I went to use GpgEX to verify from the shortcut menu after downloading the Windows .sig file, and to verify after importing the exe. It didn’t verify. Can someone please check this whenever they get a chance? I also tried decrypt and verify. I am also reporting that the checksums matched, though. I think the version, from memory, for the PC I was fooling with is 5.012 or something. Thanks.
I won’t have a chance to check it until this Friday as I am away for a bit from that machine. I suppose if someone wanted me to test it earlier I could do so on the Linux box I am on.
gpg --verify gpg4win-5.0.1.exe.sig gpg4win-5.0.1.exe
gpg: Signature made Tue 27 Jan 2026 07:14:31 AM EST
gpg: using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: Can’t check signature: No public key
gpg --keyserver hkps://keys.openpgp.org --recv-keys 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: key 528897B826403ADA: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
gpg --verify gpg4win-5.0.1.exe.sig gpg4win-5.0.1.exe
gpg: Signature made Tue 27 Jan 2026 07:14:31 AM EST
gpg: using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: Good signature from “Werner Koch (dist signing 2020)” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
So it isn’t listed on the site, but this seems to work. It, umm, is found on the Ubuntu keyserver.
Usually you can use Microsoft’s own methods to check that the installer is signed by one of the current code signing certificates listed below.
Microsoft will normally display the code signature in a User Account Control dialog when you try to execute the downloaded file; alternatively you can take a look at the file properties in Explorer.
Since 2021 the signatures are created by one of the official GnuPG release keys (aka certificates); they can be obtained from the GnuPG Homepage or downloaded from public keyservers.
keys.openpgp.org is a single, validating keyserver. A number of experts in the GnuPG community believe that a central and validating keyserver is the wrong concept. A result of its conception is that it will not distribute user IDs unless they are “validated”.
Note that just having a public key is not enough, you also must somehow get some evidence that it is from the user you believe it to be. Following an https link to the GnuPG homepage should be fine for this. Keyservers cannot really do that.
Again: Doing a GnuPG verification on the downloadable executable is not necessary at all - check the code signature, that is much easier.
Hope that answers most of your questions!
Bernhard
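Putting the two points above together (the "Good signature ... [unknown]" output from the first post, and the reply's note that holding a public key is not enough), here is an added example, not code from the thread or from Gpg4win, that verifies the download against a pinned release-key fingerprint instead of trusting whatever a keyserver returns. The fingerprint is the one printed in the thread's gpg output; the key file name gnupg-release-keys.asc and the installer names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: verify a Gpg4win installer against a
# pinned release-key fingerprint rather than trusting whatever key a keyserver
# hands back. The fingerprint is the one printed in the thread's gpg output;
# the key file name and installer names are assumptions.

EXPECTED_FPR="6DAA6E64A76D2840571B4902528897B826403ADA"

# check_status reads 'gpg --status-fd' lines on stdin and succeeds only when
# gpg reports a VALIDSIG whose primary-key fingerprint equals the pinned one.
# "Good signature" by itself only means the signature matches *some* imported
# key, which is exactly what the [unknown] / WARNING lines in the thread say.
check_status() {
    expected="$1"
    while read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                # Fields: sig-key fpr, date, timestamp, expiry, version,
                # reserved, pk-algo, hash-algo, sig-class, primary-key fpr.
                set -- $rest
                primary="${10:-$1}"   # old gpg omits field 10; fall back
                [ "$primary" = "$expected" ] && return 0
                ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                return 1
                ;;
        esac
    done
    return 1   # no VALIDSIG for the pinned key was seen
}

# verify_download imports the release keys into a throwaway keyring so the
# result does not depend on whatever else is in ~/.gnupg, then checks the
# detached signature. gnupg-release-keys.asc is assumed to have been fetched
# over HTTPS from the GnuPG homepage, as the reply recommends.
verify_download() {
    sig="$1"; file="$2"; keys="${3:-gnupg-release-keys.asc}"
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    gpg --homedir "$tmp" --batch --quiet --import "$keys" 2>/dev/null \
        || { rm -rf "$tmp"; return 1; }
    gpg --homedir "$tmp" --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | check_status "$EXPECTED_FPR"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Usage: verify_download gpg4win-5.0.1.exe.sig gpg4win-5.0.1.exe && echo OK
```

The status-line parser is kept separate from the gpg calls so it can be exercised with captured output; a signature made by a subkey of the pinned primary key still passes, while a valid signature from any other key does not.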
“Since 2021 the signatures are created by one of the official GnuPG release keys (aka certificates) they can be obtained from the GnuPG Homepage or downloaded from public keyservers.”
…listed on the main site. I must have missed it. If I did miss it, it is easy to miss because the other keys are listed on the main site at a glance from prior years.
Thank you for pointing this out. This definitely solves the perceived problem!
Thanks for the feedback, I think the link is further down on the site because most people that want to check the signature with GnuPG either have the pubkey already. (And the common case is to use the code signature.)