[Gpg4win-users-en] Problems with Gpg4Win Verification Operations (and a couple of apparent bugs)

L LSmok3 at riseup.net
Tue May 26 04:24:40 CEST 2015 

Thanks for various replies.
As far as I can see:

1) The checksum issue, limited to 256sums, is a file size issue; as I
said, I got around this by using a different app, but it would
constitute a major limitation or bug.

2) I will try the command line as you have suggested, running "gpg -v".

3) I will also try trusting the Tails key using my own key; still,
Gpg4Win does offer the ability to " completely trust" a key without
using your own, and even when this is the case, the key fails to appear
in Kleopatra's trusted field, also an apparent bug. If the trusted field
only admits keys when signed with your own, this should be made clear.

4) This still fails to account for the unidentified string (short and
post-key-imported long), unmatched to anything on the Tails site, the
real issue. Can anyone account for this string
(/0xBA2C222F44AC00ED9899389398FEC6BC752A3DB6)?
/
Cheers

On 25/05/2015 00:39, David Kronlid wrote:
>
> LSmok3, I just realized that your email address wasn't included any
longer in the discussion on the mailing list, so in case you aren't
subscribing to the list i resend my email with you as a recipient too.
> /David
>
> Den 24 maj 2015 23:47 skrev "David Kronlid" <david at kronlid.net
<mailto:david at kronlid.net>>:
> >
> > I think the main problem here is that "Lsmoke3" didn't understand
that he needs to create his own key and use it to create trust in other
keys that he has downloaded from the Internet. The other problems with
sha256 and command-line are just the backup plans that didn't work
either. If there is a bug at all it might be with sha256 I've never
tried it so I don't know, but I don't think the command-line or setting
the trust level of keys aren't bugs at all, just user errors from a
beginner.
> >
> > Lsmoke3, you really only need to use the gui kleopatra and never
need to use the command line for verifying a download. But you also need
to create or import your own gpg keys to set trust in other keys you
download from the Internet or get from friends.
> >
> > Gpg4win/gnupg doesn't make it very easy for beginners as they have
created a WOT system that doesn't create much trust at all but instead
registers people's connections to each other for all eternity on the
web, and have added a feature where you have to sign the trust level of
downloaded keys with your own key, making it difficult for beginners. So
it's not very user friendly and that's the problem, it's not a bug to
have a difficult environment to use it's just not as user friendly as
people expect a software to be. Especially if the only thing they want
to do is to very that a download isn't corrupted or comes from the wrong
source. That thing could be much easier, and it was easier before. It's
the new "features" that are causing the problems in this case I think
together with a user who doesn't want to spend hours learning how to
verify a download through Gpg4win.
> >
> > So removing some unnecessary features or making them
optional/removable in the installation and later in the settings would
be a good thing for beginners when using gpg4win. And later if people
really want to use their own keys to set a trust level of a key they
just downloaded from the same website they downloaded the iso-file from,
then fine let them add that feature later.
> >
> > But honestly, if the website is hacked/replaced the
hackers/ISP/Country probably will have changed both the public key,
signature file and the iso file so that people downloading both would
just create trust in the fake gpg public key anyway. But that's a whole
other problem which gpg can't solve as there's no verified database of
public keys, so the hacker/ISP/country can just change both the iso
file, pgp signature file and the key who created it all at once. So
that's a more difficult problem to solve.
> >
> > Den 24 maj 2015 17:45 skrev "Juan Miguel Navarro Martínez"
<juanmi.3000 at gmail.com <mailto:juanmi.3000 at gmail.com>>:
> >>
> Daniel Kahn Gillmor:
> > b) kleopatra can't generate or verify sha256 digests:
>
> >> L:
> >>> Additionally, Gpg4Win proved unable to generate or verify
> >>> sha256sum hashes (technically a textfile output anyway),
> >>> repeatedly producing an error citing an inability to name the
> >>> output file; I ultimately turned to another application for
> >>> Unicode verification.
> >>
> >> Kleopatra's sha256 checksum is either bugged or very strict. I
> >> could conclude that you can't create checksum files from a file
> >> or files which exceeds in total around 2.3 GiB of size and
> >> bigger. And you can't verify checksums from a file which is not
> >> named sha256sum.txt and the contents of the files aren't like:
>
> > to be honest, i can only get kleopatra to produce sha1 checksums,
> > and when i try to get kleopatra to verify a sha1 checksum, it's
> > very clear to me as a user what is happening, or what was actually
> > verified.
>
>
> You can select between md5sum, sha1sum or sha256sum in Settings >
> Configure Kleopatra > Crypto Operations > File Operations.
>
> ## Creating a checksum file issue ##
> If I try to make a sha256sum file of Linuxmint 17.1 ISO file[1] or
> from multiple files of 2.01 GiB in total size [2], I can both create
> the file and both verify correctly. [4][5]
>
> It is when I use a big file, in this example FreeBSD 10.1 64-bit ISO
> (2,40 GiB) [6] or if I add another file in the bulk operation one
> (added Tails ISO in this case)[7] when I get this exact error everytime:
>
> "Failed to move file C:/Users/Juanmi/Documents/ISOs/sha256sum.txt to
> its final destination, sha256sum.txt: Error during rename."
>
> ## Verifying issue ##
> As you saw before [1][4], the verification works but if you change the
> checksums file name to something different you get this error:
>
> "Cannot find checksums file for file
> C:\Users\Juanmi\Documents\ISOs\linuxmint-17.1-cinnamon-32bit.iso.sha256"
>
> It gives a different one if you rename it to md5sum.txt or
> sha1sum.txt, as if it's expecting md5 and sha1 checksums instead of
> analyzing its contents and determine what kind of checksum is it:
>
> "Error while running C:/Program Files (x86)/GNU/GnuPG/sha1sum.exe:
> sha1sum: error parsing `C:/Users/Juanmi/Documents/ISOs/sha1sum.txt':
> invalid line"
>
> [1]: https://img.bi/#/pYpuENn!aFlNIA-oEisQAiudUQBqn7YAWfQzoQ_XDRUA-LnT
> [2]: https://img.bi/#/927gE9N!Y4qEJgp7oMVgA06nRQQHTZdwUN72ngrcFkTwrnQM
> [3]: https://img.bi/#/p4Ft9ed!xdSDbQAn5qNAkk5CRgeWJ1kAaJ2UfAq5v47wQ4nQ
> [4]: https://img.bi/#/Dnz4awQ!nuwlFQ7xzrHQq_B83wiIeoRQMjwwfwlAD4fQa8vH
> [5]: https://img.bi/#/qB3pPOF!W2T9MwZgXR0Ai3plGAc5h9rQe6nAZQl_JuogwuWS
> [6]: https://img.bi/#/z0BRTFA!dm5acAqZffVgrAffNgqiBzrAM07AYQiglgNAUqzY
> [7]: https://img.bi/#/de8nTc2!6e7QQQPevjuga8u-WQutjOZQNmUi7gnLOrBQwonp
>
> >> _______________________________________________
> >> Gpg4win-users-en mailing list
> >> Gpg4win-users-en at wald.intevation.org
<mailto:Gpg4win-users-en at wald.intevation.org>
> >>
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-users-en
>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-users-en/attachments/20150526/c5686e51/attachment.html>

More information about the Gpg4win-users-en mailing list