You can check that the version of GnuPG that you want to install is original and unmodified by either verifying the file's signature or comparing the checksum with the one published in the release announcement.

If you already have a trusted version of GnuPG installed, you can check the supplied signature. For example, to check the signature of the file gnupg-2.2.44.tar.bz2, you can use this command:

$ gpg --verify gnupg-2.2.44.tar.bz2.sig gnupg-2.2.44.tar.bz2

Note: you should never use a GnuPG version you just downloaded to check the integrity of the source — use an existing, trusted GnuPG installation, e.g., the one provided by your distribution.

If the output of the above command is similar to the following, then either you don't have our distribution keys (our signing keys are here) or the signature was generated by someone else and the file should be treated suspiciously.

gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
gpg: Can't check signature: No public key
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Can't check signature: No public key

If you instead see:

gpg: Good signature from "Werner Koch (dist sig)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06

then you have a copy of our keys and the signatures are valid, but either you have not marked the keys as trusted or the keys are a forgery. In this case, at the very least, you should compare the fingerprints that are shown to those on the signing keys page. Even better is to compare the fingerprints with those shown on our business cards, which we handout at events that we attend.

Ideally, you'll see something like:

gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [full]

This means that the signature is valid and that you trust this key (either you signed it or someone you trusted did).

If you are not able to use an old version of GnuPG, you can still verify the file's SHA-1 checksum. This is less secure, because if someone modified the files as they were transferred to you, it would not be much more effort to modify the checksums that you see on this webpage. As such, if you use this method, you should compare the checksums with those in release announcement. This is sent to the gnupg-announce mailing list (among others), which is widely mirrored. Don't use the mailing list archive on this website, but find the announcement on several other websites and make sure the checksum is consistent. This makes it more difficult for an attacker to trick you into installing a modified version of the software.

Assuming you downloaded the file gnupg-2.2.44.tar.bz2, you can run the sha1sum command like this:

sha1sum gnupg-2.2.44.tar.bz2

and check that the output matches the SHA-1 checksum reported on this site. An example of a sha1sum output is:

69c46d974e384839519acf0af762077f79def37f  gnupg-2.2.44.tar.bz2

For your convenience, all SHA-1 check-sums available for software that can be downloaded from our site, have been gathered below.

c704085aa7cc131a67edd0b7c0c90e5c35ee4adb  gnupg-2.4.8.tar.bz2
c5b3e12f2cfb8771d4f6e089039d84844f6cba70  gnupg-w32-2.4.8_20250514.exe
701bd8fe8789a86cd2b7c27254a2ab837ee4fcfa  gnupg-2.5.9.tar.bz2
0c7814a9ed67c48d0498f42f5a0eeaaf18e29f49  gnupg-w32-2.5.9_20250710.exe
69c46d974e384839519acf0af762077f79def37f  gnupg-2.2.44.tar.bz2
cf46f64db276fd8f097fe7ef5f3ff3ebf93218b9  gnupg-w32-2.2.44_20240812.exe
bf4c6725382f267b9000847db78a00174e08cb28  gnupg-desktop-2.4.3.0.tar.xz
28e216f7e10639eb1898be9bca35d13f3e0aab36  gnupg-desktop-2.4.3.0-x86_64.AppImage
d275a092181f08af0ef5e7b247a1a9a0ca7cb160  libgpg-error-1.55.tar.bz2
d33eb270cd74e8c23e263eb5cdb8f7de740f7b49  libgcrypt-1.11.1.tar.bz2
14715e6690bc9f81d7ef17ea58805186b022f75a  libgcrypt-1.8.11.tar.bz2
781acfb012cbb5328f41efcf82f723524e8d0128  libksba-1.6.7.tar.bz2
57fb6f59b1a07e5125115454f5ad4cb0665e0eef  libassuan-3.0.2.tar.bz2
ae52b4d49e17f17951655512949f745385804faf  ntbtls-0.3.2.tar.bz2
6f60ce8540453e120d715f269d0c7cfd9e0b0d24  npth-1.8.tar.bz2
fb0bbb88211558c8f7e652b4b6a675b1972fba04  pinentry-1.3.1.tar.bz2
0aadc7ee79034052933fa866a70da5f0666bbba7  gpgme-2.0.0.tar.bz2
3e8ef698cf2d577ccf8232f52598cdfc31321348  gpgmepp-2.0.0.tar.xz
8298cc205228a2e14b5698435b31d8dedf6e155a  qgpgme-2.0.0.tar.xz
3f8a0ba9c7821049d51b982141a2330a246beb55  scute-1.7.0.tar.bz2
2e6568911581b8bb35bfef565350a84b3f832a84  gpa-0.11.0.tar.bz2
e7f9be4b461907c00dfd21d23da872ba0638f6ee  gpgme-1.24.3.tar.bz2
13747486ed5ff707f796f34f50f4c3085c3a6875  gnupg-1.4.23.tar.bz2
d4c9962179d36a140be72c34f34e557b56c975b5  gnupg-w32cli-1.4.23.exe

For your convenience, all SHA-256 check-sums available for software that can be downloaded from our site, have been gathered below.

b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616  gnupg-2.4.8.tar.bz2
2cd239a8301c59da3737f44566c8c6f9c1779a148af3561e77fb866a0a90de4e  gnupg-w32-2.4.8_20250514.exe
15ac4ba118a94c2cd8b6443b19731287343e8408dc29f359cbfaf43803ed634e  gnupg-2.5.9.tar.bz2
7c385dcc62e7d4c101d78d5d3f9e5db21754409939c02020a9d0075855c3e063  gnupg-w32-2.5.9_20250710.exe
735b8b3e6d2330f66ab98336b060d5852a1a67cb2bc47ec7d1e5411577a8cadd  gnupg-2.2.44.tar.bz2
0454f1e92679b8f7e074c6a043f243e62a8ff9fa737a459ea8a95ad4af0ddb84  gnupg-w32-2.2.44_20240812.exe
81e0800cc090f8f387cee8e59b9f742f2e6d2d81a408414fc051a8df64e37d90  gnupg-desktop-2.4.3.0.tar.xz
4e6592eb820a853804f9bd1f39ee545af712b0cabd0bf4a773ffddaff12fdd33  gnupg-desktop-2.4.3.0-x86_64.AppImage
95b178148863f07d45df0cea67e880a79b9ef71f5d230baddc0071128516ef78  libgpg-error-1.55.tar.bz2
24e91c9123a46c54e8371f3a3a2502f1198f2893fbfbf59af95bc1c21499b00e  libgcrypt-1.11.1.tar.bz2
c98249fb5bb1f6017f5f9bf484327a940b59075bca7c46fa69ebb54098249860  libgcrypt-1.8.11.tar.bz2
cf72510b8ebb4eb6693eef765749d83677a03c79291a311040a5bfd79baab763  libksba-1.6.7.tar.bz2
d2931cdad266e633510f9970e1a2f346055e351bb19f9b78912475b8074c36f6  libassuan-3.0.2.tar.bz2
bdfcb99024acec9c6c4b998ad63bb3921df4cfee4a772ad6c0ca324dbbf2b07c  ntbtls-0.3.2.tar.bz2
8bd24b4f23a3065d6e5b26e98aba9ce783ea4fd781069c1b35d149694e90ca3e  npth-1.8.tar.bz2
bc72ee27c7239007ab1896c3c2fae53b076e2c9bd2483dc2769a16902bce8c04  pinentry-1.3.1.tar.bz2
ddf161d3c41ff6a3fcbaf4be6c6e305ca4ef1cc3f1ecdfce0c8c2a167c0cc36d  gpgme-2.0.0.tar.bz2
d4796049c06708a26f3096f748ef095347e1a3c1e570561701fe952c3f565382  gpgmepp-2.0.0.tar.xz
15645b2475cca6118eb2ed331b3a8d9442c9d4019c3846ba3f6d25321b4a61ad  qgpgme-2.0.0.tar.xz
437fe758b27c243a5ee2535c6b065ea1d09f2c9a02d83567d2f934bb6395c249  scute-1.7.0.tar.bz2
26a8fa5bf70541cb741f0c71b7cfe291b1ea56eab68eeb07aa962cef5cdf33cc  gpa-0.11.0.tar.bz2
bfc17f5bd1b178c8649fdd918956d277080f33df006a2dc40acdecdce68c50dd  gpgme-1.24.3.tar.bz2
c9462f17e651b6507848c08c430c791287cd75491f8b5a8b50c6ed46b12678ba  gnupg-1.4.23.tar.bz2