Bug 507556

Summary: Signature verification cannot find any valid PGP data, but command gpg.exe can
Product: [Applications] kleopatra Reporter: Douglas Silva <doug.hs>
Component: generalAssignee: Ingo Klöcker <kloecker>
Status: REPORTED ---    
Severity: normal CC: aheinecke, mutz, pim-bugs-null
Priority: NOR    
Version First Reported In: gpg4win 4.4.1   
Target Milestone: ---   
Platform: Other   
OS: Microsoft Windows   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: Screenshot of Kleopatra verifying the Syncthing signature
Screenshot of Kleopatra verifying the gpg4win signature

Description Douglas Silva 2025-07-27 20:54:33 UTC 
Created attachment 183571 [details]
Screenshot of Kleopatra verifying the Syncthing signature

SUMMARY
Kleopatra fails to locate any valid PGP data in the signature file, while the command-line gpg.exe can.

STEPS TO REPRODUCE
1. Download the Syncthing signed checksum file¹ and the Windows zip file ².
2. With both downloaded files in the same folder, double-click the signature file to open with Kleopatra.

1. https://github.com/syncthing/syncthing/releases/download/v1.30.0/sha256sum.txt.asc
2. https://github.com/syncthing/syncthing/releases/download/v1.30.0/syncthing-windows-amd64-v1.30.0.zip

OBSERVED RESULT
```
sha256sum.txt.asc -> sha256sum.txt: Verification failed: No data.
gpg: nenhum dado OpenPGP válido encontrado.
```
Translated: "no valid OpenPGP data found"

EXPECTED RESULT
Open up a powershell terminal and `cd` to the Downloads folder.
Run `gpg.exe --verify .\sha256sum.txt.asc`

Full output:
```
> gpg.exe --verify .\sha256sum.txt.asc
gpg: nenhum dado OpenPGP válido encontrado.
gpg: Assinatura feita em 07/01/25 08:26:47 E. South America Standard Time
gpg:        usando a chave RSA de FBA2E162F2F44657B38F0309E5665F9BD5970C47
gpg: Assinatura válida de "Syncthing Release Management <release@syncthing.net>" [desconhecido]
gpg: AVISO: Esta chave não está certificada com uma assinatura confiável!
gpg:          Não há indicação que a assinatura pertença ao dono.
Impressão digital da chave principal: FBA2 E162 F2F4 4657 B38F  0309 E566 5F9B D597 0C47
gpg: Assinatura feita em 07/01/25 08:26:47 E. South America Standard Time
gpg:        usando a chave RSA de 37C84554E7E0A261E4F76E1ED26E6ED000654A3E
gpg: Assinatura válida de "Syncthing Release Management <release@syncthing.net>" [desconhecido]
gpg: AVISO: Esta chave não está certificada com uma assinatura confiável!
gpg:          Não há indicação que a assinatura pertença ao dono.
Impressão digital da chave principal: 37C8 4554 E7E0 A261 E4F7  6E1E D26E 6ED0 0065 4A3E
```

Translation: "gpg: Valid signature from Syncthing Release Management..."

SOFTWARE/OS VERSIONS
Edition	Windows 11 Pro
Version	24H2
Installed on	‎05/‎05/‎2025
OS build	26100.4652
Experience	Windows Feature Experience Pack 1000.26100.128.0


ADDITIONAL INFORMATION
Comment 1 Douglas Silva 2025-07-27 20:59:48 UTC 
Created attachment 183572 [details]
Screenshot of Kleopatra verifying the gpg4win signature

On the other hand, the "gpg4win-4.4.1.exe.sig" file verifies successfully (see screenshot). The only difference I see is that this one is in binary form, not in ASCII.