gpg4win expired code signing cert; please renew.
have at anonymous.sex
Thu Oct 16 20:15:16 CEST 2025
On Wed, 15 Oct 2025 20:00:25 -0500, Jay Acuna <mysidia at gmail.com> wrote:
>[...]
>The certificate is not invalid. It has a validity period for signatures
>made by it notAfter July 2, 2025. The key word is new signatures made
>by it. The signing date of May 21, 2025 is within the validity period,
>so the certificate is valid and good.
>[...]
Thanks for the explanation. I understand that Microsoft Authenticode
uses digitally-signed timestamping. However, per my OP, the problem is
a real-world, in-the-wild report by a new user (not me!) with a
Microsoft platform (not me!!). The user got a certificate validation
error on:
Signed file: gpg4win-5.0.0-beta369.exe
Date: **2025-09-05**
That file has a detached PGP .sig by Werner Koch. It cannot be verified
by someone who does not yet have a known-good (Libre|Open)PGP
implementation already installed. To solve this chicken-and-egg
problem...
[Quotes re-arranged for clarity.]
>I don't suggest x509 PKI as the way to authenticate software, [...]
...the x509 PKI provides bootstrap authentication for a first-time
gpg4win user. IIUC, it is *entirely* the reason why the gpg4win project
deals with Microsoft-blessed PKI bureaucracy to distribute the software
that almost the whole FOSS world (except some BSD) uses for digital
signatures on package distribution.
In the 1990s, I faced the same bootstrap problem with getting my first
PGP. For that first PGP, I bought NAI PGP on CD-ROM off the shelf in a
brick-and-mortar store—at least to help somewhat mitigate any risk of
targeted attacks. x509 PKI is easier, and much more secure. :-)
Always,
have at anonymous.sex
--
A makeshift way to distribute my current PQ-PGP key:
https://lists.gnupg.org/pipermail/gnupg-users/attachments/20250107/4732a382/attachment.key
01A6D81EEAD7EEEC393DEC1401F4894C154E1B8EE32E9059CA5566792A836823
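The validity rule from the quoted reply, as an added example (not code from this list post or from the gpg4win project): with a trusted timestamp countersignature, a verifier checks the signing time against the certificate's validity window; without one, it can only compare the current time. The notAfter of July 2, 2025, the signing date of May 21, 2025 and the user's verification date of September 5, 2025 are taken from the thread; the notBefore date and the absence of a lifetime-signing EKU are assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CodeSigningCert:
    """Validity window of a code-signing certificate (dates only)."""
    not_before: date
    not_after: date


def signature_status(cert: CodeSigningCert, signing_time: date,
                     verify_time: date, timestamped: bool) -> tuple[bool, str]:
    """Decide whether an Authenticode-style signature should verify.

    timestamped=True models a trusted RFC 3161 timestamp countersignature:
    the relevant question is whether the cert was valid at signing time,
    so the signature outlives the cert's notAfter. Without a timestamp the
    verifier has no trustworthy signing time and must use verify_time.
    Assumption: the cert carries no lifetime-signing EKU, which would
    make Windows ignore the timestamp and expire the signature anyway.
    """
    if timestamped:
        if cert.not_before <= signing_time <= cert.not_after:
            return True, "valid: signed within validity, timestamp trusted"
        return False, "invalid: signed outside certificate validity"
    if cert.not_before <= verify_time <= cert.not_after:
        return True, "valid: certificate still current at verification"
    return False, "expired: no timestamp, verified after notAfter"


# Dates from the thread; notBefore is an assumed value.
GPG4WIN_CERT = CodeSigningCert(not_before=date(2024, 7, 2),
                               not_after=date(2025, 7, 2))
SIGNING_TIME = date(2025, 5, 21)   # signing date quoted in the reply
VERIFY_TIME = date(2025, 9, 5)     # date of the new user's error report


def explain_thread_case() -> dict[str, tuple[bool, str]]:
    """Run both verifier models against the thread's dates."""
    return {
        "with_timestamp": signature_status(GPG4WIN_CERT, SIGNING_TIME,
                                           VERIFY_TIME, timestamped=True),
        "without_timestamp": signature_status(GPG4WIN_CERT, SIGNING_TIME,
                                              VERIFY_TIME, timestamped=False),
    }


if __name__ == "__main__":
    for model, (ok, reason) in explain_thread_case().items():
        print(f"{model}: {'OK' if ok else 'FAIL'} ({reason})")
```

The two outcomes show why a timestamp is what keeps an installer verifiable after its signing certificate expires; a verifier that cannot see or trust the timestamp falls back to the second branch.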