507556 – Signature verification cannot find any valid PGP data, but command gpg.exe can

Bug 507556 - Signature verification cannot find any valid PGP data, but command gpg.exe can

Summary: Signature verification cannot find any valid PGP data, but command gpg.exe can

Status:	REPORTED

Alias:	None

Product:	kleopatra
Classification:	Applications
Component:	general (other bugs)
Version First Reported In:	gpg4win 4.4.1
Platform:	Other Microsoft Windows

Importance:	NOR normal
Target Milestone:	---
Assignee:	Ingo Klöcker

URL:
Keywords:

Depends on:
Blocks:

Reported:	2025-07-27 20:54 UTC by Douglas Silva
Modified:	2025-07-27 21:00 UTC (History)
CC List:	3 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
Screenshot of Kleopatra verifying the Syncthing signature (113.62 KB, image/png) 2025-07-27 20:54 UTC, Douglas Silva	Details
Screenshot of Kleopatra verifying the gpg4win signature (76.54 KB, image/png) 2025-07-27 20:59 UTC, Douglas Silva	Details
View All Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Douglas Silva 2025-07-27 20:54:33 UTC

Created attachment 183571 [details]
Screenshot of Kleopatra verifying the Syncthing signature

SUMMARY
Kleopatra fails to locate any valid PGP data in the signature file, while the command-line gpg.exe can.

STEPS TO REPRODUCE
1. Download the Syncthing signed checksum file¹ and the Windows zip file ².
2. With both downloaded files in the same folder, double-click the signature file to open with Kleopatra.

1. https://github.com/syncthing/syncthing/releases/download/v1.30.0/sha256sum.txt.asc
2. https://github.com/syncthing/syncthing/releases/download/v1.30.0/syncthing-windows-amd64-v1.30.0.zip

OBSERVED RESULT
```
sha256sum.txt.asc -> sha256sum.txt: Verification failed: No data.
gpg: nenhum dado OpenPGP válido encontrado.
```
Translated: "no valid OpenPGP data found"

EXPECTED RESULT
Open up a powershell terminal and `cd` to the Downloads folder.
Run `gpg.exe --verify .\sha256sum.txt.asc`

Full output:
```
> gpg.exe --verify .\sha256sum.txt.asc
gpg: nenhum dado OpenPGP válido encontrado.
gpg: Assinatura feita em 07/01/25 08:26:47 E. South America Standard Time
gpg:        usando a chave RSA de FBA2E162F2F44657B38F0309E5665F9BD5970C47
gpg: Assinatura válida de "Syncthing Release Management <release@syncthing.net>" [desconhecido]
gpg: AVISO: Esta chave não está certificada com uma assinatura confiável!
gpg:          Não há indicação que a assinatura pertença ao dono.
Impressão digital da chave principal: FBA2 E162 F2F4 4657 B38F  0309 E566 5F9B D597 0C47
gpg: Assinatura feita em 07/01/25 08:26:47 E. South America Standard Time
gpg:        usando a chave RSA de 37C84554E7E0A261E4F76E1ED26E6ED000654A3E
gpg: Assinatura válida de "Syncthing Release Management <release@syncthing.net>" [desconhecido]
gpg: AVISO: Esta chave não está certificada com uma assinatura confiável!
gpg:          Não há indicação que a assinatura pertença ao dono.
Impressão digital da chave principal: 37C8 4554 E7E0 A261 E4F7  6E1E D26E 6ED0 0065 4A3E
```

Translation: "gpg: Valid signature from Syncthing Release Management..."

SOFTWARE/OS VERSIONS
Edition	Windows 11 Pro
Version	24H2
Installed on	‎05/‎05/‎2025
OS build	26100.4652
Experience	Windows Feature Experience Pack 1000.26100.128.0


ADDITIONAL INFORMATION

Comment 1 Douglas Silva 2025-07-27 20:59:48 UTC

Created attachment 183572 [details]
Screenshot of Kleopatra verifying the gpg4win signature

On the other hand, the "gpg4win-4.4.1.exe.sig" file verifies successfully (see screenshot). The only difference I see is that this one is in binary form, not in ASCII.