Gpg4win installer signature validation: how to fix “WARNING: This key is not certified with a trusted signature!”

certificate, certificate-signing-request, gpg4win, security-warning, signature

I am following the install guide of "OpenPGP signatures" of Gpg4win at Check integrity of Gpg4win packages.

Having also followed additional advice on how to import the Gpg4win public key first, I end up with a warning that was mentioned only as a side note in an answer to How to verify downloaded file with .sig file?, without a separate question being asked about it:

gpg: Good signature from "Intevation File Distribution Key <distribution-key@intevation.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13E3 CE81 AFEA 6F68 3E46  6E0D 42D8 7608 2688 DA1A

Same in Kleopatra, saying

  • "Der verwendete Schlüssel wurde weder von Ihnen noch einem anderen vertrauten Schlüssel beglaubigt."
  • translated: "The key used has not been authenticated by you or any other trusted key."


The advice from How to suppress "WARNING: This key is not certified with a trusted signature!" does not remove the warning in my case:

C:\Users\USERNAME\Downloads\gpg4win>gpg --lsign-key "13E3 CE81 AFEA 6F68 3E46  6E0D 42D8 7608 2688 DA1A"

outputs:

pub  rsa3072/42D876082688DA1A
created: 2016-11-03  expires: 2021-11-02  usage: SC
trust: unknown       validity: unknown
[ unknown ] (1). Intevation File Distribution Key <distribution-key@intevation.de>
gpg: no default secret key: No secret key
Key has not been changed, so no save is needed.

(gpg printed this in German; translated to English with www.DeepL.com/Translator (free version).)

Checking the "verify" script again throws the same warning:

C:\Users\USERNAME\Downloads\gpg4win>gpg --verify gpg4win*.exe.sig gpg4win*.exe

gpg: Signature made 25.11.2020 13:39:05 Central European Time
gpg:                using RSA key 13E3CE81AFEA6F683E466E0D42D876082688DA1A
gpg: Good signature from "Intevation File Distribution Key <distribution-key@intevation.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13E3 CE81 AFEA 6F68 3E46  6E0D 42D8 7608 2688 DA1A

(translated from gpg's German output)

How to fix the warning?

Side-note: I have seen that one of the signature validation points is not fulfilled. Could that be the reason? It says that the certificate is valid till Saturday, 30. April 2022 17:54:41, but the Gpg4win website lets you check the code signing certificate to be valid not after 16:54:41 of that day.

notAfter: 2022-04-30 16:54:41


Best Answer

The advice from How to suppress "WARNING: This key is not certified with a trusted signature!" does not remove the warning in my case:

Technically, you didn't implement the advice. You can see in your output that the command didn't do anything because it was unable to find a private keypair – so nothing got signed even though the command was run:

gpg: no default secret key: No secret key
Key has not been changed,

--lsign-key and similar signing commands use your private keypair to sign things, so they will only work once you have imported or generated one.

Until that's done, just manually compare the signer fingerprint from --verify with the one you got from the website. If the fingerprints match, the warning can be safely ignored.

Side-note: I have seen that one of the signature validation points is not fulfilled. Could that be the reason? It says that the certificate is valid till Saturday, 30. April 2022 17:54:41, but the Gpg4win website lets you check the code signing certificate to be valid not after 16:54:41 of that day.

You're in a different timezone. Windows shows you the timestamp in local time, but certificate validity is always stored as UTC time, so it always becomes invalid at exactly the same moment (16:54:41 UTC) no matter where you are around the world.

Side note: Authenticode signatures are timestamped (unlike PGP signatures), so once a file has been signed it'll remain valid even after the certificate expires.
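The manual fingerprint comparison the answer recommends can be scripted, which also avoids reading the human-readable "not certified" warning at all. The following is an added example, not code from the question, the answer, or the Gpg4win project: it runs gpg with --status-fd so the result arrives as machine-readable "[GNUPG:]" lines, extracts the primary-key fingerprint from the VALIDSIG line, and compares it with the fingerprint pinned from the download page (the one quoted in the question). The installer and .sig file names given on the command line are assumptions; the sample status text embedded for testing is constructed, not captured from a real run.

```shell
#!/bin/sh
# Added example (not part of the original question or answer, and not a
# Gpg4win script): verify a Gpg4win download against a pinned signer
# fingerprint using gpg's machine-readable status lines instead of reading
# the human-readable "not certified" warning. The pinned value is the
# Intevation fingerprint quoted in the question; the file names passed on
# the command line are an assumption.
EXPECTED_FPR="13E3 CE81 AFEA 6F68 3E46  6E0D 42D8 7608 2688 DA1A"

# Drop spaces and upper-case the hex so that the spaced form from the web
# page compares equal to the compact form in gpg's status output.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Read "[GNUPG:] ..." status lines on stdin and print the fingerprint of the
# primary key that made the signature (last field of VALIDSIG). Older gpg
# builds omit that field, in which case the signing-key fingerprint (field 3)
# is used instead.
signer_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = $NF
            if (length(fpr) != 40) fpr = $3
            print fpr
            exit
        }'
}

# Succeed only if the status text ($1) carries a VALIDSIG whose fingerprint
# equals EXPECTED_FPR and contains no BADSIG or ERRSIG line.
status_pinned() {
    if printf '%s\n' "$1" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG) '; then
        return 1
    fi
    actual=$(printf '%s\n' "$1" | signer_fpr_from_status)
    [ -n "$actual" ] || return 1
    [ "$(norm_fpr "$actual")" = "$(norm_fpr "$EXPECTED_FPR")" ]
}

# Run gpg itself: $1 is the .sig file, $2 the installer. --status-fd 1 puts
# the status lines on stdout. gpg's exit code alone is not enough, because a
# good signature from the wrong key also exits 0.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    status_pinned "$status"
}

# Constructed sample status output (not captured from a real run) in the
# shape gpg produces for the question's signature: a good signature from the
# expected key whose owner trust is still undefined.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 13E3CE81AFEA6F683E466E0D42D876082688DA1A 0
[GNUPG:] GOODSIG 42D876082688DA1A Intevation File Distribution Key <distribution-key@intevation.de>
[GNUPG:] VALIDSIG 13E3CE81AFEA6F683E466E0D42D876082688DA1A 2020-11-25 1606307945 0 4 0 1 10 00 13E3CE81AFEA6F683E466E0D42D876082688DA1A
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Usage (file names assumed): sh check_gpg4win.sh gpg4win-VERSION.exe.sig gpg4win-VERSION.exe
if [ "$#" -eq 2 ] && command -v gpg >/dev/null 2>&1; then
    if verify_pinned "$1" "$2"; then
        echo "signature OK and signer fingerprint matches the pinned value"
    else
        echo "signature missing, bad, or from an unexpected key" >&2
        exit 1
    fi
fi
```

The check deliberately ignores the TRUST_UNDEFINED line: as the answer explains, that line only reports that no key in your keyring vouches for the signer, which the pinned fingerprint already settles. Once you do have a secret key of your own, gpg --lsign-key on the same fingerprint will work and the warning disappears from interactive output as well.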
