I’d appreciate some help describing how to verify the gpg4win download.
You can download “sha1sum.exe” here:
ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.exe
Place the .exe in your downloads folder (or whatever folder you download to). After downloading Gpg4Win, open the command prompt. Type the following:
C:\Users\Owner>cd downloads
C:\Users\Owner\Downloads>sha1sum gpg4win-2.2.0.exe
You should get this result:
0c7e01c4a39029c6d3fa88c0d1d1f2388fdb5151 gpg4win-2.2.0.exe
If your result is the same, the file is verified.
Regards,
Sean C.
Thank you very much for the easy to understand directions.
I was also curious how to verify the download with the signature. I’m not sure what key server to use. You may recognize the following commands:
“C:\Program Files\Gnu\GnuPg\gpg.exe” --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659
After importing the key, you can verify that the fingerprint is correct:
“C:\Program Files\Gnu\GnuPg\gpg.exe” --fingerprint 0x416F061063FEE659
You should see:
pub 2048R/63FEE659 2003-10-16
Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
uid Erinn Clark <erinn@torproject.org>
uid Erinn Clark <erinn@debian.org>
uid Erinn Clark <erinn@double-helix.org>
sub 2048R/EB399FD7 2003-10-16
To verify the signature of the package you downloaded, you will need to download the “.asc” file as well. Assuming you downloaded the package and its signature to your Desktop, run:
“C:\Program Files\Gnu\GnuPg\gpg.exe” --verify C:\Users\Alice\Desktop\file.exe.asc C:\Users\Alice\Desktop\file.exe
Thank you.
You’re welcome! 
BTW, most keyservers synchronize with each other, so it really matters little which one you choose. I just updated my key last night on one server and today the new version is on all of the popular servers.
Regards,
Sean C.