Integrity Check

You can check that the version of GnuPG that you want to install is original and unmodified by either verifying the file's signature or comparing the checksum with the one published in the release announcement.

Verifying the File's Signature

If you already have a trusted version of GnuPG installed, you can check the supplied signature. For example, to check the signature of the file gnupg-2.0.30.tar.bz2, you can use this command:

$ gpg --verify gnupg-2.0.30.tar.bz2.sig gnupg-2.0.30.tar.bz2

Note: you should never use a GnuPG version you just downloaded to check the integrity of the source — use an existing, trusted GnuPG installation, e.g., the one provided by your distribution.

If the output of the above command is similar to the following, then either you don't have our distribution keys (our signing keys are here) or the signature was generated by someone else and the file should be treated suspiciously.

gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
gpg: Can't check signature: No public key
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Can't check signature: No public key

If you instead see:

gpg: Good signature from "Werner Koch (dist sig)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06

then you have a copy of our keys and the signatures are valid, but either you have not marked the keys as trusted or the keys are a forgery. In this case, at the very least, you should compare the fingerprints shown to those on the signing keys page. Even better, compare the fingerprints with those printed on our business cards, which we hand out at events we attend.

Ideally, you'll see something like:

gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [full]

This means that the signature is valid and that you trust this key (either you signed it or someone you trusted did).

Comparing Checksums

If you are not able to use an old version of GnuPG, you can still verify the file's SHA-1 checksum. This is less secure, because if someone modified the files as they were transferred to you, it would not be much more effort to modify the checksums that you see on this webpage. As such, if you use this method, you should compare the checksums with those in the release announcement. This is sent to the gnupg-announce mailing list (among others), which is widely mirrored. Don't use the mailing list archive on this website; instead, find the announcement on several other websites and make sure the checksum is consistent across them. This makes it more difficult for an attacker to trick you into installing a modified version of the software.

Assuming you downloaded the file gnupg-2.0.30.tar.bz2, you can run the sha1sum command like this:

sha1sum gnupg-2.0.30.tar.bz2

and check that the output matches the SHA-1 checksum reported on this site. An example of a sha1sum output is:

a9f024588c356a55e2fd413574bfb55b2e18794a  gnupg-2.0.30.tar.bz2
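The two checks above, as an added example that is not code from the GnuPG page: instead of reading gpg's human-readable text, these POSIX shell functions classify the three outputs shown in the signature section from gpg's machine-readable `--status-fd` lines, pin the two primary-key fingerprints printed on the page, and compare the SHA-1 the way the checksum section describes. The function names, return codes and the `check_release` wrapper are assumptions of this example; `sha1sum`, `awk`, `grep` and `mktemp` are assumed to be available.

```sh
#!/bin/sh
# Added example, not code from the GnuPG page: decide pass/fail from gpg's
# machine-readable --status-fd lines and pin the two primary-key fingerprints
# the page prints, so a "Good signature" from some other key is rejected.
PINNED_FPRS="D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 031EC2536E580D8EA286A9F22071B08A33BD3F06"

# classify_status STATUS_FILE
# STATUS_FILE holds the "[GNUPG:] ..." lines of `gpg --status-fd 1 --verify`.
# Returns 0 only if every signature is valid, made by a pinned key and that
# key is fully/ultimately trusted; 1 = signing key missing (first output on
# the page); 2 = good signature but unpinned or untrusted key (second output);
# 3 = bad signature or no signature at all.
classify_status() {
    st="$1"
    grep -q '^\[GNUPG:] NO_PUBKEY ' "$st" && return 1
    grep -q '^\[GNUPG:] BADSIG '    "$st" && return 3
    grep -q '^\[GNUPG:] VALIDSIG '  "$st" || return 3
    # The last VALIDSIG field is the primary key fingerprint; each must be pinned.
    for fpr in $(awk '/^\[GNUPG:] VALIDSIG /{print $NF}' "$st"); do
        case " $PINNED_FPRS " in
            *" $fpr "*) ;;
            *) return 2 ;;
        esac
    done
    # One TRUST_* line per signature; any level below "full" is the [unknown] case.
    grep -q '^\[GNUPG:] TRUST_' "$st" || return 2
    grep '^\[GNUPG:] TRUST_' "$st" | grep -Eqv 'TRUST_(FULLY|ULTIMATE)' && return 2
    return 0
}

# verify_sha1 FILE EXPECTED_HEX: 0 when sha1sum's digest equals EXPECTED_HEX.
verify_sha1() {
    actual=$(sha1sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# check_release TARBALL EXPECTED_SHA1: run both checks on a downloaded file,
# e.g. check_release gnupg-2.0.30.tar.bz2 a9f024588c356a55e2fd413574bfb55b2e18794a
check_release() {
    status=$(mktemp)
    # gpg's exit code is ignored; the verdict is taken from the status lines.
    gpg --status-fd 1 --verify "$1.sig" "$1" >"$status" 2>/dev/null || :
    classify_status "$status"; rc=$?
    rm -f "$status"
    [ "$rc" -eq 0 ] || { echo "signature check failed (code $rc)" >&2; return "$rc"; }
    verify_sha1 "$1" "$2" || { echo "SHA-1 mismatch" >&2; return 4; }
    echo "$1: signature and checksum OK"
}
```

Take EXPECTED_SHA1 from a mirrored copy of the release announcement, not from the same site the tarball came from, for the reason given in the checksum section.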

List of SHA-1 checksums

For your convenience, the SHA-1 checksums of all software that can be downloaded from our site are gathered below.
