SOVLED: Checking .asc files with GUI

[bastik]

Problem: Checking .asc files under windows is painful.

There's certainly a need for it.

Background: Some developers sign theier software with PGP or GPG.
GPG is a command line tool and there fore requires some typing.

Normal work flow:
- Download software and signature file. (Lets asume to C:\Download)
- Open CMD
- type "C:\Program Files\Gnu\GnuPg\gpg.exe --verify C:\Download\Installer.exe.asc C:\Download\Installer.exe (note it's C:\Program Files (x86) for 64bit systems)

Technical background:
- gpg.exe require the public key of the signer
- gpg.exe checks the checksum of installer.exe and the signature, both have to be vaild
- gpg.exe returns:

gpg: Signature made TTT MMM YYYY hh:mm:ss AM/PM EDT using RSA key ID [ID]
gpg: Good signature from "[Name] <[email]>"
gpg:                 aka "[Name] <[email]>" {if any, can be more than one}
gpg: WARNING: This key is not certified with a trusted signature! {whenever it's a known key, but no trust level is set}
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: HXHX HXKX HXHX HXHX HXHX  HXHX HXHX HXHX HXHX HXHX {hex fingerprint}
when everything is OK.

A tool should make this easier.

The tool should allow selection of an .asc file (one at a time seems to be OK) and the corresponding  signed download (can be anything, and maybe is not named) and pass those information to gpg.exe and return the results to the user. It's a GUI for gpg.exe, I think. Well not a fully GUI, just for the verification function. The tool just passes everything to gpg.exe and does not do any cryptographically related work.

Requirements:
- Allow path selection for singature file (.asc)
- Allow path selection for signed file
- Return the results

Optional:
- Allow selection of the path where gpg.exe is installed
- Interpret the results and give user-friendly feedback*
- portable
- or a shell extension (right click menu)
- Whenever the tools parses/interprets the results it would be cool when it could remember the ID and the fingerprint and warn when both don't match on the next check.

* E.g.
"[Signed file] was signed at TT MM YYYY hh:mm:ss AM/PM with key [ID] by [Name] [email]! The signature is vaild! Key Fingerprint: [HXHX .....]. Details"
Where details is a button or link, that shows the full results.

"The key [ID] is not know." or "The key [ID] is not in your keyring. Please add it to your keyring." Whenever the public key of the signer is not know to gpg.exe

[MilesAhead]

I don't use GPG so I can't tell how useful this utility is or isn't:

http://www.softpedia...elated/GPGView.shtml

[bastik]

@MilesAhead

GPGView is for opening encrypted .enc files. Apparently files containing text.

Your suggestion and my "idea" to call it GUI made me look into available GUIs. All sign, encrypt, decrypt and verify text messages.

Now the funniest thing. It's installed an my system. There's a bundle called GnuPT, which contains WinPT (Windows Privacy Tray), which I always look at as key management tool and remained unused as I used a different key-manager. Now it's the case that WinPT does what I looked for.

All the years of searching a tool with a graphical interface for checking signatures of files (with separate signature file), all the questions I ask if there isn't an easier way to do that. it's there. It's right there.

D*mn the internet for not helping me... and thanks to the internet for providing this forum. And the cool thing about this is that Google already indexed this thread. I searched and haven't found it. Now it's easier. (this thread is on top of the results)

I'm terribly sorry.  I might not have the right to move this thread to some place where it makes more sense, since this doesn't belong here.

Edit: This is a good example where even things/replies that don't help in the first place are still helpful. Whenever one comes up with something, please point to things that already work or just what's your point.

I feel like: "I got a need for something round that's rolling. It could be used to move heavy load. We shall call it wheel. Can anyone invent that?"

[MilesAhead]

Similar things have happened to me. I often point people in the right direction instead of hitting the solution dead on. I've been doing searches a long time. I guess hitting the oblique is second nature to me now. Nice that someone uses the result without chastising me for not getting it exact. I can't count how many times that has happened. "You should have pointed me here:" then they paste about 20 screens of copyrighted material into the forum. Heh heh

Glad you got it, whatever it is exactly.

[skwire]

I'm terribly sorry.  I might not have the right to move this thread to some place where it makes more sense, since this doesn't belong here.

-bastik (February 28, 2012, 01:57 PM)

No need to apologise, bastik, as that's what these forums are for.  Welcome to the site as well.  I'll mark this thread as solved and move it for you.