Verifying GPG .exe without https:// connection?


I the GPG .exe for Windows and wanted to verify the SHA1 hash using the standard Windows fciv.exe utility. That worked fine, however I noticed that the website from where I downloaded it is not https:// by default and when I force it to https:// it warns that the certificate is not signed by a trusted cert authority. What is the best practice for verifying the download given the fact that someone can modify the packets of a non-https:// connection?

thanks - Matt


I’ve been trying to think of a way to accomplish this and the only thing I can come up with is to find an individual whom you trust and who can verify the hash for you via a separate channel such as over the phone, etc. I know this is probably very difficult, but difficulty is an unfortunate characteristic of good security.

Hopefully someone smarter than me can come up with another possibility?

-Sean C.

Matt, Sean,

you may have noticed that we have used a codesigning certificate to sign the installer,
this is as safe as using an TLS certificate. (Maybe even slightly safer because Microsoft accepts less codesigning certificates than TLS certificate if I remember correctly.)

You could try to build a web of trust connection, searching for an OpenPGP certificate that you know that signed the distribution OpenPGP certificate, this tool can help you find it:

Best Regards,
ps.: Like my response?
I appreciate if you flattr Gpg4win at Thanks!