Integrity Check

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways.

Using gpg

If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.28.tar.bz2 you would use this command:

gpg --verify gnupg-2.0.28.tar.bz2.sig gnupg-2.0.28.tar.bz2

This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by of the signing keys. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key.

Never use a GnuPG version you just downloaded to check the integrity of the source — use an existing GnuPG installation.

Using sha1sum

If you are not able to use an old version of GnuPG, you have to verify the SHA1 checksum. Assuming you downloaded the file gnupg-2.0.28.tar.bz2, you would run the sha1sum command like this:

sha1sum gnupg-2.0.28.tar.bz2

and check that the output matches the SHA-1 checksum reported on this site. An example of a sha1sum output is:

9a1050f72b6c9afe2b4a0a3f2e9dca2abba8e4ef  gnupg-2.0.28.tar.bz2

To be sure that this page has not been tampered, you may want to compare the list below with the one included in the announcement mail posted to several mailing list.

List of SHA-1 check-sums

For your convenience, all SHA-1 check-sums available for software that can be downloaded from our site, have been gathered below.

9a1050f72b6c9afe2b4a0a3f2e9dca2abba8e4ef  gnupg-2.0.28.tar.bz2
1a345804f34a2acd05c1555e40ddfa297f38438b  gnupg-2.1.7.tar.bz2
dfea3fa2499f64cac223c9329c9f017bc3da11a5  gnupg-w32-2.1.7_20150811.exe
5503f7faa0a0e84450838706a67621546241ca50  gnupg-1.4.19.tar.bz2
d0cf40cc42ce057d7d747908ec21a973a423a508  gnupg-1.4.19.tar.gz
dc03ae4e4c3e8fe0583b37dd6c3124f94246d2f8  gnupg-w32cli-1.4.19.exe
89c961f63469739fe816a56dcdd86c2e1897cace  libgpg-error-1.20.tar.bz2
9456e7b64db9df8360a1407a38c8c958da80bbf1  libgcrypt-1.6.3.tar.bz2
86fe0436f3c8c394d32e142ee410a9f9560173fb  libksba-1.3.3.tar.bz2
23f7ea010983b869f765c36d169dec51c8296cff  libassuan-2.3.0.tar.bz2
11979a6826ef5de73b52fd8c5b84f8321a133e53  pinentry-0.9.5.tar.bz2
21510323495f6220f8f67610c3c27a23d761d43d  gpgme-1.6.0.tar.bz2
9eb07bcceeb986c7b6dbce8a18b82a2c344b50ce  gpa-0.9.7.tar.bz2
a7a7d1432db9edad2783ea1bce761a8106464165  dirmngr-1.1.0.tar.bz2