[Gpg4win-users-en] Problems with Gpg4Win Verification Operations (and a couple of apparent bugs)

David Kronlid david at kronlid.net
Sun May 24 23:47:26 CEST 2015


I think the main problem here is that "Lsmoke3" didn't understand that he
needs to create his own key and use it to create trust in other keys that
he has downloaded from the Internet. The other problems with sha256 and
the command line are just the backup plans that didn't work either. If there
is a bug at all it might be with sha256; I've never tried it so I don't know,
but I don't think the command line or setting the trust level of keys
are bugs at all, just user errors from a beginner.

Lsmoke3, you really only need to use the gui kleopatra and never need to
use the command line for verifying a download. But you also need to create
or import your own gpg keys to set trust in other keys you download from
the Internet or get from friends.

Gpg4win/gnupg doesn't make it very easy for beginners as they have created
a WOT system that doesn't create much trust at all but instead registers
people's connections to each other for all eternity on the web, and have
added a feature where you have to sign the trust level of downloaded keys
with your own key, making it difficult for beginners. So it's not very user
friendly and that's the problem; it's not a bug to have a difficult
environment to use, it's just not as user friendly as people expect
software to be. Especially if the only thing they want to do is to verify
that a download isn't corrupted or comes from the wrong source. That thing
could be much easier, and it was easier before. It's the new "features"
that are causing the problems in this case, I think, together with a user who
doesn't want to spend hours learning how to verify a download through
Gpg4win.

So removing some unnecessary features or making them optional/removable in
the installation and later in the settings would be a good thing for
beginners when using gpg4win. And later if people really want to use their
own keys to set a trust level of a key they just downloaded from the same
website they downloaded the iso-file from, then fine let them add that
feature later.

But honestly, if the website is hacked/replaced the hackers/ISP/Country
probably will have changed both the public key, signature file and the iso
file so that people downloading both would just create trust in the fake
gpg public key anyway. But that's a whole other problem which gpg can't
solve as there's no verified database of public keys, so the
hacker/ISP/country can just change both the iso file, pgp signature file
and the key that created it all at once. So that's a more difficult problem
to solve.

On 24 May 2015 17:45, "Juan Miguel Navarro Martínez" <
juanmi.3000 at gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Daniel Kahn Gillmor:
> > b) kleopatra can't generate or verify sha256 digests:
> >
> >> L:
> >>> Additionally, Gpg4Win proved unable to generate or verify
> >>> sha256sum hashes (technically a textfile output anyway),
> >>> repeatedly producing an error citing an inability to name the
> >>> output file; I ultimately turned to another application for
> >>> Unicode verification.
> >>
> >> Kleopatra's sha256 checksum is either bugged or very strict. I
> >> could conclude that you can't create checksum files from a file
> >> or files which exceed in total around 2.3 GiB of size and
> >> bigger. And you can't verify checksums from a file which is not
> >> named sha256sum.txt and the contents of the files aren't like:
> >
> > to be honest, i can only get kleopatra to produce sha1 checksums,
> > and when i try to get kleopatra to verify a sha1 checksum, it's
> > very clear to me as a user what is happening, or what was actually
> > verified.
> >
>
> You can select between md5sum, sha1sum or sha256sum in Settings >
> Configure Kleopatra > Crypto Operations > File Operations.
>
> ## Creating a checksum file issue ##
> If I try to make a sha256sum file of Linuxmint 17.1 ISO file[1] or
> from multiple files of 2.01 GiB in total size [2], I can both create
> the file and verify it correctly. [4][5]
>
> It is when I use a big file, in this example FreeBSD 10.1 64-bit ISO
> (2,40 GiB) [6] or if I add another file in the bulk operation one
> (added Tails ISO in this case)[7] when I get this exact error every time:
>
> "Failed to move file C:/Users/Juanmi/Documents/ISOs/sha256sum.txt to
> its final destination, sha256sum.txt: Error during rename."
>
> ## Verifying issue ##
> As you saw before [1][4], the verification works but if you change the
> checksums file name to something different you get this error:
>
> "Cannot find checksums file for file
> C:\Users\Juanmi\Documents\ISOs\linuxmint-17.1-cinnamon-32bit.iso.sha256"
>
> It gives a different one if you rename it to md5sum.txt or
> sha1sum.txt, as if it's expecting md5 and sha1 checksums instead of
> analyzing its contents and determining what kind of checksum it is:
>
> "Error while running C:/Program Files (x86)/GNU/GnuPG/sha1sum.exe:
> sha1sum: error parsing `C:/Users/Juanmi/Documents/ISOs/sha1sum.txt':
> invalid line"
>
> [1]: https://img.bi/#/pYpuENn!aFlNIA-oEisQAiudUQBqn7YAWfQzoQ_XDRUA-LnT
> [2]: https://img.bi/#/927gE9N!Y4qEJgp7oMVgA06nRQQHTZdwUN72ngrcFkTwrnQM
> [3]: https://img.bi/#/p4Ft9ed!xdSDbQAn5qNAkk5CRgeWJ1kAaJ2UfAq5v47wQ4nQ
> [4]: https://img.bi/#/Dnz4awQ!nuwlFQ7xzrHQq_B83wiIeoRQMjwwfwlAD4fQa8vH
> [5]: https://img.bi/#/qB3pPOF!W2T9MwZgXR0Ai3plGAc5h9rQe6nAZQl_JuogwuWS
> [6]: https://img.bi/#/z0BRTFA!dm5acAqZffVgrAffNgqiBzrAM07AYQiglgNAUqzY
> [7]: https://img.bi/#/de8nTc2!6e7QQQPevjuga8u-WQutjOZQNmUi7gnLOrBQwonp
>
> - --
> Juan Miguel Navarro Martínez
>
> GPG Keyfingerprint:
> 5A91 90D4 CF27 9D52 D62A
> BC58 88E2 947F 9BC6 B3CF
>
> -----BEGIN PGP SIGNATURE-----
>
> iQEcBAEBCgAGBQJVYfIjAAoJEELfPuRPJIB7aTcIAI2dqZtoeG5/tXUvSH1XZDZ4
> 99i/JjOWPboIz5yHmB/n/ot9XfS5J5DzpCVu9NN/7NZu4ig30r0rcJKuRAX2mSWT
> bdQrYJGqh0chk/3Q2XD9bgZhRv5Vgw/mOWV9LM3Rryf569g64mjKBkgb0jEJTpcI
> 5m3ojUPpZW5ZPBfzWAF8a6c81WBVv3OtQDXnrabNSfQzIhILUcAYqy+065rjPOv/
> iHTdpjewDkZ/S6KZRFy1L3SQm0s95hEsLnMyxUXn6iIbX9vkvIYW5XX1Gv1fpBtj
> r85x3c0SBTWZHNClAnZz+GDSPTN0cfGWutJa6rGsTHeWkNVSbdJGxAk2js7vd4g=
> =mCtw
> -----END PGP SIGNATURE-----
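As an added illustration of the checksum-file handling discussed in the quoted message (not code from Gpg4win, Kleopatra or anyone on the list): the script below parses lines in the coreutils "<hex digest>  <filename>" layout that sha256sum.txt uses, picks the algorithm from the digest length in the contents rather than from the file name, rejects malformed lines the way sha1sum.exe reports "invalid line", and hashes files in chunks so size alone is not a limit. The function names, the constructed sample files and the checksum list in demo() are all my own assumptions for the example. Note, as David says above, a matching checksum only shows the download is not corrupted; whether it comes from the right source still depends on verifying the signature on the checksum file with a key you actually trust.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Hex digest length -> algorithm, so the checksum type is detected from the
# line contents instead of from the checksum file's name.
DIGEST_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# coreutils *sum line: "<hex digest>" then two spaces (text mode) or
# space + '*' (binary mode), then the file name.
_LINE_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")


def parse_checksum_file(text):
    """Return a list of (algorithm, hexdigest, filename) tuples.

    Raises ValueError on a line that is not in *sum format, mirroring the
    "invalid line" error quoted in the thread.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: invalid line: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        algo = DIGEST_BY_HEX_LENGTH.get(len(digest))
        if algo is None:
            raise ValueError(f"line {lineno}: unrecognised digest length {len(digest)}")
        entries.append((algo, digest, name))
    return entries


def hash_file(path, algo, chunk_size=1 << 20):
    """Hash a file of any size by streaming it in 1 MiB chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksums(checksum_text, base_dir):
    """Map each listed file name to "OK", "FAILED" or "MISSING"."""
    results = {}
    for algo, expected, name in parse_checksum_file(checksum_text):
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = hash_file(path, algo)
        # Constant-time comparison; digests are hex so the lengths already match.
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def demo():
    """Constructed sample: two small files, one modified after listing."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.iso")
        bad = os.path.join(d, "tampered.iso")
        for p in (good, bad):
            with open(p, "wb") as f:
                f.write(b"release image contents\n")
        # Mixed algorithms in one list: detected per line from digest length.
        checksum_text = (
            f"{hash_file(good, 'sha256')}  good.iso\n"
            f"{hash_file(bad, 'sha1')}  tampered.iso\n"
        )
        with open(bad, "ab") as f:
            f.write(b"extra byte")  # simulate corruption after the list was made
        return verify_checksums(checksum_text, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run it as a script to see the two sample results; to check a real download, pass the contents of the sha256sum.txt you received and the directory holding the ISO to verify_checksums().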