Re: Wireshark 3.2.2 Windows Installer 64-bit - Invalid Signature

[Graham Bloice <graham.bloice () trihedral com>]

On Thu, 5 Mar 2020 at 15:34, Gerald Combs <gerald () wireshark org> wrote:

> On 3/4/20 1:21 PM, Jbugreport () outlook com wrote:
> > Hello,
> >
> > Problem: When I attempt to verify the signature of the Wireshark 3.2.2
> Windows installer (64-bit), I receive a message that the signature is
> invalid. I expected a good signature. Is this a known issue?
> > Windows 10 Pro Version 1903 Build 18362.657 64 bit
> > Gpg4win 3.1.11
> > Attempting to install Wireshark 3.2.2 (Windows 64-bit)
> >
> > Details and Steps to Reproduce:
> > 1) Went to https://www.wireshark.org/download.html and downloaded the
> Windows Installer (64-bit) for Wireshark version 3.2.2; saved the .exe to
> my desktop with the name Wireshark-win64-3.2.2
> > 2) Went to
> https://www.wireshark.org/download/gerald_at_wireshark_dot_org.gpg ,
> selected all of the text, copied it, pasted it into a notepad file, and
> saved it as an .asc file to my desktop with the name
> Wireshark-Code-Signing-Key
> > 3) Successfully imported the key from step 2 into Kleopatra by using
> File>Import
>
> > 4) Went to https://www.wireshark.org/download/SIGNATURES-3.2.2.txt ,
> selected all of the text beginning with and including “-----BEGIN PGP
> SIGNATURE-----“ and ending with and including “-----END PGP
> SIGNATURE-----“, copied it, pasted it into a notepad file, and saved it as
> an .asc file to my desktop with the name Wireshark-win64-3.2.2.exe
>
> This signature is for the text that immediately precedes it, not for any
> of the distribution files. That is, SIGNATURES-3.2.2.txt is a
> self-contained PGP/GPG clearsigned text document as described at
> https://tools.ietf.org/html/rfc4880#section-7. I've never used Kleopatra,
> but it looks like you can verify SIGNATURES-3.2.2.txt by opening it via
> "File → Decrypt/Verify Files...". From there you can compare the
> Wireshark-win64-3.2.2.exe hash values with the file you downloaded. You can
> also check to make sure various packaging systems are using official
> installers, e.g.
>
> https://github.com/Homebrew/homebrew-cask/blob/master/Casks/wireshark.rb
> https://chocolatey.org/packages/wireshark#files
>
>
> However, there's an easier way to verify Wireshark on Windows. Right-click
> on the installer, select "Properties", and make sure it's signed by
> "Wireshark Foundation, Inc.". You can also do this on the command line
> using `signtool verify` if it's available.
Or use the PowerShell cmdlet "Get-AuthenticodeSignature", passing the path
to the file as an argument.

-- 
Graham Bloice

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe