[Gpg4win-users-en] Problems with Gpg4Win Verification Operations (and a couple of apparent bugs)

L LSmok3 at riseup.net
Sat May 23 22:34:44 CEST 2015


Reiterating a serious problem with the operation of Gpg4Win, or the
verification of files using Gpg4Win, and the last time I will try to
resolve it. My time is limited and costly too.

Over the last three weeks (!) I have encountered repeat problems in
using and obtaining verification from Gpg, using the Gpg4Win software,
primarily concerning Tor and Tails.
Tor onsite documentation emphasises the command line implementation of
Gpg, with some confusion (it claims Gpg4Win lacks a GUI), and offers
only command line download for the Tor dev key (which I therefore
lacked); Tor was ultimately roughly verifiable from its signature file,
matching the RSAs to those shown in onsite docs.
Tails, on the other hand, has far more serious problems, after several
download attempts (of iso, key, signature file) from more than one
location. The Tails key will import into Kleopatra successfully, and
shows correct signing, fingerprint, RSAs, though an apparent bug in
Gpg4Win prevents it appearing in the Trusted field even when "completely
trusted" (note the apparent miscomprehension in the Tails developer
response reproduced below: the Tails key checks out, and is technically
the ONLY trustworthy item among the three). The signature file yields no
comprehensible result at all. When the signature is right-click verified
by Gpg4Win it yields one of two output strings (shown in the
Gpg4Win/Kleopatra verification screen, again, apparently not understood
in the original response) depending on whether the key has been imported
or not, neither of them identifiable. I have reproduced those here,
italicised, in the original email I sent to a developer.

Additionally, Gpg4Win proved unable to generate or verify sha256sum
hashes (technically a textfile output anyway), repeatedly producing an
error citing an inability to name the output file; I ultimately turned
to another application for Unicode verification.

Finally, I have been unable to operate Gpg via command line, though I
obtained a command line protocol list online. Perhaps I am incorrect,
but I assume Gpg.exe must be activated before input of command and
target file/s. If not, please advise.

----

--Original email--

Hi there, and thanks for your reply.
As it is, I have an insurmountable problem with obtaining a verification
for the application. I have downloaded the iso several times from more
than one location, though due to the comparative slowness, downloading
through Tor has proven impossible (I may try again through a faster
connection if I have to). The iso download checksum verifies fine. The
key imports to Gpg4Win and carries all the verifiable developer data
(team sign, fingerprint, RSAs), and can be "trusted", though it will
fail to appear in the trusted tab (probably due to a Gpg4Win bug). The
iso and signature, on the other hand, produce no comprehensible result:
instead I obtain an unknown signature message with an unidentifiable
string:

/Signed on 2015-03-30 21:10 with unknown certificate 0x98FEC6BC752A3DB6./
/The signature is invalid: No public certificate to verify the signature./

/Signed on 2015-03-30 21:10 with unknown certificate 0xBA2C222F44AC00ED9899389398FEC6BC752A3DB6./
/The validity of the signature cannot be verified./

The first is the result without importation of the key into Kleopatra
first, the second after key importation, but in both cases operating
upon the same iso download and signature file; I have been unable to
identify the string/s given.
So, all I have to verify the iso, after numerous attempts to download
the file, is the checksum pass and the verifiable developer key.
You mentioned the command line protocol for checksumming in Gpg, but
having installed both Gpg4Win and the standalone (i.e. command line) Gpg
install, I have been unable to gain any command line operations from Gpg
(I assume you have to activate the exe first, then run commands with
options/arguments, though I have rarely used actual programs in command
prompt other than command prompt tools; I did manage to obtain a full
list of the Gpg command line commands online, but nothing will "do"
anything: even the command line help doesn't work).

I am a bit stumped now, after numerous downloads and attempts to verify,
with increasing understanding, but no guarantees for a security oriented
application.
Any suggestions?

----
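
The two hexadecimal strings in the quoted Kleopatra output can be compared mechanically: in OpenPGP v4 a long key ID is the last 16 hex digits of the key's 40-digit fingerprint. The Python sketch below is an added example, not part of the original message or of Gpg4win; its function names are assumptions, and the second quoted string stands in for a fingerprint obtained out of band.

```python
import re

# Result lines copied from the Kleopatra output quoted in the message above.
RESULTS = [
    "Signed on 2015-03-30 21:10 with unknown certificate 0x98FEC6BC752A3DB6.",
    "Signed on 2015-03-30 21:10 with unknown certificate "
    "0xBA2C222F44AC00ED9899389398FEC6BC752A3DB6.",
]
HEX_ID = re.compile(r"\b0x([0-9A-Fa-f]+)\b")
FORMS = {8: "short key ID", 16: "long key ID", 40: "v4 fingerprint"}


def extract_id(line):
    """Return the hex identifier from a result line, upper-cased, without 0x."""
    match = HEX_ID.search(line)
    if match is None:
        raise ValueError("no hex identifier in line")
    return match.group(1).upper()


def classify(hex_id):
    """Name the identifier form by its length in hex digits."""
    return FORMS.get(len(hex_id), "unknown")


def compare(reported, expected_fpr):
    """Compare a reported identifier with a fingerprint obtained out of band.

    A v4 key ID is the low-order 64 bits of the fingerprint, so a key ID can
    only show consistency; equality of full fingerprints is the real check.
    """
    reported = reported.upper()
    expected_fpr = expected_fpr.upper().replace(" ", "")
    if classify(expected_fpr) != "v4 fingerprint":
        raise ValueError("expected a 40-digit v4 fingerprint")
    if reported == expected_fpr:
        return "fingerprint match"
    if classify(reported) in ("short key ID", "long key ID") \
            and expected_fpr.endswith(reported):
        return "key ID consistent (compare full fingerprints to confirm)"
    return "mismatch"


if __name__ == "__main__":
    key_id, fpr = (extract_id(line) for line in RESULTS)
    print(classify(key_id), key_id)
    print(classify(fpr), fpr)
    # Here the second quoted string stands in for the expected fingerprint.
    print(compare(key_id, fpr))
```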