqzY" target="_blank">https://img.bi/#/z0BRTFA!dm5acAqZffVgrAffNgqiBzrAM07AYQiglgNAUqzY</a><br>
[7]: <a href="https://img.bi/#/de8nTc2!6e7QQQPevjuga8u-WQutjOZQNmUi7gnLOrBQwonp" target="_blank">https://img.bi/#/de8nTc2!6e7QQQPevjuga8u-WQutjOZQNmUi7gnLOrBQwonp</a><br>
<br>
- --<br>
Juan Miguel Navarro MartÃnez<br>
<br>
GPG Keyfingerprint:<br>
5A91 90D4 CF27 9D52 D62A<br>
BC58 88E2 947F 9BC6 B3CF<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
<br>
iQEcBAEBCgAGBQJVYfIjAAoJEELfPuRPJIB7aTcIAI2dqZtoeG5/tXUvSH1XZDZ4<br>
99i/JjOWPboIz5yHmB/n/ot9XfS5J5DzpCVu9NN/7NZu4ig30r0rcJKuRAX2mSWT<br>
bdQrYJGqh0chk/3Q2XD9bgZhRv5Vgw/mOWV9LM3Rryf569g64mjKBkgb0jEJTpcI<br>
5m3ojUPpZW5ZPBfzWAF8a6c81WBVv3OtQDXnrabNSfQzIhILUcAYqy+065rjPOv/<br>
iHTdpjewDkZ/S6KZRFy1L3SQm0s95hEsLnMyxUXn6iIbX9vkvIYW5XX1Gv1fpBtj<br>
r85x3c0SBTWZHNClAnZz+GDSPTN0cfGWutJa6rGsTHeWkNVSbdJGxAk2js7vd4g=<br>
=mCtw<br>
-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
Gpg4win-users-en mailing list<br>
<a href="mailto:Gpg4win-users-en@wald.intevation.org">Gpg4win-users-en@wald.intevation.org</a><br>
<a href="https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-users-en" target="_blank">https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-users-en</a></blockquote></div>