Gpg python installer

Ned Deily nad at
Thu Apr 2 09:13:22 CEST 2015

In article 
<CAK9B2qgbiGkUAH3w2YMRuogOCQDq132QBXRbQWcP5o1jAxtNyA at>,
 leonardo davinci <leodavinci111 at> wrote:
> I am using Kleopatra(gpg for win) to verify the 3.4.3 python installer,
> Windows x86 MSI
> ><https:// <>
> <>
> /ftp/python/3.4.3/
> <>python-3.4.3.msi
> <>>. This file does
> not have a email in the digital signature and I am having trouble verifying
> the validity of the download.

Unfortunately, verifying the PGP signature of release files isn't the 
most user-friendly process, especially on Windows.  The release files 
from are typically PGP-signed in armored detached signature 
files, in other words, for each release file (like python-3.4.3.msi) 
there is a separate signature file with an appended .asc extension 
(python-3.4.3.msi.asc).  If you go to the downloads page 
( and click on the release in 
question, it should take you to the page for the release 
(  Near the bottom 
of the page, there is a list of downloadable files and to the right of 
each one there is a "GPG" column with a "SIG" link for each file.  
Clicking on the SIG link should download the corresponding signature 
file (python-3.4.3.msi.asc).  I'm not familiar with Kleopatra's 
interface but normally you'd want to download both the installer file 
and its asc file to the same directory/folder and then tell the GPG 
program to verify the asc file.  The PGP/GPG program will also need to 
have access to the public keys of the creators / signers of the 
downloadable files.  You will find them listed near the bottom of the 
Downloads page (

Independently thereof, the Windows installer files are also 
signed with a public-key code signing certificate that should be 
automatically verified by the Windows installer program.  (Likewise, for 
the Mac OS X installer files.)

Hope this helps!

 Ned Deily,
 nad at

More information about the Python-list mailing list