[Gpg4win-users-en] Problems with Gpg4Win Verification Operations (and a couple of apparent bugs)

Juan Miguel Navarro Martínez juanmi.3000 at gmail.com
Sun May 24 00:18:46 CEST 2015


> Finally, I have been unable to operate Gpg via command line, though
> I obtained a command line protocol list online. Perhaps I am
> incorrect, but I assume Gpg.exe must be activated before input of
> command and target file/s. If not, please advise.

I'm going to answer this first as you will need to make GnuPG work on
CMD for some commands below.

Open cmd.exe, type gpg -v or gpg2 -v.

Did it work? If not, right-click "(My) Computer" -> Properties ->
System Advanced Settings on the left panel -> Advanced Options tab ->
Environment Variables. On System variables, look for Path and click edit.

(You may want to copy paste the string in "Variable value" into
Notepad and hit enter after each semicolon.)

Look for any GnupG path in PATH environment variable and if so add the
path to GnuPG folder before that one, by default C:\Program Files
(x86)\GNU\GnuPG. If there's none, just add it at the end. Keep every
other path as it is.

(If you copy-pasted all into Notepad, turn it into one line again and
copy into Variable value, replacing what it was before)

If it did work, then you should be able to do every gpg command as it
should on GNU/Linux.

> Tails, on the other hand, has far more serious problems, after
> several download attempts (of iso, key, signature file) from more
> than one location. The Tails key will import into Kleopatra
> successfully, and shows correct signing, fingerprint, RSAs, though
> an apparent bug in Gpg4Win prevents it appearing in the Trusted
> field even when "completely trusted" (note the apparent
> miscomprehension in the Tails developer response reproduced below:
> the Tails key checks out, and is technically the ONLY trustworthy
> item among the three).
I tried to see if I could reproduce that problem on Kleopatra, and I
could. I thought it was a bug in Kleopatra, but then I tried doing that
on the command line:

> C:\Users\Juanmi>gpg2 --lsign-key "Tails developers (offline"
>
> pub  4096R/0xDBB802B258ACD84F  created: 2015-01-18  expires: 2016-01-11  usage: C
>                                trust: full          validity: unknown
> sub  4096R/0x98FEC6BC752A3DB6  created: 2015-01-18  expires: 2016-01-11  usage: S
> sub  4096R/0x3C83DCB52F699C56  created: 2015-01-18  expires: 2016-01-11  usage: S
> [ unknown] (1). Tails developers (offline long-term identity key) <tails at boum.org>
>
> pub  4096R/0xDBB802B258ACD84F  created: 2015-01-18  expires: 2016-01-11  usage: C
>                                trust: full          validity: unknown
>  Primary key fingerprint: A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
>
>      Tails developers (offline long-term identity key) <tails at boum.org>
>
> This key is due to expire on 2016-01-11.
> Are you sure that you want to sign this key with your
> key "Juan Miguel Navarro Martínez <juanmi_3000 at hotmail.com>" (0x88E2947F9BC6B3CF)
>
> The signature will be marked as non-exportable.
>
> Really sign? (y/N) y
> gpg: secret key parts are not available
> gpg: signing failed: Unusable secret key
> Key not changed so no update needed.

My problem was that I didn't have my secret key (it is offline so I
would have to import it back and it should work.) So the question here
is, did you create a pair of GPG keys or did you try to trust it
without them?

If you did create a pair of GPG keys, you should use the command I did

  gpg --list-sigs "Tails developers (offline"

And see if your key ID is there, if it's not try

  gpg --lsign-key "tails developers (offline"

> The signature file yields no comprehensible result at all. When
> the signature is right-click verified by Gpg4Win it yields one of
> two output strings (shown in the Gpg4Win/Kleopatra verification
> screen, again, apparently not understood in the original response)
> depending on whether the key has been imported or not, neither of
> them identifiable. I have reproduced those here, italicised, in the
> original email I sent to a developer.
I've seen the original email you inserted.

The second one, the one that says:
> Signed on 2015-03-30 21:10 with unknown certificate
> 0xBA2C222F44AC00ED9899389398FEC6BC752A3DB6. The validity of the
> signature cannot be verified.

That's Kleopatra's way of telling you "The signature is GOOD, you
haven't verified that it came from the real person though." Yeah, a
bit misleading on Kleopatra's part.

If you do in command line:

  gpg --verify tails-i386-1.X.X.iso.sig tails-i386-1.X.X

It should say "GOOD signature" with a warning telling you that it was
not verified.
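To make the distinction above concrete (a GOOD signature versus a signer you have not yet trusted), here is an added Python example that interprets the machine-readable status lines gpg emits with `--status-fd`. It is not code from the mailing list or from the GnuPG/Gpg4win projects. The keyword names (GOODSIG, BADSIG, ERRSIG, NO_PUBKEY, VALIDSIG, TRUST_UNDEFINED .. TRUST_ULTIMATE) are real GnuPG status tokens; the sample lines are constructed, reusing the key IDs, fingerprints and user ID quoted in this thread with made-up timestamps.

```python
"""Interpret GnuPG's machine-readable status lines for a --verify run.

Added example, not code from the mailing-list post. GnuPG reports whether a
signature is cryptographically correct (GOODSIG / BADSIG / ERRSIG) separately
from how much the verifying user trusts the signing key (TRUST_UNDEFINED ...
TRUST_ULTIMATE). Kleopatra's "unknown certificate ... validity cannot be
verified" text is the GOODSIG + TRUST_UNDEFINED case. The status lines below
are constructed samples in the format of `gpg --status-fd 1 --verify`; the key
IDs and user ID are those quoted in the thread, the timestamps are made up.
"""
from dataclasses import dataclass
from typing import List, Optional

TRUST_KEYWORDS = {
    "TRUST_UNDEFINED": "unknown",
    "TRUST_NEVER": "never",
    "TRUST_MARGINAL": "marginal",
    "TRUST_FULLY": "full",
    "TRUST_ULTIMATE": "ultimate",
}

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class VerifyResult:
    signature: str = "none"            # "good", "bad", "error" or "none"
    key_id: Optional[str] = None       # long key ID of the signing (sub)key
    user_id: Optional[str] = None      # user ID printed with GOODSIG/BADSIG
    fingerprint: Optional[str] = None  # signing key fingerprint from VALIDSIG
    trust: str = "unknown"             # web-of-trust validity of the signer

    @property
    def verified(self) -> bool:
        """True only when the signature is good AND the signer is trusted."""
        return self.signature == "good" and self.trust in ("full", "ultimate")


def parse_status(lines: List[str]) -> VerifyResult:
    """Reduce a list of gpg output lines to a VerifyResult.

    Human-readable lines (no "[GNUPG:] " prefix) are ignored; only the
    status-fd lines are authoritative.
    """
    result = VerifyResult()
    for line in lines:
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split(maxsplit=2)
        keyword = fields[0]
        if keyword in ("GOODSIG", "BADSIG"):
            result.signature = "good" if keyword == "GOODSIG" else "bad"
            result.key_id = fields[1]
            result.user_id = fields[2] if len(fields) > 2 else None
        elif keyword in ("ERRSIG", "NO_PUBKEY"):
            # the signature could not be checked at all (e.g. key not imported)
            result.signature = "error"
            result.key_id = fields[1]
        elif keyword == "VALIDSIG":
            result.fingerprint = fields[1]
        elif keyword in TRUST_KEYWORDS:
            result.trust = TRUST_KEYWORDS[keyword]
    return result


def describe(result: VerifyResult) -> str:
    """One-line verdict in the spirit of gpg's own wording."""
    if result.signature == "good":
        who = result.user_id or result.key_id
        if result.verified:
            return f"GOOD signature from {who}, signer trusted ({result.trust})"
        return (f"GOOD signature from {who}; WARNING: signer's key is not "
                f"certified with a trusted signature (trust: {result.trust})")
    if result.signature == "bad":
        return f"BAD signature from {result.user_id or result.key_id}"
    if result.signature == "error":
        return f"cannot check signature: no public key {result.key_id}"
    return "no signature found"


SIGNER_UID = "Tails developers (offline long-term identity key) <tails@boum.org>"
SUBKEY_FPR = "BA2C222F44AC00ED9899389398FEC6BC752A3DB6"   # from the Kleopatra text
PRIMARY_FPR = "A490D0F4D311A4153E2BB7CADBB802B258ACD84F"  # from the gpg2 output

# constructed: key imported but not (l)signed -> the case in the thread
SAMPLE_UNTRUSTED = [
    "gpg: Signature made 03/30/15 21:10:00 using RSA key ID 752A3DB6",
    f"[GNUPG:] GOODSIG 98FEC6BC752A3DB6 {SIGNER_UID}",
    f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2015-03-30 1427749800 0 4 0 1 10 00 {PRIMARY_FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
    "gpg: WARNING: This key is not certified with a trusted signature!",
]
# constructed: the same signature after the user lsigned the key
SAMPLE_TRUSTED = SAMPLE_UNTRUSTED[:3] + ["[GNUPG:] TRUST_FULLY 0 pgp"]
# constructed: the key was never imported
SAMPLE_NO_KEY = [
    "[GNUPG:] ERRSIG 98FEC6BC752A3DB6 1 10 00 1427749800 9",
    "[GNUPG:] NO_PUBKEY 98FEC6BC752A3DB6",
]

if __name__ == "__main__":
    for name, sample in [("untrusted", SAMPLE_UNTRUSTED),
                         ("trusted", SAMPLE_TRUSTED),
                         ("no key", SAMPLE_NO_KEY)]:
        print(f"{name:>9}: {describe(parse_status(sample))}")
```

The point of keeping `signature` and `trust` as separate fields is that a download check needs both: a GOOD signature only proves the file was signed by the holder of that key, and the trust level is what ties the key to the Tails developers once you have checked the fingerprint yourself.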

> Additionally, Gpg4Win proved unable to generate or verify
> sha256sum hashes (technically a textfile output anyway), repeatedly
> producing an error citing an inability to name the output file; I
> ultimately turned to another application for Unicode verification.

Kleopatra's sha256 checksum is either bugged or very strict.
I could conclude that you can't create checksum files from a file or
files which exceed around 2.3 GiB in total.
And you can't verify checksums from a file which is not named
sha256sum.txt, or whose contents aren't like:

Checksum String(Two blank spaces)[Path/to/]file_name

...... yes.... not sure if a problem of Kleopatra or GPG4Win's
Kleopatra port.
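As an added illustration of the checksum-file layout described above (not code from the mailing list or from Kleopatra), the following Python script writes a `sha256sum.txt` in the "hash, two spaces, file name" format and then verifies it, reporting OK, FAILED, missing or malformed per line. The file name `tails-i386-1.X.X.iso` is the placeholder used in this thread, the file contents are constructed, and the tolerance for a leading `*` (the binary-mode marker coreutils `sha256sum` can write) is an assumption about what a reader may encounter, not a statement about Kleopatra.

```python
"""Write and verify a sha256sum.txt in the two-space format.

Added example, not code from the mailing list or from Kleopatra/Gpg4win.
Each line is: <64 hex chars><two spaces><file name relative to the txt file>.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

CHUNK = 1024 * 1024
HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def sha256_of(path: Path) -> str:
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_checksum_file(files: Iterable[Path], out_path: Path) -> None:
    """Write one 'digest  name' line per file, names relative to out_path."""
    base = out_path.parent
    with open(out_path, "w", encoding="utf-8", newline="\n") as out:
        for p in files:
            out.write(f"{sha256_of(p)}  {p.relative_to(base).as_posix()}\n")


def parse_checksum_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (digest, name) or None if the line is not in the expected format."""
    line = line.rstrip("\r\n")
    # 64 hex digits, exactly two spaces, then at least one character of name
    if len(line) < 67 or line[64:66] != "  ":
        return None
    digest, name = line[:64], line[66:]
    if not HEX64.fullmatch(digest):
        return None
    if name.startswith("*"):  # assumption: tolerate sha256sum's binary marker
        name = name[1:]
    return digest.lower(), name


def verify_checksum_file(path: Path) -> Dict[str, str]:
    """Check every entry; returns {name_or_line: 'OK'|'FAILED'|'missing'|'malformed'}."""
    results: Dict[str, str] = {}
    base = path.parent
    with open(path, encoding="utf-8") as f:
        for lineno, line in enumerate(f, 1):
            parsed = parse_checksum_line(line)
            if parsed is None:
                results[f"line {lineno}"] = "malformed"
                continue
            digest, name = parsed
            target = base / name
            if not target.is_file():
                results[name] = "missing"
            elif sha256_of(target) == digest:
                results[name] = "OK"
            else:
                results[name] = "FAILED"
    return results


def demo() -> Dict[str, Dict[str, str]]:
    """Create a constructed image file, checksum it, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        iso = base / "tails-i386-1.X.X.iso"          # placeholder name from the thread
        iso.write_bytes(b"constructed sample image contents\n" * 1000)
        sums = base / "sha256sum.txt"
        write_checksum_file([iso], sums)
        before = verify_checksum_file(sums)
        iso.write_bytes(b"tampered")                  # simulate a corrupted download
        after = verify_checksum_file(sums)
    return {"before": before, "after_tamper": after}


if __name__ == "__main__":
    for stage, res in demo().items():
        print(stage, res)
```

Because the parser insists on exactly two spaces after the digest, a line written with a single space is reported as malformed rather than silently skipped, which matches the strictness the post describes and makes a typo in the checksum file visible instead of hiding a missed check.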

-- 
Juan Miguel Navarro Martínez

GPG key fingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF
