Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Wireshark 3.2.2 Windows Installer 64-bit - Invalid Signature

From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Thu, 5 Mar 2020 12:33:20 -0800
On 3/4/20 1:21 PM, Jbugreport@xxxxxxxxxxx wrote:
> Hello,
> 
> Problem: When I attempt to verify the signature of the Wireshark 3.2.2 Windows installer (64-bit), I receive a message that the signature is invalid. I expected a good signature. Is this a known issue?
> 
> Windows 10 Pro Version 1903 Build 18362.657 64 bit
> Gpg4win 3.1.11
> Attempting to install Wireshark 3.2.2 (Windows 64-bit)
> 
> Details and Steps to Reproduce:
> 1) Went to https://www.wireshark.org/download.html and downloaded the Windows Installer (64-bit) for Wireshark version 3.2.2; saved the .exe to my desktop with the name Wireshark-win64-3.2.2
> 2) Went to https://www.wireshark.org/download/gerald_at_wireshark_dot_org.gpg , selected all of the text, copied it, pasted it into a notepad file, and saved it as an .asc file to my desktop with the name Wireshark-Code-Signing-Key
> 3) Successfully imported the key from step 2 into Kleopatra by using File>Import

> 4) Went to https://www.wireshark.org/download/SIGNATURES-3.2.2.txt , selected all of the text beginning with and including “-----BEGIN PGP SIGNATURE-----“ and ending with and including “-----END PGP SIGNATURE-----“, copied it, pasted it into a notepad file, and saved it as an .asc file to my desktop with the name Wireshark-win64-3.2.2.exe

This signature is for the text that immediately precedes it, not for any of the distribution files. That is, SIGNATURES-3.2.2.txt is a self-contained PGP/GPG clearsigned text document as described at https://tools.ietf.org/html/rfc4880#section-7. I've never used Kleopatra, but it looks like you can verify SIGNATURES-3.2.2.txt by opening it via "File → Decrypt/Verify Files...". From there you can compare the Wireshark-win64-3.2.2.exe hash values with the file you downloaded. You can also check to make sure various packaging systems are using official installers, e.g.

https://github.com/Homebrew/homebrew-cask/blob/master/Casks/wireshark.rb
https://chocolatey.org/packages/wireshark#files


However, there's an easier way to verify Wireshark on Windows. Right-click on the installer, select "Properties", and make sure it's signed by "Wireshark Foundation, Inc.". You can also do this on the command line using `signtool verify` if it's available.