0

I am following the install guide of "OpenPGP signatures" of Gpg4win at Check integrity of Gpg4win packages.

Having also followed additional advice of how to import the Gpg4win public key first, I end up with a warning, which has been mentioned as a side-note answer at How to verify downloaded file with .sig file?, without making a new question from it:

gpg: Good signature from "Intevation File Distribution Key <distribution-key@intevation.de>" [unknown] 
gpg: WARNING: This key is not certified with a trusted signature! 
gpg:          There is no indication that the signature belongs to the owner. Primary key fingerprint: 13E3 CE81 AFEA 6F68 3E46  6E0D 42D8 7608 2688 DA1A

Same in Kleopatra, saying

  • "Der verwendete Schlüssel wurde weder von Ihnen noch einem anderen vertrauten Schlüssel beglaubigt."
  • translated: "The key used has not been authenticated by you or any other trusted key."

enter image description here

The advice from How to suppress "WARNING: This key is not certified with a trusted signature!" does not remove the warning in my case:

C:\Users\USERNAME\Downloads\gpg4win>gpg --lsign-key "13E3 CE81 AFEA 6F68 3E46  6E0D 42D8 7608 2688 DA1A"

outputs:

pub  rsa3072/42D876082688DA1A                                                                                                 
erzeugt: 2016-11-03  verfällt: 2021-11-02  Nutzung: SC                                                                  
Vertrauen: unbekannt     Gültigkeit: unbekannt                                                                     
[ unbekannt ] (1). Intevation File Distribution Key <distribution-key@intevation.de>                                                                                                                                                            
gpg: no default secret key: Kein geheimer Schlüssel                                                                                                                                                                                             
Schlüssel ist nicht geändert worden, also ist kein Speichern nötig.

or in English, translated with www.DeepL.com/Translator (free version):

pub rsa3072/42D876082688DA1A 
created: 2016-11-03 expires: 2021-11-02 usage: SC 
trust: unknown 
validity: unknown 
[ unknown ] (1). Intevation File Distribution Key <distribution-key@intevation.de> 
gpg: no default secret key: No secret key 
Key has not been changed, so no save is needed.

Checking the "verify" script again throws the same warning:

C:\Users\USERNAME\Downloads\gpg4win>gpg --verify gpg4win*.exe.sig gpg4win*.exe

gpg: Signatur vom 25.11.2020 13:39:05 Mitteleuropõische Zeit

gpg:                mittels RSA-Schlüssel 13E3CE81AFEA6F683E466E0D42D876082688DA1A

gpg: Korrekte Signatur von "Intevation File Distribution Key <distribution-key@intevation.de>" [unbekannt]

gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!

gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.                       Haupt-Fingerabdruck  = 13E3 CE81 AFEA 6F68 3E46  6E0D 42D8 7608 2688 DA1A

How to fix the warning?

Side-note: I have seen that one of the signature validation points is not fulfilled. Could that be the reason? It says that the certificate is valid till Saturday, 30. April 2022 17:54:41, but the Gpg4win website lets you check the code signing certificate to be valid not after 16:54:41 of that day.

notAfter: 2022-04-30 16:54:41

enter image description here

questionto42
  • 2,691

1 Answers1

1

The advice from How to suppress "WARNING: This key is not certified with a trusted signature!" does not remove the warning in my case:

Technically, you didn't implement the advice. You can see in your output that the command didn't do anything because it was unable to find a private keypair – so nothing got signed even though the command was run:

gpg: no default secret key: Kein geheimer Schlüssel
gpg: no default secret key: No secret key 
Key has not been changed,

--lsign-key and similar signing commands use your private keypair to sign things, so they will only work once you have imported or generated one.

Until that's done, just manually compare the signer fingerprint from --verify with the one you got from the website. If the fingerprints match, the warning can be safely ignored.

Side-note: I have seen that one of the signature validation points is not fulfilled. Could that be the reason? It says that the certificate is valid till Saturday, 30. April 2022 17:54:41, but the Gpg4win website lets you check the code signing certificate to be valid not after 16:54:41 of that day.

You're in a different timezone. Windows shows you the timestamp in local time, but certificate validity is always stored as UTC time, so it always becomes invalid at exactly the same moment (16:54:41 UTC) no matter where you are around the world.

Side note: Authenticode signatures are timestamped (unlike PGP signatures), so once a file has been signed it'll remain valid even after the certificate expires.

grawity
  • 501,077