Topic: Wladimir J. van der Laan's signature is expired in KLEOPATRA (Gpg4win-4.0.2) (Read 257 times)

If you are using Windows Security, you can try to add the whole GPG4Win folder to the exclusions list and see if that will work.

• Open the search bar on your Windows machine and start typing "security".
• Click on "Windows Security.
• Under Virus & thread protection settings click on "Manage settings".
• Scroll down until you find Exclusions and click on "Add or remove exclusions".
• Click on the "Add an exclusion" button and select "Folder" from the dropdown menu.
• Find the correct location where you installed Kleopatra and the GPG software and click on "Select Folder".

Check if that changes anything for the better.

It can. GPG4Win's installation directory contents wont delete itself.
If it found that the file contains a similar malicious fingerprint, it will quarantine it and will try to "fix" the file (that may be the cause of the '0kB' file).

Probably not. AV is Windows Security. It is not deleting gpg.exe file. It is deleting its content. The file is there but with not content. Dir command showsd a 0 KB file. Can an AV erased the content of the file without erasing the file itself? Maybe it can... I have no idea.

Thanks.

My bets are on it's AV software deleting the gpg.exe binary (files cannot be corrupted deterministically because they are written to a different part of the hard disk every time its deleted and created again).

In which case, OP should either turn off the AV, or instruct the AV software not to scan C:\Program Files\GPG4Win\gpg.exe .

This doesn't look like an issue with Bitcoin Core nor GPG4Win at all.
I suspect that it's either a hardware issue (HDD, RAM or CPU) or your Antivirus Software deleting the files.

Usually, you just have to do the installation of required software (GPG4Win), importation of keys and certifying them if you want to, only once.
The only recurring part is the actual verification (verify the SHA256sums file and get the binary's SHA2556 hash) everytime you need to verify Bitcoin Core (e.g.: new release).

Hi again, guys:

I have uninstalled GPG4WIN and installed again and now, yes, I can see Wladimir J. van der Laan key. This means that every time I run the command:

C:\Program Files (x86)\GnuPG\bin>gpg.exe --keyserver hkp://keyserver.ubuntu.com --recv-keys 71A3B16735405025D447E8F274810B012346C9A6

I must uninstall GPG4WIN and install it again right after importing any signature key. Then I can click on the SHA256SUMS.asc imported from https://bitcoincore.org/en/download/ and yes, the installer can be verified with the imported key.

Let’s be honest. This is a pain in the heck but is the only way I’ve made it work (let’s say, partially work). It is better than nothing, but do not expect too many people to undergo the hustle of installing a bitcoin node. This is far from becoming a general adopted tech. We well get there sometime in the future, but we’re far from there.

Thanks, anyway.

Thanks a lot.

I tried the command the way you have just written it. I found that right after I used this command for the last time, gpg.exe installation was corrupted. If I checked the program in its installation path it showed 0 KB in its size, instead of

25/04/2022  16:20         1.154.760 gpg.exe

So, I have uninstalled gpg4win entirely and I have installed again. I have written the command now with this output:

C:\Program Files (x86)\GnuPG\bin>gpg.exe --keyserver hkp://keyserver.ubuntu.com --recv-keys 71A3B16735405025D447E8F274810B012346C9A6
gpg: key 74810B012346C9A6: 1 duplicate signature removed
gpg: clave 74810B012346C9A6: "Wladimir J. van der Laan <[email protected]>" 5 firmas nuevas
gpg: Cantidad total procesada: 1
gpg:         nuevas firmas: 5

Now it apparently worked but, no, as you can read below.

Then I have tried another different key and I get an error again. If I list the directory in C:\Program Files (x86)\GnuPG\bin I get this:

C:\Program Files (x86)\GnuPG\bin>dir
 
El volumen de la unidad C es Windows
 El número de serie del volumen es: 3481-4ADD

 Directorio de C:\Program Files (x86)\GnuPG\bin

20/08/2022  08:01              .
20/08/2022  08:01              ..
11/07/2022  13:15           634.864 dirmngr.exe
11/07/2022  13:15            80.880 dirmngr_ldap.exe
11/07/2022  13:15           431.088 gpg-agent.exe
11/07/2022  13:16           274.416 gpg-card.exe
11/07/2022  13:11           132.608 gpg-check-pattern.exe
11/07/2022  13:15           171.504 gpg-connect-agent.exe
11/07/2022  13:15            77.296 gpg-preset-passphrase.exe
11/07/2022  13:15           228.848 gpg-wks-client.exe
20/08/2022  10:39                 0 gpg.exe
11/07/2022  13:15           191.984 gpgconf.exe
11/07/2022  13:15            28.144 gpgme-w32spawn.exe
11/07/2022  13:15           559.088 gpgsm.exe
11/07/2022  13:16           167.408 gpgtar.exe
11/07/2022  13:16           575.984 gpgv.exe
11/07/2022  13:11           271.360 keyboxd.exe
11/07/2022  13:16            92.024 libassuan-0.dll
11/07/2022  13:16         1.230.880 libgcrypt-20.dll
11/07/2022  13:16           195.336 libgpg-error-0.dll
11/07/2022  13:16           345.032 libgpgme-11.dll
11/07/2022  13:16           254.440 libksba-8.dll
11/07/2022  13:16            38.608 libnpth-0.dll
11/07/2022  13:16         1.102.208 libsqlite3-0.dll
11/07/2022  13:16            81.904 pinentry-basic.exe
11/07/2022  13:17           568.304 scdaemon.exe
11/07/2022  13:17           115.184 zlib1.dll
              25 archivos      7.849.392 bytes
               2 dirs  191.618.043.904 bytes libres

Look at the size of gpg.exe program! Empty! And if I open KLEOPATRA it does not show any certificate or import keys.

If I double clic on SHA256SUMS.asc that I downloaded from https://bitcoincore.org/en/download/, along with Windows installer, I get an error message that shows that KLEOPATRA and the whole GPG program installation has been corrupted right after importing that key.

So, still, not working. Thanks a lot, anyway.

Yes, now you can see that folowing nc50lc instructions, I have imported Wladimir J. van der Laan key and your’re right, it contains a valid email. But as you can see in my message bellow, I still cannot use this keys as GPG installation breaks down right after importin just one key.

As you can read in next post, still, not working. Thanks a lot, anyway.

Like in my instruction, setting it to Kleopatra will only change the server of its "Lookup on server..." tool (I guess it's the language barrier's fault).
For commands, you should indicate the server after "--keyserver".

So the command should be:

I have tried changing the server address as you mention and first I made sure the directory was the right one to write the command, and I tried with three random keys. My OS is in Spanish, but I translate: "gpg: recepción del servidor de claves fallida: Certificado caducado" mans "keys reception from server failed: certificate expired".

This is the output to the dir command to make sure I was in the right directory and then the three failed keys import:

C:\Program Files (x86)\GnuPG\bin>dir
 El volumen de la unidad C es Windows
 El número de serie del volumen es: 3481-4ADD

 Directorio de C:\Program Files (x86)\GnuPG\bin

06/07/2022  06:35              .
06/07/2022  06:35              ..
25/04/2022  16:20           633.032 dirmngr.exe
25/04/2022  16:20            79.560 dirmngr_ldap.exe
25/04/2022  16:20           425.672 gpg-agent.exe
25/04/2022  16:21           272.584 gpg-card.exe
25/04/2022  16:17           131.584 gpg-check-pattern.exe
25/04/2022  16:20           169.672 gpg-connect-agent.exe
25/04/2022  16:20            76.488 gpg-preset-passphrase.exe
25/04/2022  16:20           227.528 gpg-wks-client.exe
25/04/2022  16:20         1.154.760 gpg.exe
25/04/2022  16:20           189.640 gpgconf.exe
25/04/2022  16:21            27.336 gpgme-w32spawn.exe
25/04/2022  16:21           554.696 gpgsm.exe
25/04/2022  16:21           166.088 gpgtar.exe
25/04/2022  16:21           574.664 gpgv.exe
25/04/2022  16:17           270.336 keyboxd.exe
25/04/2022  16:21            91.216 libassuan-0.dll
25/04/2022  16:21         1.230.072 libgcrypt-20.dll
25/04/2022  16:21           194.528 libgpg-error-0.dll
25/04/2022  16:21           344.224 libgpgme-11.dll
25/04/2022  16:21           253.632 libksba-8.dll
25/04/2022  16:21            37.800 libnpth-0.dll
25/04/2022  16:21         1.101.400 libsqlite3-0.dll
25/04/2022  16:21            81.096 pinentry-basic.exe
25/04/2022  16:21           564.424 scdaemon.exe
25/04/2022  16:21           114.376 zlib1.dll
              25 archivos      8.966.408 bytes
               2 dirs  192.866.111.488 bytes libres

C:\Program Files (x86)\GnuPG\bin>gpg.exe --keyserver hkp://keys.openpgp.org --recv-keys 71A3B16735405025D447E8F274810B012346C9A6
gpg: recepción del servidor de claves fallida: Certificado caducado

C:\Program Files (x86)\GnuPG\bin>gpg.exe --keyserver hkp://keys.openpgp.org --recv-keys 9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C
gpg: recepción del servidor de claves fallida: Certificado caducado

C:\Program Files (x86)\GnuPG\bin>gpg.exe --keyserver hkp://keys.openpgp.org --recv-keys E944AE667CF960B1004BC32FCA662BE18B877A60
gpg: recepción del servidor de claves fallida: Certificado caducado

Thanks, anyway.

You should use "hkp://" not "hkps://" like in my example, otherwise it'll not work in Kleopatra.
Also, setting it in Kleoparta isn't necessary if you'll use the command line, but go on if you're going to use Kleopatra's "Lookup on Server..." menu.

That's not true. At least one key, mine, is. I'm pretty sure the rest do too.

"nc50lc": I have tried hkps://keyserver.ubuntu.com that is the default server in Kleopatra and still, it does not import keys.
"NotATether": none of the keys in https://github.com/bitcoin/bitcoin/blob/master/contrib/builder-keys/keys.txt contain a verified email. So I guess I'm stuck and there is no way to verify Bitcoin Core 23.0 version.

It may be due to the bug mentioned here: https://keys.openpgp.org/about/faq#older-gnupg - it's not really a bug, but it's refusing to import keys that are unverified, because the patch that would've allowed it to do so was labelled as WONTFIX.

Try to use a different keyserver; for some reason, "keys.openpgp.org" doesn't seem to work at my end as well.
You can use "hkp://keyserver.ubuntu.com", but any other reputable keyserver will do.

Thanks for the information. I have entered the web https://bitcoincore.org/en/download/ to follow the instructions on how to verify download files. I'm having problems when importing the keys from the list https://github.com/bitcoin/bitcoin/blob/master/contrib/builder-keys/keys.txt. I'm following the instructions and by using this example:

"For example, given the builders-key/keys.txt line E777299FC265DD04793070EB944D35F9AC3DB76A Michael Ford (fanquake)you could load that key using this command:

C:\Program Files\Gnu\GnuPg\gpg.exe --keyserver hkps://keys.openpgp.org --recv-keys E777299FC265DD04793070EB944D35F9AC3DB76A

The output of the command above should say that one key was imported, updated, has new signatures, or remained unchanged."

In my case, gpg.exe file is in this path C:\Program Files (x86)\GnuPG\bin>. So if I try to import this key 71A3B16735405025D447E8F274810B012346C9A6 Wladimir J. van der Laan (laanwj), I'm using this command:

C:\Program Files (x86)\GnuPG\bin>gpg.exe --keyserver hkps://keys.openpgp.org --recv-keys 71A3B16735405025D447E8F274810B012346C9A6

The output says "gpg: recepción del servidor de claves fallida: El servidor ha indicado un fallo" (my OS is in Spanish so the translation would be "key server reception failed: server indicated an error").

If I try the command gpg --refresh-keys this is the output:

C:\Program Files (x86)\GnuPG\bin>gpg --refresh-keys
gpg: renovando 4 claves desde hkps://keyserver.ubuntu.com (translation: renewing 4 keys from hkps://keyserver.ubuntu.com)
gpg: renovación al servidor de claves fallida: El servidor ha indicado un fallo (translation: key server reception failed: server indicated an error)

Any idea on how to import the keys. I have looked up how to do it from Kleopatra and I haven't found a way yet.

Bitcoin.org is no longer the official website for Bitcoin Core. You should download releases from bitcoincore.org, and use the verification instructions there. Bitcoin.org also does not have the most recent releases. Lastly, Bitcoin Core is changing how releases are signed and the current 23.0 release and all future releases will no longer by signed by the release key. Rather they will be signed by a large number of Bitcoin Core developers and you can verify the signature(s) with whichever developers' keys you wish.

Your software should be able to retrieve and update keys from a keyserver. The keyserver that Bitcoin Core primarily uses is keys.openpgp.org. You can also download the key directly from https://bitcoincore.org/keys/laanwj-releases.asc

I’m trying to find updated Wladimir J. van der Laan’s releases key and  Wladimir J. van der Laan’s regular key from the website https://bitcoin.org/en/full-node#windows-10. When I import it into KLEOPATRA (Gpg4win-4.0.2), they show up as “expired”. Can anyone tell me where to find updated Wladimir J. van der Laan’s keys? I’m running Windows 10 OS.