Integrity Check
You can check that the version of GnuPG that you want to install is original and unmodified by either verifying the file's signature or comparing the checksum with the one published in the release announcement.
Verifying the File's Signature
If you already have a trusted version of GnuPG installed, you can check the supplied signature. For example, to check the signature of the file gnupg-2.2.27.tar.bz2, you can use this command:
$ gpg --verify gnupg-2.2.27.tar.bz2.sig gnupg-2.2.27.tar.bz2
Note: you should never use a GnuPG version you just downloaded to check the integrity of the source — use an existing, trusted GnuPG installation, e.g., the one provided by your distribution.
If the output of the above command is similar to the following, then either you don't have our distribution keys (our signing keys are here) or the signature was generated by someone else and the file should be treated suspiciously.
gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6 gpg: Can't check signature: No public key gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06 gpg: Can't check signature: No public key
If you instead see:
gpg: Good signature from "Werner Koch (dist sig)" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06 gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
then you have a copy of our keys and the signatures are valid, but either you have not marked the keys as trusted or the keys are a forgery. In this case, at the very least, you should compare the fingerprints that are shown to those on the signing keys page. Even better is to compare the fingerprints with those shown on our business cards, which we handout at events that we attend.
Ideally, you'll see something like:
gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6 gpg: Good signature from "Werner Koch (dist sig)" [full] gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06 gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [full]
This means that the signature is valid and that you trust this key (either you signed it or someone you trusted did).
Comparing Checksums
If you are not able to use an old version of GnuPG, you can still verify the file's SHA-1 checksum. This is less secure, because if someone modified the files as they were transferred to you, it would not be much more effort to modify the checksums that you see on this webpage. As such, if you use this method, you should compare the checksums with those in release announcement. This is sent to the gnupg-announce mailing list (among others), which is widely mirrored. Don't use the mailing list archive on this website, but find the announcement on several other websites and make sure the checksum is consistent. This makes it more difficult for an attacker to trick you into installing a modified version of the software.
Assuming you downloaded the file gnupg-2.2.27.tar.bz2, you
can run the sha1sum
command like this:
sha1sum gnupg-2.2.27.tar.bz2
and check that the output matches the SHA-1 checksum reported on
this site. An example of a sha1sum
output is:
d928d4bd0808ffb8fe20d1161501401d5d389458 gnupg-2.2.27.tar.bz2
List of SHA-1 check-sums
For your convenience, all SHA-1 check-sums available for software that can be downloaded from our site, have been gathered below.
d928d4bd0808ffb8fe20d1161501401d5d389458 gnupg-2.2.27.tar.bz2 9f2ff2ce36b6537f895ab3306527f105ff95df8d gnupg-w32-2.2.27_20210111.exe 66d6270511a48bac0bf347330e7a12c62f3a1ab4 libgpg-error-1.41.tar.bz2 ea79a279b27bf25cb1564f96693128f8fc9f41d6 libgcrypt-1.8.7.tar.bz2 866ab0974e9e7851ab13dc257ecb6517ba339c37 libksba-1.5.0.tar.bz2 55a35918e95566ef94e8843879a7dd3f87de3781 libassuan-2.5.4.tar.bz2 3bbd98e5cfff7ca7514ae600599f0e1c1f351566 ntbtls-0.2.0.tar.bz2 f9d63e9747b027e4e404fe3c20c73c73719e1731 npth-1.6.tar.bz2 693bdf9f48dfb3e040d92f50b1bb464e268b9fb0 pinentry-1.1.0.tar.bz2 5ae07a303fcf9cec490dabdfbc6e0f3b8f6dd5a0 gpgme-1.15.1.tar.bz2 3f8a0ba9c7821049d51b982141a2330a246beb55 scute-1.7.0.tar.bz2 61475989acd12de8b7daacd906200e8b4f519c5a gpa-0.10.0.tar.bz2 e708d4aa5ce852f4de3f4b58f4e4f221f5e5c690 dirmngr-1.1.1.tar.bz2 a7d5021a6a39dd67942e00a1239e37063edb00f0 gnupg-2.0.31.tar.bz2 13747486ed5ff707f796f34f50f4c3085c3a6875 gnupg-1.4.23.tar.bz2 d4c9962179d36a140be72c34f34e557b56c975b5 gnupg-w32cli-1.4.23.exe