Installation instructions
Checking the software you received
GnuPG VS-Desktop is usually distributed via a download link. Before installing the software, its integrity and authenticity should be checked. This is the only way to prevent that software manipulated by third parties is installed.
3 different procedures are used for this purpose:
- The Windows Installer (MSI package) has an Authenticode signature of g10 Code GmbH. Windows checks this signature during installation and, in the event of an error, will not allow installation without further security checks.
- Together with the download link you will also receive a SHA-256 checksum (64 hexadecimal characters) via the Installer (Windows) or the AppImage (Linux). If you consider the mail to be authentic you can use this checksum. You can also use the qualified signature of the respective checksum document (3.1.26, 3.2.0, 3.2.1, 3.2.2) and compare it against the checksums there.
- Every piece of software we deliver comes with an OpenPGP signature, which is created by us via a secured process. You need OpenPGP software to check; this can be an older version of GnuPG VS-Desktop the community version Gpg4win or on Linux systems the existing gpg program.
In the following, we describe how you can carry out the verification in detail.
Verification by means of the OpenPGP signature
If you have already installed GnuPG VS-Desktop, you can and should use it for the verification. For this purpose, please download the current public keys of the GnuPG VS-Desktop project. The address is:
https://gnupg.org/signature_key.asc
After you have saved this file, import it using Kleopatra (File->Import).
You should now authenticate the keys. The procedure is described e.g. in the handout „Sign and encrypt with GnuPG VS-Desktop“. You'll find the fingerprints at https://gnupg.org/signature_key.html. Furthermore, the fingerprints are published with all release announcements (https://lists.gnupg.org/pipermail/gnupg-announce/) and are also available in a document with qualified electronic signature: https://gnupg.org/signature-key.pdf
Usually it is sufficient to certify the „GnuPG.com“ key, as this is normally used for the signature. However, for operational reasons, one of the other keys may have been may have been used. They all have the same validity. After authentication, it should look like this:
Some of these keys are marked as VS-NfD compliant. But the non-compliant keys are just as usable for this use case; the important thing is that they are marked as certified.
A check result using an already installed version of GnuPG VS-Desktop or Gpg4win should look like this:
After the verification you can install or update GnuPG VS-Desktop.
Verification by means of the SHA-256 checksum
When installing for the first time, if you have no possibility to check the OpenPGP signature, you can also compare the checksum supplied.
On Windows, please open the command prompt, switch to the folder that contains the MSI installer and call the program certutil, as in this example:
C:\Users\gpg\Downloads>certutil -hashfile GnuPG-VS-Desktop-3.1.20.7-Standard.msi sha256 SHA256-Hash von GnuPG-VS-Desktop-3.1.20.7-Standard.msi: d3a032d85e289aff0d8e945a9eb18823538607f47cd5c6dd2b6c44829d2587f0 CertUtil: -hashfile-Command was executed successfully.
You can also perform this test on Linux. Here the utility sha256sum is used:
gpg@wichmann:~/Downloads$ sha256sum GnuPG-VS-Desktop-3.1.20.7-Standard.msi d3a032d85e289aff0d8e945a9eb18823538607f47cd5c6dd2b6c44829d2587f0 GnuPG-VS-Desktop-3.1.20.7-Standard.msi
Then compare the 64 hexadecimal characters with the checksum, which
you received by Mail or from the checksum file (see above). If this
does not match, please check that you have used the correct download
link.
If the checksums do not match, do not install the software and
inform us about the problem.
Installation on Windows
To install on Windows, simply call up the MSI file. You need administrator rights for this. Please only perform installation with administrator rights but do not start the software with administrator rights.
If you do not want the Outlook-Addin GpgOL as part of your installation, you should carry out the installation from the command prompt in administrator mode. For example, using this command line:
msiexec /quiet /i GnuPG-VS-Desktop-3.2.x.n-Standard.msi INST_GPGOL=false ALLUSERS=1
The parameter INST_GPGOL=false
prevents the installation of GpGOL.
Other possible options are:
INST_GPGOL=inactive
GpgOL is installed but must be activated manually through the Outlook options. With the corresponding registry key to enable it:
(HKCU/HKLM)\Software\Microsoft\Office\Outlook\Addins\GNU.GpgOL LoadBehavior (REG_DWORD) 3 (For 32 Bit Outlook add WOW6432Node)
INST_GPGEX=false
No entries for GnuPG VS-Desktop are added to the Explorer context menu
INST_BROWSER=true
The extension to support web browsers is installed. Please note that this extension may not be permitted for VS-NfD data.
INST_OKULAR=true
The GnuPG Edition of Okular is installed.
HOMEDIR=h:\gnupg
The per-user data is not saved under
%APPDATA%
but in the specified subdirectory of the driveh:
.
Take note: This directory must exist prior to the start of the application.To use environment variables in this path, please start the command with the /v switch. Example:
cmd /v /c msiexec /quiet /i GnuPG-VS-Desktop-3.2.x.n-Standard.msi HOMEDIR="%USERPROFILE%\gnupg"
In a batch file, use
%%
instead of the simple%
character accordingly.AUTOSTART=true
Starts Kleopatra automatically when logging in, it appears as an icon in the system tray. This greatly speeds up the first call for encrypting and signing files in particular.
INST_DESKTOP=true
Installs a startup shortcut for Kleopatra on the Desktop.
DEFAULT_ALL_SMIME=true
Make Kleopatra the default program for S/MIME file extensions used by Windows.
(.p10, .p12, .pfx, p7c, .cer, .der, .crt)
[since 3.1.24.0]
Installation on Linux
Use the link provided to download the AppImage. Copy it to one of the
bin
directories which are located int the PATH. Run chmod +x
gnupg-vs-desktop-3.2.m.n-x86_64.AppImage
and call the binary once as
"root" with the option -c
to install the configuration files.
On Linux /etc/gnupg-vsd
is used as global and ~/.gnupg-vsd
as
local directory. In this way, there are no conflicts with the GnuPG
version already present in the system.