[Gpg4win-users-en] Problems with Gpg4Win Verification Operations (and a couple of apparent bugs)

Juan Miguel Navarro Martínez juanmi.3000 at gmail.com
Fri May 29 05:08:16 CEST 2015


L:
> 1) The Gpg4Win GUI is faulty, and a cause of much trouble. It 
> cannot be used in verification to gain the data available with the
>  command line, though the key (asc) importation will provide 
> immediate access to ID, fingerprint, and RSAs.
> 

That's why I went the CLI way.

> 2) The Gpg4Win GUI cannot produce sha256sums: an alternative 
> application is required. (For this I used RapidCRCUnicode, in its 
> Portable Apps form.)

Gpg4Win can produce sha256sums, just with those limitations exposed.
Also, it may not be a Gpg4Win issue but a Kleopatra issue, and if it
is a Kleopatra issue then here is not where you can report bugs about it.

If it's GnuPG related:
http://www.gnupg.org/documentation/bts.html

If it's Kleopatra related:
http://bugs.kde.org/component-report.cgi?product=kleopatra

If it's Claws Mail related:
http://www.thewildbeast.co.uk/claws-mail/bugzilla/index.cgi

Everything else:
http://wald.intevation.org/tracker/?atid=126&group_id=11&func=browse

> 3) Online command lists for Gnu command line are also misleading. 
> Do not run gpg.exe, and precede commands by two hyphens not one. 
> The only two commands really required are import and verify: "gpg 
> --import [path, key (ie. asc) file)]" and "gpg --verify [path, sig
>  file] [path, data file]", along with trusting and signing. Include
>  full paths to asc, sig and data files. External locations appear
> to be unworkable (I lack much experience in command line to explain
>  why, but perhaps this is a command line limitation).

The data is well explained in the www.gnupg.org manuals; it's always been
two hyphens except for the short versions, as in:

-e, --encrypt
-s, --sign
-b, --detach-sign
-c, --symmetric
-d, --decrypt
-k, --list-keys
-K, --list-secret-keys

Important ones that don't:

--clearsign
--verify
--edit-key
--delete-key
--delete-secret-key

> 5) "Completely Trusting" the key will not have it appear in the 
> Trusted keys field (a bug or misdescription).

As trusting in Kleopatra means certifying (aka signing) another
key, then it's correct that it won't appear if you gpg --edit-key
KEYID; trust; 5.

Also the fact that you need your master key for signing others.
It should still be forwarded to Kleopatra's team, if it's the same on
the original version.

> 6) If the sig and iso are verified using the GUI after key 
> importation, this will produce only the Tails subkey fingerprint 
> (BA2C222F44AC00ED9899389398FEC6BC752A3DB6: the one that was located
> on a Debian list, but fails to be mentioned on the Tails site).
> 

I would say it should need to give the EXACT information given on the
CLI. So:

gpg: Good signature from "Tails developers (offline long-term identity key) <tails at boum.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A490 D0F4 D311 A415 3E2B  B7CA DBB8 02B2 58AC D84F
     Subkey fingerprint: BA2C 222F 44AC 00ED 9899  3893 98FE C6BC 752A 3DB6

This should be forwarded to Kleopatra's team if the same happens in
the Linux version.

> 7) If the key (asc file) is imported using the command line, it 
> will show origin and key ID (Tails Developers, 58ACD84F).
> 
Unless I'm wrong it does, and you can also use "gpg public.key" [or
public.gpg, or public.asc] and it will say what key it is.

> 8) If the sig and iso are verified using the command line without 
> initial key importation, they will show part of the RSAs, seen in 
> the subkey fingerprint (752A3DB6).

It already does:

C:\Users\Juanmi>gpg --verify .\Documents\ISOs\tails-i386-1.4.iso.sig .\Documents\ISOs\tails-i386-1.4.iso
gpg: NOTE: --use-agent is not available in this version
gpg: Signature made 05/11/15 19:56:27
gpg:                using RSA key 0x98FEC6BC752A3DB6
gpg: Can't check signature: public key not found

> 9) If the sig and iso are verified after key (asc) importation, 
> they will show "Good signature", and the origin (Tails Developers),
> and both primary and subkey fingerprints (A490 D0F4 D311 A415 3E2B
> B7CA DBB8 02B2 58AC D84F and BA2C 222F 44AC 00ED 9899 3893 98FE
> C6BC 752A 3DB6).
> 

Already does in CLI, just not in Kleopatra.

-- 
Juan Miguel Navarro Martínez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF
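
Added example, not part of the original message: a Python sketch of the check discussed in points 6, 8 and 9, reading gpg's machine-readable --status-fd output so that both the signing subkey and the primary key fingerprint are available and the primary one is compared against a pinned value. The status lines are constructed samples (timestamps made up, one signature assumed); the fingerprints and key ID are the ones quoted in the message.

```python
import subprocess

# Primary key fingerprint quoted in the message above.
PINNED_PRIMARY = "A490D0F4D311A4153E2BB7CADBB802B258ACD84F"

# Constructed status output (timestamps are made up), shaped like gpg --status-fd.
SAMPLE_AFTER_IMPORT = """\
[GNUPG:] GOODSIG 98FEC6BC752A3DB6 Tails developers (offline long-term identity key)
[GNUPG:] VALIDSIG BA2C222F44AC00ED9899389398FEC6BC752A3DB6 2015-05-11 1431366987 0 4 0 1 10 00 A490D0F4D311A4153E2BB7CADBB802B258ACD84F
[GNUPG:] TRUST_UNDEFINED
"""
SAMPLE_NO_KEY = """\
[GNUPG:] ERRSIG 98FEC6BC752A3DB6 1 10 00 1431366987 9
[GNUPG:] NO_PUBKEY 98FEC6BC752A3DB6
"""

def parse_status(status_text):
    """Collect the fields of interest for a single signature."""
    r = {"good": False, "signer": None, "primary": None, "missing_key": None}
    for line in status_text.splitlines():
        fields = line.split()[1:] if line.startswith("[GNUPG:] ") else []
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG":
            r["good"] = True
        elif keyword == "VALIDSIG" and args:
            r["signer"] = args[0].upper()  # key that actually made the signature
            # The 10th argument, when present, is the primary key fingerprint.
            r["primary"] = args[9].upper() if len(args) > 9 else None
        elif keyword == "NO_PUBKEY" and args:
            r["missing_key"] = args[0]
    return r

def verdict(status_text, pinned=PINNED_PRIMARY):
    r = parse_status(status_text)
    if r["missing_key"]:
        return "cannot check: no public key for 0x" + r["missing_key"]
    if not (r["good"] and r["primary"]):
        return "signature not verified"
    if r["primary"] != pinned.upper():
        return "good signature, but primary key is " + r["primary"]
    return "good signature from pinned key, signing subkey " + r["signer"]

def verify_file(sig_path, data_path):
    """Run gpg on real files; status lines go to stdout, messages to stderr."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return verdict(proc.stdout)
```

verify_file() needs gpg on the PATH and the key already imported; parse_status() and verdict() can be run against the two samples without gpg installed.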