Installation instructions

Checking the software you received

GnuPG VS-Desktop is usually distributed via a download link. Before installing the software, its integrity and authenticity should be checked. This is the only way to prevent that software manipulated by third parties is installed.

3 different procedures are used for this purpose:

  • The Windows Installer (MSI package) has an Authenticode signature of g10 Code GmbH. Windows checks this signature during installation and, in the event of an error, will not allow installation without further security checks.
  • Together with the download link you will also receive a SHA-256 checksum (64 hexadecimal characters) via the Installer (Windows) or the AppImage (Linux). If you consider the mail to be authentic you can use this checksum. You can also use the qualified signature of the respective checksum document and compare it against the checksums there.
  • Every piece of software we deliver comes with an OpenPGP signature, which is created by us via a secured process. You need OpenPGP software to check; this can be an older version of GnuPG VS-Desktop the community version Gpg4win or on Linux systems the existing gpg program.

In the following, we describe how you can carry out the verification in detail.

Verification by means of the OpenPGP signature

If you have already installed GnuPG VS-Desktop, you can and should use it for the verification. For this purpose, please download the current public keys of the GnuPG VS-Desktop project. The address is:

https://gnupg.org/signature_key.asc

After you have saved this file, import it using Kleopatra (File->Import).

You should now authenticate the keys. The procedure is described e.g. in the handout „Sign and encrypt with GnuPG VS-Desktop“. You'll find the fingerprints at https://gnupg.org/signature_key.html. Furthermore, the fingerprints are published with all release announcements (https://lists.gnupg.org/pipermail/gnupg-announce/) and are also available in a document with qualified electronic signature: https://gnupg.org/signature-key.pdf

Usually it is sufficient to certify the „GnuPG.com“ key, as this is normally used for the signature. However, for operational reasons, one of the other keys may have been may have been used. They all have the same validity. After authentication, it should look like this:

Some of these keys are marked as VS-NfD compliant. But the non-compliant keys are just as usable for this use case; the important thing is that they are marked as certified.

A check result using an already installed version of GnuPG VS-Desktop or Gpg4win should look like this:

After the verification you can install or update GnuPG VS-Desktop.

Verification by means of the SHA-256 checksum

When installing for the first time, if you have no possibility to check the OpenPGP signature, you can also compare the checksum supplied.

On Windows, please open the command prompt, switch to the folder that contains the MSI installer and call the program certutil, as in this example:

C:\Users\gpg\Downloads>certutil -hashfile GnuPG-VS-Desktop-3.1.20.7-Standard.msi sha256
SHA256-Hash von GnuPG-VS-Desktop-3.1.20.7-Standard.msi:
d3a032d85e289aff0d8e945a9eb18823538607f47cd5c6dd2b6c44829d2587f0
CertUtil: -hashfile-Command was executed successfully.

You can also perform this test on Linux. Here the utility sha256sum is used:

gpg@wichmann:~/Downloads$ sha256sum GnuPG-VS-Desktop-3.1.20.7-Standard.msi
d3a032d85e289aff0d8e945a9eb18823538607f47cd5c6dd2b6c44829d2587f0  GnuPG-VS-Desktop-3.1.20.7-Standard.msi

Then compare the 64 hexadecimal characters with the checksum, which you received by e-mail or from the checksum file (see above). If this does not match, please check that you have used the correct download link.
If the checksums do not match, do not install the software and inform us about the problem.

Installation on Windows

To install on Windows, simply call up the MSI file. You need administrator rights for this. Please only perform installation with administrator rights but do not start the software with administrator rights.

If you do not want the Outlook-Addin GpgOL as part of your installation, you should carry out the installation from the command prompt in administrator mode. For example, using this command line:

msiexec /quiet /i GnuPG-VS-Desktop-3.1.x.n-Standard.msi INST_GPGOL=false ALLUSERS=1

The parameter INST_GPGOL=false prevents the installation of GpGOL. Other possible options are:

INST_GPGOL=inactive

GpgOL is installed but must be activated manually through the Outlook options. With the corresponding registry key to enable it:

(HKCU/HKLM)\Software\Microsoft\Office\Outlook\Addins\GNU.GpgOL LoadBehavior (REG_DWORD) 3
(For 32 Bit Outlook add WOW6432Node)
INST_GPGEX=false

No entries for GnuPG VS-Desktop are added to the Explorer context menu

INST_BROWSER=true

The extension to support web browsers is installed. Please note that this extension may not be permitted for VS-NfD data.

HOMEDIR=h:\gnupg

The per-user data is not saved under %APPDATA% but in the specified subdirectory of the drive h:.
Take note: This directory must exist prior to the start of the application.

To use environment variables in this path, please start the command with the /v switch. Example:

cmd /v /c msiexec /quiet /i GnuPG-VS-Desktop-3.1.x.n-Standard.msi HOMEDIR="%USERPROFILE%\gnupg"

In a batch file, use %% instead of the simple % character accordingly.

AUTOSTART=true

Starts Kleopatra automatically when logging in, it appears as an icon in the system tray. This greatly speeds up the first call for encrypting and signing files in particular.

INST_DESKTOP=true

Installs a startup shortcut for Kleopatra on the Desktop.

DEFAULT_ALL_SMIME=true

Make Kleopatra the default program for S/MIME file extensions used by Windows.
(.p10, .p12, .pfx, p7c, .cer, .der, .crt) [since 3.1.24.0]

Installation on Linux

Use the link provided to download the AppImage. Copy it to one of the bin directories which are located int the PATH. Run chmod +x gnupg-vs-desktop-3.1.m.n-x86_64.AppImage and call the binary once as "root" with the option -c to install the configuration files.

On Linux /etc/gnupg-vsd is used as global and ~/.gnupg-vsd as local directory. In this way, there are no conflicts with the GnuPG version already present in the system.