I’d appreciate some help describing how to verify the gpg4win download.
You can download “sha1sum.exe” here:
Place the .exe in your downloads folder (or whatever folder you download to). After downloading Gpg4Win, open the command prompt. Type the following:
You should get this result:
If your result is the same, the file is verified.
Thank you very much for the easy to understand directions.
I was also curious how to verify the download with the signature. I’m not sure what key server to use. You may recognize the following commands:
"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x416F061063FEE659
After importing the key, you can verify that the fingerprint is correct:
"C:\Program Files\Gnu\GnuPg\gpg.exe" --fingerprint 0x416F061063FEE659
You should see:
pub 2048R/63FEE659 2003-10-16
Key fingerprint = 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
uid Erinn Clark <firstname.lastname@example.org>
uid Erinn Clark <email@example.com>
uid Erinn Clark <firstname.lastname@example.org>
sub 2048R/EB399FD7 2003-10-16
To verify the signature of the package you downloaded, you will need to download the “.asc” file as well. Assuming you downloaded the package and its signature to your Desktop, run:
"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify C:\Users\Alice\Desktop\file.exe.asc C:\Users\Alice\Desktop\file.exe
BTW, most keyservers synchronize with each other, so it really matters little which one you choose. I just updated my key last night on one server and today the new version is on all of the popular servers.
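The check described in this thread, as an added example that is not part of any post above: gpg reports a good signature for any key in the keyring, so this Python sketch reads gpg's machine-readable `--status-fd` output and accepts the file only when the signature is good and its primary key fingerprint is the one quoted in the thread. The function names and the sample status lines are constructed for illustration; the gpg.exe path is the one used in the posts.

```python
import subprocess

# Fingerprint quoted in the thread, with the spaces removed.
EXPECTED_FPR = "8738A680B84B3031A630F2DB416F061063FEE659"

# Constructed status output (not captured from a real run). The subkey
# fingerprint, key IDs, dates and the second primary key are made up.
SUB = "0123456789ABCDEF0123456789ABCDEF01234567"
TAIL = " 2014-01-01 1388534400 0 4 0 1 2 00 "
SAMPLE_GOOD = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Erinn Clark\n"
               "[GNUPG:] VALIDSIG " + SUB + TAIL + EXPECTED_FPR + "\n")
SAMPLE_OTHER_KEY = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else\n"
                    "[GNUPG:] VALIDSIG " + SUB + TAIL + "F" * 40 + "\n")
SAMPLE_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Erinn Clark\n"


def status_records(status_text):
    """Split gpg --status-fd output into (keyword, [args]) pairs."""
    records = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            records.append((parts[1], parts[2:]))
    return records


def signature_ok(status_text, expected=EXPECTED_FPR):
    """True only for a good signature whose primary key is `expected`."""
    records = status_records(status_text)
    keywords = {kw for kw, _ in records}
    if "GOODSIG" not in keywords or keywords & {"BADSIG", "ERRSIG"}:
        return False
    for kw, args in records:
        if kw == "VALIDSIG" and args:
            # args[0] is the signing (sub)key; args[9], when present, is the
            # primary key fingerprint, which is what --fingerprint printed.
            primary = args[9] if len(args) >= 10 else args[0]
            return primary.upper() == expected.replace(" ", "").upper()
    return False


def verify_file(sig_path, data_path,
                gpg=r"C:\Program Files\Gnu\GnuPg\gpg.exe"):
    """Run gpg --verify and apply signature_ok() to its status output."""
    proc = subprocess.run(
        [gpg, "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and signature_ok(proc.stdout)
```

Call `verify_file` with the same `.asc` and `.exe` paths used in the `--verify` command above; it returns False when the signature is good but was made by a different key.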