On Thu, 5 Mar 2020 at 15:34, Gerald Combs <ger...@wireshark.org> wrote:
> On 3/4/20 1:21 PM, jbugrep...@outlook.com wrote: > > Hello, > > > > Problem: When I attempt to verify the signature of the Wireshark 3.2.2 > Windows installer (64-bit), I receive a message that the signature is > invalid. I expected a good signature. Is this a known issue? > > > > Windows 10 Pro Version 1903 Build 18362.657 64 bit > > Gpg4win 3.1.11 > > Attempting to install Wireshark 3.2.2 (Windows 64-bit) > > > > Details and Steps to Reproduce: > > 1) Went to https://www.wireshark.org/download.html and downloaded the > Windows Installer (64-bit) for Wireshark version 3.2.2; saved the .exe to > my desktop with the name Wireshark-win64-3.2.2 > > 2) Went to > https://www.wireshark.org/download/gerald_at_wireshark_dot_org.gpg , > selected all of the text, copied it, pasted it into a notepad file, and > saved it as an .asc file to my desktop with the name > Wireshark-Code-Signing-Key > > 3) Successfully imported the key from step 2 into Kleopatra by using > File>Import > > > 4) Went to https://www.wireshark.org/download/SIGNATURES-3.2.2.txt , > selected all of the text beginning with and including “-----BEGIN PGP > SIGNATURE-----“ and ending with and including “-----END PGP > SIGNATURE-----“, copied it, pasted it into a notepad file, and saved it as > an .asc file to my desktop with the name Wireshark-win64-3.2.2.exe > > This signature is for the text that immediately precedes it, not for any > of the distribution files. That is, SIGNATURES-3.2.2.txt is a > self-contained PGP/GPG clearsigned text document as described at > https://tools.ietf.org/html/rfc4880#section-7. I've never used Kleopatra, > but it looks like you can verify SIGNATURES-3.2.2.txt by opening it via > "File → Decrypt/Verify Files...". From there you can compare the > Wireshark-win64-3.2.2.exe hash values with the file you downloaded. You can > also check to make sure various packaging systems are using official > installers, e.g. > > https://github.com/Homebrew/homebrew-cask/blob/master/Casks/wireshark.rb > https://chocolatey.org/packages/wireshark#files > > > However, there's an easier way to verify Wireshark on Windows. Right-click > on the installer, select "Properties", and make sure it's signed by > "Wireshark Foundation, Inc.". You can also do this on the command line > using `signtool verify` if it's available. > > Or use the PowerShell cmdlet "Get-AuthenticodeSignature", passing the path to the file as an argument. -- Graham Bloice
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
