**This post is on the thread’s topic about the gpg4win expired cert.**
On Wed, 15 Oct 2025 20:00:25 -0500, Jay Acuna <[email protected]> wrote:
[...]The certificate is not invalid. It has a validity period for signatures made by it notAfter July 2, 2025. The key word is new signatures made by it. The signing date of May 21, 2025 is within the validity period, so the certificate is valid and good.[...]
Thanks for the explanation. I understand that Microsoft Authenticode uses digitally-signed timestamping. However, per my OP, the problem is a real-world, in-the-wild report by a new user (not me!) with a Microsoft platform (not me!!). The user got a certificate validation error on:
Signed file: gpg4win-5.0.0-beta369.exe
Date: **2025-09-05**

That file has a detached PGP .sig by Werner Koch. It cannot be verified by someone who does not yet have a known-good (Libre|Open)PGP implementation already installed. To solve this chicken-and-egg problem...
[Quotes re-arranged for clarity.]
I don't suggest x509 PKI as the way to authenticate software, [...]
...the x509 PKI provides bootstrap authentication for a first-time gpg4win user. IIUC, it is *entirely* the reason why the gpg4win project deals with Microsoft-blessed PKI bureaucracy to distribute the software that almost the whole FOSS world (except some BSD) uses for digital signatures on package distribution.
In the 1990s, I faced the same bootstrap problem with getting my first PGP. For that first PGP, I bought NAI PGP on CD-ROM off the shelf in a brick-and-mortar store—at least to help somewhat mitigate any risk of targeted attacks. x509 PKI is easier, and much more secure. :-)
Always,
[email protected]

--
A makeshift way to distribute my current PQ-PGP key:
https://lists.gnupg.org/pipermail/gnupg-users/attachments/20250107/4732a382/attachment.key
01A6D81EEAD7EEEC393DEC1401F4894C154E1B8EE32E9059CA5566792A836823
_______________________________________________ Gnupg-users mailing list [email protected] https://lists.gnupg.org/mailman/listinfo/gnupg-users
