GpgEx Tutorial (?)

Gpg4win help-en
1

I started with using GPG4Win for veryfying the signed installers as recommended by a.o. Keepass and Veracrypt.
After some time I got it working, and now noticed that GPG4win should also be able to verify the checksums that come with the installers.
As using GUI-based verification (right-click-verify) could a lot of time in theory, I though I try out this nifty feature. However, for the first day, I could not get it to work, nor find any information on how to use it as most Googled tutorials explain how to use GPG4Win/Kleopatra for signature verification, not for hash verification.
It is not mentioned in your Documentation/compandium, and the Wiki entry is empty
https://wiki.gnupg.org/GpgEX

I finally found a site that explained that the file should be named sha1sum.txt and on the format shasum space space filename, and from there on got it to work on a few keys.
I wrote a ’ tutorial’ for myself of what worked and did not work, and thought I’d share it here. Please tell me if what I found is correct or not. (And if it is correct, please use it to update your wiki. In my search for an answere I found more people struggling how to use it).
Tried on Win10 with WinGPG 2.3.2 and gpg4win-3.0.0-beta279

PS:
Of course, once I got here to post I found THIS tutorial, which rejects most of what I found, as it allows a PGP signature in a differently named sha file…
https://www.howtogeek.com/246332/how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with/

==================
Use only on sha1sum.txt; right-click: More GpgEx Options> Verify checksum.
Do NOT use on file to be verified, it will give an error.

A checksum file contains the sha1 hash, followed by TWO spaces, followed by the filename, finishing with a RETURN and empty line

Creating a (new) Checksum WILL overwrite the current file WITHOUT asking.

The checksum file MUST be named ‘sha1sum.txt’
The file MAY contain multiple checksums/filenames
The filename MAY include the directory the file is in
The hash MUST be a sha1 hash (not SHA256, 512, md5 etc)
the hash MAY NOT contain spaces

Examples
Right: sha1sum.txt

5cecfa817642ea40a84e70ef6c7822a41b7aeb77 C:/Users/USER/Downloads/KeePass-2.36-Setup.exe

OR:
sha1sum.txt

5cecfa817642ea40a84e70ef6c7822a41b7aeb77 KeePass-2.36-Setup.exe
26c38609dd4e67bbee65091d09f35356dcac0b58 C:/Users/USER/Downloads/gpg4win-2.3.4.exe

WRONG: Filename
Keepass.txt

5cecfa817642ea40a84e70ef6c7822a41b7aeb77 KeePass-2.36-Setup.exe

WRONG: no empty line
sha1sum.txt

5cecfa817642ea40a84e70ef6c7822a41b7aeb77 KeePass-2.36-Setup.exe

WRONG: spaces
sha1sum.txt

B10B1397 97E2604E 6F14B35C 96A6B07C 658272D2 KeePass-2.36.zip

WRONG: SHA256 hash not sha1 hash
sha1sum.txt

5FB46A14E19B47E354E3E7D36C9A85965D62A2D181AC746CFF33053A521A77B1 KeePass-2.36.zip

Wrong: everything

<KeePass-2.36.zip>
MD5 : 79E4A9E6 DAEBEC2E 0319E650 08E7C2CD
SHA1 : B10B1397 97E2604E 6F14B35C 96A6B07C 658272D2
SHA256 : 5FB46A14 E19B47E3 54E3E7D3 6C9A8596
5D62A2D1 81AC746C FF33053A 521A77B1
Size64 : 00000000 002F52FD

2

Hey,

Thank you for your observation! It is indeed true, that this feature is undocumented. The Usecase is fairly small, since most people tend to verify OpenPGP Signatures with Gpg4win.

You can create a Wiki-Page by yourself (e.g. at https://wiki.gnupg.org/GpgEX/VerifyChecksum) and people will eventually find it!

Thank you for sharing your information! It makes the software work and community work better!

Best wishes,
Jochen