Integrity Check
You can check that the version of GnuPG that you want to install is original and unmodified by either verifying the file's signature or comparing the checksum with the one published in the release announcement.
Verifying the File's Signature
If you already have a trusted version of GnuPG installed, you can check the supplied signature. For example, to check the signature of the file gnupg-2.2.44.tar.bz2, you can use this command:
$ gpg --verify gnupg-2.2.44.tar.bz2.sig gnupg-2.2.44.tar.bz2
Note: you should never use a GnuPG version you just downloaded to check the integrity of the source — use an existing, trusted GnuPG installation, e.g., the one provided by your distribution.
If the output of the above command is similar to the following, then either you don't have our distribution keys (our signing keys are here) or the signature was generated by someone else and the file should be treated suspiciously.
gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6 gpg: Can't check signature: No public key gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06 gpg: Can't check signature: No public key
If you instead see:
gpg: Good signature from "Werner Koch (dist sig)" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06 gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
then you have a copy of our keys and the signatures are valid, but either you have not marked the keys as trusted or the keys are a forgery. In this case, at the very least, you should compare the fingerprints that are shown to those on the signing keys page. Even better is to compare the fingerprints with those shown on our business cards, which we handout at events that we attend.
Ideally, you'll see something like:
gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6 gpg: Good signature from "Werner Koch (dist sig)" [full] gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06 gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [full]
This means that the signature is valid and that you trust this key (either you signed it or someone you trusted did).
Comparing Checksums
If you are not able to use an old version of GnuPG, you can still verify the file's SHA-1 checksum. This is less secure, because if someone modified the files as they were transferred to you, it would not be much more effort to modify the checksums that you see on this webpage. As such, if you use this method, you should compare the checksums with those in release announcement. This is sent to the gnupg-announce mailing list (among others), which is widely mirrored. Don't use the mailing list archive on this website, but find the announcement on several other websites and make sure the checksum is consistent. This makes it more difficult for an attacker to trick you into installing a modified version of the software.
Assuming you downloaded the file gnupg-2.2.44.tar.bz2, you
can run the sha1sum
command like this:
sha1sum gnupg-2.2.44.tar.bz2
and check that the output matches the SHA-1 checksum reported on
this site. An example of a sha1sum
output is:
69c46d974e384839519acf0af762077f79def37f gnupg-2.2.44.tar.bz2
List of SHA-1 check-sums
For your convenience, all SHA-1 check-sums available for software that can be downloaded from our site, have been gathered below.
2d8aa2662c398d60f1f8e0bf46fd163eae703189 gnupg-2.4.6.tar.bz2 6d6b2017152fea4532afe38ce00e38a438b1e4bb gnupg-w32-2.4.6_20241029.exe 1336f00a6d9ff9806a2187bb06e8faf59391b5a2 gnupg-2.5.1.tar.bz2 772dda3a41f7cafd07cad66340fa17becc77687d gnupg-w32-2.5.1_20240912.exe 69c46d974e384839519acf0af762077f79def37f gnupg-2.2.44.tar.bz2 cf46f64db276fd8f097fe7ef5f3ff3ebf93218b9 gnupg-w32-2.2.44_20240812.exe bf4c6725382f267b9000847db78a00174e08cb28 gnupg-desktop-2.4.3.0.tar.xz 28e216f7e10639eb1898be9bca35d13f3e0aab36 gnupg-desktop-2.4.3.0-x86_64.AppImage 0a9386ff70a5d1f771771bf0b8db2b956e292f13 libgpg-error-1.51.tar.bz2 dd2c68e0685bb99249efeeb06046fae15b5214ba libgcrypt-1.11.0.tar.bz2 14715e6690bc9f81d7ef17ea58805186b022f75a libgcrypt-1.8.11.tar.bz2 781acfb012cbb5328f41efcf82f723524e8d0128 libksba-1.6.7.tar.bz2 776aac6fe4a64f29406bb498e0b2b73f2622c799 libassuan-3.0.1.tar.bz2 ae52b4d49e17f17951655512949f745385804faf ntbtls-0.3.2.tar.bz2 6f60ce8540453e120d715f269d0c7cfd9e0b0d24 npth-1.8.tar.bz2 fb0bbb88211558c8f7e652b4b6a675b1972fba04 pinentry-1.3.1.tar.bz2 3d9e8b50c0f20985690e56292fe102312cfc583d gpgme-1.24.0.tar.bz2 3f8a0ba9c7821049d51b982141a2330a246beb55 scute-1.7.0.tar.bz2 61475989acd12de8b7daacd906200e8b4f519c5a gpa-0.10.0.tar.bz2 13747486ed5ff707f796f34f50f4c3085c3a6875 gnupg-1.4.23.tar.bz2 d4c9962179d36a140be72c34f34e557b56c975b5 gnupg-w32cli-1.4.23.exe
List of SHA-256 check-sums
For your convenience, all SHA-256 check-sums available for software that can be downloaded from our site, have been gathered below.
95acfafda7004924a6f5c901677f15ac1bda2754511d973bb4523e8dd840e17a gnupg-2.4.6.tar.bz2 af5866586309418ae2f83f55de6ec96e9f557695a50a0631ccedfebfa708f51e gnupg-w32-2.4.6_20241029.exe 8a34bb318499867962c939e156666ada93ed81f01926590ac68f3ff79178375e gnupg-2.5.1.tar.bz2 98918b55a6e1125ce185adb2268d0bbf1701ae08565e67d1e2f902d7511ad2fd gnupg-w32-2.5.1_20240912.exe 735b8b3e6d2330f66ab98336b060d5852a1a67cb2bc47ec7d1e5411577a8cadd gnupg-2.2.44.tar.bz2 0454f1e92679b8f7e074c6a043f243e62a8ff9fa737a459ea8a95ad4af0ddb84 gnupg-w32-2.2.44_20240812.exe 81e0800cc090f8f387cee8e59b9f742f2e6d2d81a408414fc051a8df64e37d90 gnupg-desktop-2.4.3.0.tar.xz 4e6592eb820a853804f9bd1f39ee545af712b0cabd0bf4a773ffddaff12fdd33 gnupg-desktop-2.4.3.0-x86_64.AppImage be0f1b2db6b93eed55369cdf79f19f72750c8c7c39fc20b577e724545427e6b2 libgpg-error-1.51.tar.bz2 09120c9867ce7f2081d6aaa1775386b98c2f2f246135761aae47d81f58685b9c libgcrypt-1.11.0.tar.bz2 c98249fb5bb1f6017f5f9bf484327a940b59075bca7c46fa69ebb54098249860 libgcrypt-1.8.11.tar.bz2 cf72510b8ebb4eb6693eef765749d83677a03c79291a311040a5bfd79baab763 libksba-1.6.7.tar.bz2 c8f0f42e6103dea4b1a6a483cb556654e97302c7465308f58363778f95f194b1 libassuan-3.0.1.tar.bz2 bdfcb99024acec9c6c4b998ad63bb3921df4cfee4a772ad6c0ca324dbbf2b07c ntbtls-0.3.2.tar.bz2 8bd24b4f23a3065d6e5b26e98aba9ce783ea4fd781069c1b35d149694e90ca3e npth-1.8.tar.bz2 bc72ee27c7239007ab1896c3c2fae53b076e2c9bd2483dc2769a16902bce8c04 pinentry-1.3.1.tar.bz2 61e3a6ad89323fecfaff176bc1728fb8c3312f2faa83424d9d5077ba20f5f7da gpgme-1.24.0.tar.bz2 437fe758b27c243a5ee2535c6b065ea1d09f2c9a02d83567d2f934bb6395c249 scute-1.7.0.tar.bz2 95dbabe75fa5c8dc47e3acf2df7a51cee096051e5a842b4c9b6d61e40a6177b1 gpa-0.10.0.tar.bz2 c9462f17e651b6507848c08c430c791287cd75491f8b5a8b50c6ed46b12678ba gnupg-1.4.23.tar.bz2