@harmancode
Created September 10, 2022 19:28
How to verify Notepad++ digital signature
The installer executable carries a signature that Windows checks when it runs.
In addition to that verification, I'll explain here how to verify its
detached digital signature, as an example of how to do gpg signature verification.
Disclaimer: This gist is a published note for my future self.
Use it at your own risk.
1. Go to https://github.com/notepad-plus-plus/notepad-plus-plus
and note the key fingerprint:
Key fingerprint: 14BC E436 2749 B2B5 1F8C 7122 6C42 9F1D 8D84 F46E
2. Download the public key
https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/nppGpgPub.asc
3. Display the fingerprint of the downloaded public key
$ gpg --show-keys --with-fingerprint .\nppGpgPub.asc
pub rsa4096 2019-03-11 [SC] [expires: 2024-03-11]
14BC E436 2749 B2B5 1F8C 7122 6C42 9F1D 8D84 F46E
uid Notepad++ <[email protected]>
sub rsa4096 2019-03-11 [E] [expired: 2021-03-11]
4. Compare the displayed fingerprint with the fingerprint noted in step 1
above and verify that they are identical.
5. Import the public key
$ gpg --import .\nppGpgPub.asc
6. Go to releases page:
https://github.com/notepad-plus-plus/notepad-plus-plus/releases/tag/v8.4.5
7. Download the executable and its signature
8. Verify the signature with the imported public key:
$ gpg --verify .\npp.8.4.5.Installer.x64.exe.sig .\npp.8.4.5.Installer.x64.exe
gpg: Signature made 9/6/2022 10:22:29 PM Central Daylight Time
gpg: using RSA key 14BCE4362749B2B51F8C71226C429F1D8D84F46E
gpg: Good signature from "Notepad++ <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 14BC E436 2749 B2B5 1F8C 7122 6C42 9F1D 8D84 F46E
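9. The "Good signature" output indicates that the signature was made over
this file by the key whose fingerprint is shown. The WARNING only means that
the key has not been certified in the local keyring; the fingerprint
comparison in step 4 is what ties the key to the project.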
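The manual comparison in steps 4 and 8 can be scripted. The following is an added example, not part of the original note or the Notepad++ project: it reads gpg's machine-readable status lines (--status-fd) and accepts a file only when a good signature was made by the key whose fingerprint was noted in step 1. The function names and the sample status lines (including the placeholder e-mail address) are constructed for illustration.

```python
import subprocess

# Fingerprint published in the Notepad++ repository (step 1 of this note).
PINNED_FPR = "14BC E436 2749 B2B5 1F8C 7122 6C42 9F1D 8D84 F46E"
# Status keywords after which the signature must not be relied on.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
# Constructed sample of `gpg --status-fd 1 --verify` output (not from a real run).
SAMPLE = (
    "[GNUPG:] GOODSIG 6C429F1D8D84F46E Notepad++ <user@example.invalid>\n"
    "[GNUPG:] VALIDSIG 14BCE4362749B2B51F8C71226C429F1D8D84F46E 2022-09-06 "
    "1662520949 0 4 0 1 10 00 14BCE4362749B2B51F8C71226C429F1D8D84F46E\n"
)


def normalize(fpr):
    """Drop spaces and upper-case so both fingerprint notations compare equal."""
    return "".join(fpr.split()).upper()


def signed_by_pinned_key(status_text, pinned_fpr=PINNED_FPR):
    """True only if the status lines show a good signature whose primary
    key fingerprint is the pinned one, with no rejecting status present."""
    good, primaries = False, set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in REJECT:
            return False
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # Field 10 is the primary key fingerprint; field 1 is the signing key.
            primaries.add(normalize(args[9] if len(args) >= 10 else args[0]))
    return good and primaries == {normalize(pinned_fpr)}


def verify_file(sig_path, file_path, pinned_fpr=PINNED_FPR):
    """Run gpg on a detached signature and apply the pinned-fingerprint check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return proc.returncode == 0 and signed_by_pinned_key(proc.stdout, pinned_fpr)


if __name__ == "__main__":
    print(signed_by_pinned_key(SAMPLE))
```

Checking the VALIDSIG fingerprint matters in scripts because a plain "Good signature" is reported for any key present in the keyring, not only the one pinned in step 1.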