GnuPG Verification/Decryption of installation file fails in Kleopatra (Gpg4Win)

I downloaded the installation file “Cryptomator-1.6.5-x64.msi” and its PGP signature file “Cryptomator_1.6.5-x64.msi.asc” and tried to verify/decrypt the PGP signature in Gpg4Win’s Kleopatra (latest version installed using Gpg4win, 3.1.16), but the verification/decryption fails with the error messages

“Cryptomator-1.6.5-x64.msi ----> Cryptomator-1.6.5x64.msi.out: Decryption failed: No data.”

(The error message shows the .out file struck out with a horizontal line through the middle of the file name)

and

“Input error: Unknown error”

I believe I already had the latest Cryptomator public key imported into Kleopatra (along with an expired key) when I first tried to verify/decrypt the version 1.6.5 installation .msi file. When I created a new public key file on my computer by copying and pasting the public key text (shown on the download page) into a text file and naming it as “Cryptomator-1.6.5-x64.msi.asc”, and I tried to import it as the Cryptomator public certificate into Kleopatra, Kleopatra didn’t seem to import it (presumably because Kleopatra already had the public key installed).

When Kleopatra failed to verify/decrypt the .msi installation file using the new public certificate that I created from the signature text shown on the download page, I changed the signature file extension name from “.asc” to “.sig”, but this didn’t work either.

I checked the fingerprint of the Cryptomator public key certificate in Kleopatra (using Properties of the Cryptomator public certificate) and the fingerprint matches the fingerprint shown on the download page for the public key/certificate.

I checked the SHA-256 hash of the Cryptomator-1.6.5-x64.msi installation file using Karenware’s Hasher tool and the SHA-256 code generated by Hasher matches the SHA-256 hash code shown on the Cryptomator download page for the Cryptomator-1.6.5-x64.msi installation file.

It would appear that I have the correct public key/certificate for Cryptomator installed in Kleopatra and the Cryptomator .msi installation file that I downloaded has the correct SHA-256 hash code, but I think I should be able to verify the signature of the installation file in order to have complete assurance that the file hasn’t somehow been tampered with.

I’m not all that familiar with or used to using Gpg4Win, Kleopatra and/or GnuPG, and the documentation for them doesn’t seem to address my problem, so please bear with me. As far as I can tell, I’m doing everything correctly that I have managed to do previously for other Windows app installation files and their respective PGP signature files/certificates, and I’ve never encountered the above errors before. The only thing that has ever happened in Kleopatra was when I forgot to certify the public certificate using my own personal certificate - Kleopatra would verify the installation file but it would not show the verification window as “all green” in colour unless I certified the public certificate.

  1. Has anyone got any ideas why Kleopatra is giving the above errors?

  2. Can a file have the correct SHA-256 code and still somehow be corrupt or have been tampered with?

Thanks.

Dave

What command did you use exactly? Seems like you’re attempting to decrypt, not verify the msi.

In theory, yes. But extremely unlikely unless an attacker with humongous resources tampered with it.

Edit: This reminds me, we should publish “how to check the installer signature” in our docs…

Thanks for responding. After receiving your response, I managed to solve my problem. For the details, see below.

I was using the Windows Kleopatra GUI. It has one function labeled “Decrypt/Verify” located under the “File” main menu and as a toolbar button. As far as I am aware, to verify a file, I need to click on this function and a window opens up allowing me to select the file that I want to verify. It is assumed that the folder containing the file also contains the file’s PGP signature file.

I did some more playing around and research in the latest Gpg4Win documentation (Gpg4Win Compendium version 3.16), and I spent a considerable amount of time comparing Cryptomator/Cryptobot public key signature files (as text files) using Winmerge.

It appears I had a partial, i.e. corrupted, public key file installed in Kleopatra. I played around comparing Cryptomator/Cryptobot public key files/certificates that I had previously downloaded back in November 2021, against what was supposed to be the latest Cryptobot Releases public certificate installed in Kleopatra (that I probably imported into Kleopatra back in November), and against the public key text shown on the Cryptomator download page. I did this by exporting the installed public certificate from Kleopatra as text using the Kleopatra “Export” function and saving the export as a text file and then using Winmerge to compare this exported file/certificate to the public key text from the Cryptomator download web page, and to the previously downloaded Cryptomator public key certificate/file I had created several months ago.

I noticed that the file/text that I exported from Kleopatra was significantly different from the public key text shown on the Cryptomator download page, and that the download page text matched the text of the Cryptomator public key file that I had created some months ago.

For some reason, the certificate text installed in Kleopatra (i.e. the certificate text that I had exported from Kleopatra) was truncated so that it was missing a significant amount of text at the end of the file. The weird thing is, when I checked this file/certificate’s fingerprint in Kleopatra by examining its properties, Kleopatra showed the exact same fingerprint as the one shown on Cryptomator’s download page below the Public Key text window (Huh? How can that happen?). This is what led me to believe that I had the correct Cryptomator/Cryptobot public key installed in Kleopatra.

I deleted the Cryptobot public certificate from Kleopatra and then re-created the Cryptobot public key certificate file by copying and saving the Cryptomator public key text file from the download page into a new text file and saving the file with an .asc extension.

I then imported this new certificate file into Kleopatra and certified it using my own personal private key certificate (that I had previously created) and then tried performing the “Decrypt/Verify” function again for the Cryptomator-1.6.5-x64.msi file. The same “invalid data” error as before occurred again.

I then tried doing the verification again, but this time instead of selecting the .msi installation file that I had downloaded from the Cryptomator download page, I selected the .msi installation file’s corresponding signature file, i.e. I selected “Cryptomator-1.6.5-x64.msi.asc”. This time Kleopatra succeeded in verifying things - the original “invalid data” error was gone and the verification window displayed by Kleopatra showed all green colour along with the messages

“Verified ‘Cryptomator-1.6.5-x64.msi’ with ‘Cryptomator-1.6.5-x64.msi.asc’:
Valid signature by releases@crytomator.org

Signature created on Thursday, December 16, 2021 5:47:35 AM With certificate:
Crytobot releases@crytomator.org (615D 449F E6E6 A235)
The signature is valid and the certificate’s validity is fully trusted”

So, it appears things in Kleopatra are now working with respect to being able to verify Cryptomator downloaded installation files using the latest Cryptomator/Cryptobot public key certificate/file. But it has been a frustrating and confusing experience. As I noted previously, I’m not all that knowledgeable with how to use Gpg4Win and Kleopatra. I have the latest Gpg4Win Compendium documentation (version 3.1.16) but it is still outdated in that it shows the Kleopatra GUI pages/menus of a previous version of Kleopatra. I’ve more or less had to fumble my way through learning how to use Kleopatra to verify signatures of other application installation files. I’ve encountered the odd snag but eventually got things to work for them. I previously had no problems with verifying previous releases of Cryptomator installation files and with using the old (now expired) Cryptomator public key certificate.

I think the thing that messed things up for me this time is the fact that when I checked the fingerprint of the Cryptomator/Cryptobot public key/certificate in Kleopatra, it showed that the certificate had the correct fingerprint even though the certificate was corrupted. I only became aware of the corruption by exporting the certificate from Kleopatra and examining the corresponding text visually and by using Winmerge to compare the exported data to the data of a newly created public key file. Perhaps the developers of Gpg4Win need to look into this?

Anyway, thanks again for getting back to me. Your reply sort of “jogged” my thought processes and prompted me to go back and look at the public key certificates/files within Kleopatra, on the Cryptomator download page, and already existing on my computer from before.

Cheers!

Dave
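The "correct fingerprint on a truncated certificate" puzzle in the post above has a structural explanation: an OpenPGP v4 fingerprint is SHA-1 over the primary public key packet alone (RFC 4880 section 12.2), so a key block that has lost its user IDs, self-signatures or subkeys at the end still shows the expected fingerprint. The Python below is an added example, not code from the thread or from the Cryptomator or Gpg4win projects: it de-armors a public key block, checks the armor CRC, walks the packet headers and reports what the block actually contains, so a truncated key shows up as a truncated key. The key material, user ID, timestamp and signature body are constructed placeholders, not anyone's real key.

```python
import base64, hashlib

def crc24(data):  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF
def armor(body):  # ASCII-armor a binary key block, CRC line included
    b64, crc = base64.b64encode(body).decode(), "=" + base64.b64encode(crc24(body).to_bytes(3, "big")).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + lines + [crc, "-----END PGP PUBLIC KEY BLOCK-----"])
def dearmor(text):  # -> (body, crc_ok); crc_ok is None when the checksum line itself is gone
    lines = text.splitlines()
    data = [l for l in lines[lines.index("") + 1:] if not l.startswith("-----END")]
    expected = int.from_bytes(base64.b64decode(data.pop()[1:]), "big") if data and data[-1][:1] == "=" else None
    b64 = "".join(data)
    body = base64.b64decode(b64[:len(b64) - len(b64) % 4])  # a cut-off text leaves a partial base64 quantum
    return body, None if expected is None else crc24(body) == expected
def packets(body):  # -> ([(tag, packet_body), ...], truncated) using RFC 4880 section 4.2 headers
    out, i = [], 0
    while i < len(body):
        h = body[i:i + 6].ljust(6, b"\0")    # zero-pad so a cut-off header still reads safely
        if h[0] & 0x40:                      # new-format header (partial body lengths not handled)
            tag, f = h[0] & 0x3F, h[1]
            length, hdr = ((f, 2) if f < 192 else (((f - 192) << 8) + h[2] + 192, 3) if f < 224
                           else (int.from_bytes(h[2:6], "big"), 6))
        else:                                # old-format header: 1, 2 or 4 length octets
            tag, n = (h[0] >> 2) & 0x0F, 1 << (h[0] & 3)
            length, hdr = int.from_bytes(h[1:1 + n], "big"), 1 + n
        if i + hdr + length > len(body):     # header or body runs past the end of the data
            return out, True
        out.append((tag, body[i + hdr:i + hdr + length]))
        i += hdr + length
    return out, False
def fingerprint_v4(key_body):  # RFC 4880 12.2: SHA-1 over 0x99, 2-octet length and the PRIMARY key packet body only
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()
def inspect(armored):  # the fingerprint a key manager displays, next to what the block really contains
    body, crc_ok = dearmor(armored)
    pk, truncated = packets(body)
    return {"fingerprint": fingerprint_v4(next(b for t, b in pk if t == 6)),
            "tags": [t for t, _ in pk], "truncated": truncated, "crc_ok": crc_ok}

# Constructed sample (not anyone's real key): v4 RSA primary key, user ID, placeholder self-signature
# body and subkey, all with new-format one-octet-length headers and made-up key material.
def mpi(n): return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
def pkt(tag, body): return bytes([0xC0 | tag, len(body)]) + body
def key_body(n): return b"\x04" + (1639630055).to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(65537)
SAMPLE_KEY = armor(pkt(6, key_body(0xC0FFEE << 232 | 1)) + pkt(13, b"Constructed Test Key <releases@example.invalid>")
                   + pkt(2, b"\x04\x13\x01\x08" + bytes(16)) + pkt(14, key_body(0xDEC0DE << 232 | 1)))
```

`inspect(SAMPLE_KEY)` reports four packets (tags 6, 13, 2, 14) and a valid CRC, while `inspect(SAMPLE_KEY[:150])`, the same block cut off mid-text, reports only the primary key packet, no checksum line, and the identical fingerprint. Comparing the exported text against the publisher's copy, as Dave did with Winmerge, or counting packets as here, catches what the fingerprint alone cannot.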