Forum: help-en

RE: GpgEx Tutorial (?)
By: Jochen Saalfeld on 2017-08-24 05:44
[forum:5071]
Hey,

Thank you for your observation! It is indeed true that this feature is undocumented. The use case is fairly small, since most people tend to verify OpenPGP signatures with Gpg4win.

You can create a wiki page yourself (e.g. at https://wiki.gnupg.org/GpgEX/VerifyChecksum) and people will eventually find it!

Thank you for sharing your information! It makes the software work and community work better!

Best wishes,
Jochen

GpgEx Tutorial (?)
By: M B on 2017-08-23 18:39
[forum:5070]
I started with using GPG4Win for verifying the signed installers as recommended by a.o. Keepass and Veracrypt.
After some time I got it working, and now noticed that GPG4win should also be able to verify the checksums that come with the installers.
As using GUI-based verification (right-click-verify) could a lot of time in theory, I thought I'd try out this nifty feature. However, for the first day, I could not get it to work, nor find any information on how to use it, as most Googled tutorials explain how to use GPG4Win/Kleopatra for signature verification, not for hash verification.
It is not mentioned in your Documentation/compendium, and the Wiki entry is empty:
https://wiki.gnupg.org/GpgEX

I finally found a site that explained that the file should be named sha1sum.txt and be in the format shasum space space filename, and from there on got it to work on a few keys.
I wrote a 'tutorial' for myself of what worked and did not work, and thought I'd share it here. Please tell me if what I found is correct or not. (And if it is correct, please use it to update your wiki. In my search for an answer I found more people struggling with how to use it.)
Tried on Win10 with WinGPG 2.3.2 and gpg4win-3.0.0-beta279

----
PS:
Of course, once I got here to post I found THIS tutorial, which rejects most of what I found, as it allows a PGP signature in a differently named sha file.....
https://www.howtogeek.com/246332/how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with/

==================
Use only on sha1sum.txt; right-click: More GpgEx Options > Verify checksum.
Do NOT use on file to be verified, it will give an error.

A checksum file contains the sha1 hash, followed by TWO spaces, followed by the filename, finishing with a RETURN and empty line

Creating a (new) Checksum WILL overwrite the current file WITHOUT asking.

The checksum file MUST be named 'sha1sum.txt'
The file MAY contain multiple checksums/filenames
The filename MAY include the directory the file is in
The hash MUST be a sha1 hash (not SHA256, 512, md5 etc)
The hash MAY NOT contain spaces


Examples
Right: sha1sum.txt
---
5cecfa817642ea40a84e70ef6c7822a41b7aeb77  C:/Users/USER/Downloads/KeePass-2.36-Setup.exe

---

OR:
sha1sum.txt
---
5cecfa817642ea40a84e70ef6c7822a41b7aeb77  KeePass-2.36-Setup.exe
26c38609dd4e67bbee65091d09f35356dcac0b58  C:/Users/USER/Downloads/gpg4win-2.3.4.exe

---
WRONG: Filename
Keepass.txt
--
5cecfa817642ea40a84e70ef6c7822a41b7aeb77  KeePass-2.36-Setup.exe

---
WRONG: no empty line
sha1sum.txt
--
5cecfa817642ea40a84e70ef6c7822a41b7aeb77  KeePass-2.36-Setup.exe
---
WRONG: spaces
sha1sum.txt
--
B10B1397 97E2604E 6F14B35C 96A6B07C 658272D2  KeePass-2.36.zip
--
WRONG: SHA256 hash not sha1 hash
sha1sum.txt
--
5FB46A14E19B47E354E3E7D36C9A85965D62A2D181AC746CFF33053A521A77B1  KeePass-2.36.zip
--
Wrong: everything

<KeePass-2.36.zip>
MD5 : 79E4A9E6 DAEBEC2E 0319E650 08E7C2CD
SHA1 : B10B1397 97E2604E 6F14B35C 96A6B07C 658272D2
SHA256 : 5FB46A14 E19B47E3 54E3E7D3 6C9A8596
5D62A2D1 81AC746C FF33053A 521A77B1
Size64 : 00000000 002F52FD
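
The rules listed in the post above can be checked mechanically before handing a file to GpgEX. The following is an added example, not part of either post and not GpgEX's own code: the function names are hypothetical, and the checks encode only the rules as the post states them.

```python
import hashlib
import os
import re

# One entry per the post: 40 hex digits (SHA-1), exactly two spaces, file name.
# Accepting upper-case hex is an assumption; the post only shows it in failing files.
ENTRY = re.compile(r"^([0-9a-fA-F]{40})  (\S.*)$")

def lint_checksum_file(name, text):
    """Return the rule violations found in a checksum file (empty list = OK)."""
    text = text.replace("\r\n", "\n")  # Windows line endings
    problems = []
    if name != "sha1sum.txt":
        problems.append("file must be named sha1sum.txt")
    if not text.endswith("\n\n"):
        problems.append("file must end with a RETURN and an empty line")
    for number, line in enumerate(text.split("\n"), start=1):
        if line and not ENTRY.match(line):
            problems.append(f"line {number}: expected <40 hex digits><2 spaces><filename>")
    return problems

def verify_entries(text, base_dir="."):
    """Map each listed file name to True (match), False (mismatch) or None (missing)."""
    results = {}
    for line in text.replace("\r\n", "\n").split("\n"):
        match = ENTRY.match(line)
        if not match:
            continue
        expected, filename = match.group(1).lower(), match.group(2)
        path = os.path.join(base_dir, filename)  # absolute names override base_dir
        if not os.path.isfile(path):
            results[filename] = None
            continue
        digest = hashlib.sha1()
        with open(path, "rb") as handle:
            for chunk in iter(lambda: handle.read(65536), b""):
                digest.update(chunk)
        results[filename] = digest.hexdigest() == expected
    return results

if __name__ == "__main__":
    # Constructed sample: an entry whose hash contains spaces, as in "WRONG: spaces".
    sample = "B10B1397 97E2604E 6F14B35C 96A6B07C 658272D2  KeePass-2.36.zip\n\n"
    print(lint_checksum_file("sha1sum.txt", sample))
```

A matching SHA-1 only shows that the file agrees with the checksum file; the checksum file itself still has to come from a trusted source, which is what the OpenPGP signature check mentioned in the reply covers.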