[Gpg4win-users-en] Get pubkeys to check OpenPGP sig on Gpg4win installer (Re: Gpg4win 4.1.0 released)

Bernhard Reiter bernhard at intevation.de
Wed Dec 21 15:17:29 CET 2022

Hi Bowie,

Am Mittwoch 21 Dezember 2022 03:47:34 schrieb Bowie Frisch:
> I have just downloaded both gpg4win-4.1.0.exe and gpg4win-4.1.0.exe.sig and
> found out that a new key had been used to sign the Windows executable?
> H:\Gpg4win>gpg -v gpg4win-4.1.0.exe.sig

> gpg: Signature made 20-Dec-22 18:34:38 W. Australia Standard Time
> gpg:                using ECDSA key
> 02F38DFF731FF97CB039A1DA549E695E905BA208 gpg: Can't check signature: No
> public key

to get the current pubkeys (or read about verification) see

"Since 2021 the signatures are created by one of the official GnuPG release 
keys (aka certificates) they can be obtained from the GnuPG Homepage or 
downloaded from public keyservers. "

-> https://gnupg.org/signature_key.html
pub   brainpoolP256r1 2021-10-15 [SC] [expires: 2029-12-31]
      02F3 8DFF 731F F97C B039  A1DA 549E 695E 905B A208
uid   GnuPG.com (Release Signing Key 2021)

> I did refresh the keys by typing the following command in an elevated
> command prompt: C:\Program Files (x86)\GnuPG\bin\gpg.exe --refresh-keys
> What happened?
> The key ID that I have is 2688DA1A

This is the old key, used up to 2021.
(As documented on  https://www.gpg4win.de/package-integrity.html)

Best Regards

https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-users-en/attachments/20221221/c0ca49f2/attachment.sig>

More information about the Gpg4win-users-en mailing list