[Gpg4win-users-en] Problems with Gpg4Win Verification Operations (and a couple of apparent bugs)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun May 24 16:00:42 CEST 2015


It sounds to me like there may be three distinct bugs here.  I'm going
to try to separate them, in the hopes that this will help people to
discuss them distinctly.  Maybe once we understand their scope better,
someone can file them as distinct bugs in the relevant upstream
bugtracker.

a) kleopatra's message for the "good signature from unverified key"
   message is confusing/misleading, at least in English:

On Sat 2015-05-23 18:18:46 -0400, Juan Miguel Navarro Martínez wrote:
> The second one, the one that says:
>> Signed on 2015-03-30 21:10 with unknown certificate
>> 0xBA2C222F44AC00ED9899389398FEC6BC752A3DB6. The validity of the
>> signature cannot be verified.
>
> That's Kleopatra's way of telling you "The signature is GOOD, you
> haven't verified that it came from the real person though." Yeah, a
> bit misleading on Kleopatra's part.
>
> If you do in command line:
>
>   gpg --verify tails-i386-1.X.X.iso.sig tails-i386-1.X.X.iso
>
> It should say "GOOD signature" with a warning telling you that it was
> not verified.


b) kleopatra can't generate or verify sha256 digests:

> L:
>> Additionally, Gpg4Win proved unable to generate or verify
>> sha256sum hashes (technically a textfile output anyway), repeatedly
>> producing an error citing an inability to name the output file; I
>> ultimately turned to another application for Unicode verification.
>
> Kleopatra's sha256 checksum is either bugged or very strict.
> I could conclude that you can't create checksum files from a file or
> files which exceed in total around 2.3 GiB in size and bigger.
> And you can't verify checksums from a file which is not named
> sha256sum.txt and the contents of the files aren't like:

   to be honest, i can only get kleopatra to produce sha1 checksums, and
   when i try to get kleopatra to verify a sha1 checksum, it's very
   clear to me as a user what is happening, or what was actually
   verified.


c) L can't seem to use gpg from the command line.  L, you should provide
   a terminal transcript (a copy/paste from the cmd.exe tool on windows)
   that shows specifically what you tried, and what the output was.  See
   https://support.mayfirst.org/wiki/terminal_transcripts for general
   advice about supplying useful terminal transcripts if you want other
   people to be able to help you fix the problem.


hth,

        --dkg
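
Added example, not part of the original message: point (a) turns on the difference between a cryptographically good signature and a signing key whose ownership has been verified. The Python sketch below separates the two using the status lines gpg prints with `gpg --status-fd 1 --verify`; the sample lines, fingerprint and signer name are constructed, and one signature per run is assumed.

```python
import re

# Added illustration: parses the machine-readable lines gpg writes with
# `--status-fd`. Assumes a single signature per verification run.
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
UNTRUSTED = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}
FAILED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def classify(status_text):
    """Return (verdict, fingerprint) for one `gpg --verify` run."""
    good, failed, trust, fpr = False, None, None, None
    for line in status_text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)\s*(.*)", line)
        if not m:
            continue  # human-readable "gpg: ..." text is not parsed
        keyword, args = m.groups()
        if keyword == "GOODSIG":
            good = True            # the signature matches the data
        elif keyword in FAILED:
            failed = keyword       # bad, unverifiable, expired or revoked
        elif keyword == "VALIDSIG" and args:
            fpr = args.split()[0]  # full fingerprint of the signing key
        elif keyword in TRUSTED | UNTRUSTED:
            trust = keyword        # how far the key itself is trusted
    if failed or not good:
        return ("signature-not-verified", fpr)
    if trust in TRUSTED:
        return ("good-signature-trusted-key", fpr)
    # The case Kleopatra reports as "validity cannot be verified".
    return ("good-signature-unverified-key", fpr)

# Constructed sample input (not captured from a real gpg run).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_UNVERIFIED = "\n".join([
    'gpg: Good signature from "Example Signer <signer@example.org>"',
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>",
    f"[GNUPG:] VALIDSIG {FPR} 2015-03-30 1427742600 0 4 0 1 8 00 {FPR}",
    "[GNUPG:] TRUST_UNDEFINED",
])
GOOD_TRUSTED = GOOD_UNVERIFIED.replace("TRUST_UNDEFINED", "TRUST_FULLY")
BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>"

if __name__ == "__main__":
    for name, sample in [("unverified key", GOOD_UNVERIFIED),
                         ("trusted key", GOOD_TRUSTED),
                         ("bad signature", BAD)]:
        print(name, "->", classify(sample))
```

In the "good-signature-unverified-key" case the returned fingerprint is the value to compare against one obtained through a separate channel before relying on the signature.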


