> IMO, a bad Authenticode signature which *actually* fails validation with error on Microsoft OS is a bug in beta-369. Well, beta means to shake out bugs! I respectfully suggest these fixes:

I agree this is a bug in beta-369 that needs fixing. Werner has said it will be fixed prior to the official 5.0 release. That's enough for me: the bug has been reported, received, and an action plan for it exists.

> 2. Review gpg4win release engineering procedure to add guardrail check for invalid Authenticode sig. To protect non-beta releases, too, automated regression test...

I hate to be the one to tell you this, but GnuPG has no continuous integration and not much in the way of automated regression tests. (I have not looked for these things lately: it's possible they've been recently introduced.) I don't disagree that CI is useful and that it would be nice to see GnuPG adopt it. However, I wouldn't hold my breath waiting.

> I myself can easily verify your PGP dist sig. But this does not help the PGP-newbie...

(a) it's not PGP, which is a trademark of ... I think Broadcom bought the rights to Symantec which bought the rights from ... man, keeping track of who owns the PGP intellectual property is just too much work. But it's proprietary and belongs to someone else. Let's not use those letters. :)

(b) the relevant standard is LibrePGP, which is not trademarked.

(c) if this user is new to GnuPG, please don't start them off on a beta release. Beta releases have bugs and inadequacies and the documentation is often not ready and everything else. Please stick to official releases. Yes, this means you'll not be able to use FIPS 203 and PQC. Fortunately, that really doesn't matter.
_______________________________________________ Gnupg-users mailing list [email protected] https://lists.gnupg.org/mailman/listinfo/gnupg-users
