provide SHA256 of 'latest' installer file

i dont know whether this is the place to request new features, but i havent found any other…
my request is simple:
provide ‘gpg4win-latest.exe.sha256’ (in https://files.gpg4win.org)

Hi Nikolas,

note that for the latest version, we provide the SHA256 here
https://www.gpg4win.org/package-integrity.html

would that solve your need already?
Regards,
Bernhard

not really;
I’m trying to fetch installers and check hashes of multiple apps as part of what would on linux be called an installer script (which it really isn’t since it doesn’t install the apps - at least not all of them … i don’t expect there to be ‘silent’ flag on the installer file, is there?). I need to be able to always fetch latest version of app (this is available as ‘gpg4win-latest.exe’ in ‘https://files.gpg4win.org’) and hash (hence this request)

Hi Nikolas,

Re: silent flags on the Gpg4win installer:

It used be one there, see https://www.gpg4win.org/doc/en/gpg4win-compendium_35.html (old documentation, but might still work similiar today, haven’t tried in a while)

What do you need the hash for?
You did read https://wiki.gnupg.org/Gpg4win/CheckIntegrity I presume?

Using one of the other integrity checking method is usually better than going the hash way.

Best Regards,
Bernhard

For completion: There are command line tools to check the code signing status on windows.

well the methods mentioned in https://wiki.gnupg.org/Gpg4win/CheckIntegrity are:

  • Method A: UAC will be omitted if the silent installer ends up working (I have yet to try it but from what I read it seems it should) as it’ll be installed from elevated shell instance
  • Method B: file properties - requires manual intervention, therefore won’t be done if the silent installer ends up working
  • Method C: signtool - requires downloading other software -won’t do
  • OpenPGP signatures - requires software to already be installed, which for obvious reasons isn’t a good idea -if the file was malicious I don’t think it’d be excessively hard to make a simple if statement refering to the installer file with hardcoded output value or something similar
  • " [forum:8344]
    For completion: There are command line tools to check the code signing status on windows. " - again: requires downloading other software -won’t do
  • other than that there are only Checksums which can be done using preinstalled powershell cmdlet (Get-FileHash)

Hi Nikolas,
what about the powershell cmdlet Get-AuthenticodeSignature ?
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-authenticodesignature?view=powershell-7.2

According to the documentation it should match your criteria.

Best Regards,
Bernhard