verify download

I’d appreciate some help describing how to verify the gpg4win download.

You can download “sha1sum.exe” here:

Place the .exe in your downloads folder (or whatever folder you download to). After downloading Gpg4Win, open the command prompt. Type the following:

C:\Users\Owner>cd downloads
C:\Users\Owner\Downloads>sha1sum gpg4win-2.2.0.exe

You should get this result:

0c7e01c4a39029c6d3fa88c0d1d1f2388fdb5151 gpg4win-2.2.0.exe

If your result is the same, the file is verified.

Sean C.

Thank you very much for the easy-to-understand directions.

I was also curious how to verify the download with the signature. I’m not sure what key server to use. You may recognize the following commands:

"C:\Program Files\Gnu\GnuPg\gpg.exe" --keyserver x-hkp:// --recv-keys 0x416F061063FEE659

After importing the key, you can verify that the fingerprint is correct:

"C:\Program Files\Gnu\GnuPg\gpg.exe" --fingerprint 0x416F061063FEE659

You should see:

pub   2048R/63FEE659 2003-10-16
      Key fingerprint = 8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659
uid                  Erinn Clark <>
uid                  Erinn Clark <>
uid                  Erinn Clark <>
sub   2048R/EB399FD7 2003-10-16

To verify the signature of the package you downloaded, you will need to download the “.asc” file as well. Assuming you downloaded the package and its signature to your Desktop, run:

"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify C:\Users\Alice\Desktop\file.exe.asc C:\Users\Alice\Desktop\file.exe

Thank you.
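The fingerprint check and the --verify step above can be tied together: gpg's `--status-fd` output names the key behind a good signature, so a script can confirm it is the key whose fingerprint was checked. This is an added example, not part of the original posts; the function names and the sample status lines are constructed, and only the expected fingerprint comes from the thread.

```python
import subprocess

# Fingerprint from the thread's --fingerprint output, spaces removed.
EXPECTED_FPR = "8738A680B84B3031A630F2DB416F061063FEE659"
# Status keywords that mean the signature must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}

def signer_fingerprint(status_text):
    """Return the primary-key fingerprint from a VALIDSIG line, or None.

    VALIDSIG appears only for a cryptographically good signature. Its first
    field is the signing (sub)key's fingerprint and its last field is the
    primary key's fingerprint, the value that --fingerprint displays.
    """
    found = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return None  # fail closed on any bad or untrustworthy signature
        if parts[1] == "VALIDSIG":
            found = parts[-1].upper()
    return found

def is_expected_signer(status_text, expected=EXPECTED_FPR):
    """True only if a good signature was made by the expected primary key."""
    return signer_fingerprint(status_text) == expected.replace(" ", "").upper()

def gpg_status(sig_path, file_path, gpg="gpg"):
    """Run gpg --verify and return its machine-readable status lines."""
    cmd = [gpg, "--status-fd", "1", "--verify", sig_path, file_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

# Constructed status output (not captured from a real run). The signing
# subkey fingerprint and the "other" key fingerprint are made-up values.
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG 7777888899990000 Constructed Signer\n"
    "[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2013-10-01 "
    "1380585600 0 4 0 1 2 00 8738A680B84B3031A630F2DB416F061063FEE659\n"
)
SAMPLE_OTHER_KEY = (
    "[GNUPG:] GOODSIG CCCCDDDDEEEEFFFF Someone Else\n"
    "[GNUPG:] VALIDSIG 0000AAAA1111BBBB2222CCCCDDDDEEEEFFFF0000 2013-10-01 "
    "1380585600 0 4 0 1 2 00 0000AAAA1111BBBB2222CCCCDDDDEEEEFFFF0000\n"
)
SAMPLE_BAD = "[GNUPG:] BADSIG 7777888899990000 Constructed Signer\n"
```

A valid signature from some other key in the keyring (`SAMPLE_OTHER_KEY`) is rejected here, which a bare "Good signature" message would not make obvious.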

You’re welcome! :)

BTW, most keyservers synchronize with each other, so it really matters little which one you choose. I just updated my key last night on one server and today the new version is on all of the popular servers.

Sean C.