Integrity Check

You can check that the version of GnuPG that you want to install is original and unmodified by either verifying the file's signature or comparing the checksum with the one published in the release announcement.

Verifying the File's Signature

If you already have a trusted version of GnuPG installed, you can check the supplied signature. For example, to check the signature of the file gnupg-2.2.42.tar.bz2, you can use this command:

$ gpg --verify gnupg-2.2.42.tar.bz2.sig gnupg-2.2.42.tar.bz2

Note: you should never use a GnuPG version you just downloaded to check the integrity of the source — use an existing, trusted GnuPG installation, e.g., the one provided by your distribution.

If the output of the above command is similar to the following, then either you don't have our distribution keys (our signing keys are here) or the signature was generated by someone else and the file should be treated suspiciously.

gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
gpg: Can't check signature: No public key
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Can't check signature: No public key

If you instead see:

gpg: Good signature from "Werner Koch (dist sig)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06

then you have a copy of our keys and the signatures are valid, but either you have not marked the keys as trusted or the keys are a forgery. In this case, at the very least, you should compare the fingerprints that are shown to those on the signing keys page. Even better is to compare the fingerprints with those shown on our business cards, which we handout at events that we attend.

Ideally, you'll see something like:

gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [full]

This means that the signature is valid and that you trust this key (either you signed it or someone you trusted did).

Comparing Checksums

If you are not able to use an old version of GnuPG, you can still verify the file's SHA-1 checksum. This is less secure, because if someone modified the files as they were transferred to you, it would not be much more effort to modify the checksums that you see on this webpage. As such, if you use this method, you should compare the checksums with those in release announcement. This is sent to the gnupg-announce mailing list (among others), which is widely mirrored. Don't use the mailing list archive on this website, but find the announcement on several other websites and make sure the checksum is consistent. This makes it more difficult for an attacker to trick you into installing a modified version of the software.

Assuming you downloaded the file gnupg-2.2.42.tar.bz2, you can run the sha1sum command like this:

sha1sum gnupg-2.2.42.tar.bz2

and check that the output matches the SHA-1 checksum reported on this site. An example of a sha1sum output is:

9b7df61125014ea1ec4afd98d1f68dfebbb8eee7  gnupg-2.2.42.tar.bz2

List of SHA-1 check-sums

For your convenience, all SHA-1 check-sums available for software that can be downloaded from our site, have been gathered below.

ae0935ead29a2dfa34d6b48d70808652bc3ca73b  gnupg-2.4.5.tar.bz2
9ffe88554341f28e077ef42150b149a851af2fae  gnupg-w32-2.4.5_20240307.exe
9b7df61125014ea1ec4afd98d1f68dfebbb8eee7  gnupg-2.2.42.tar.bz2
0fe114f6df85ec3ff62794bc3d75b81c8cd37d88  gnupg-w32-2.2.42_20231128.exe
bf4c6725382f267b9000847db78a00174e08cb28  gnupg-desktop-2.4.3.0.tar.xz
28e216f7e10639eb1898be9bca35d13f3e0aab36  gnupg-desktop-2.4.3.0-x86_64.AppImage
8bdb504750b4da9e7daffa164cf1ed9900671f32  libgpg-error-1.48.tar.bz2
359e1d01ad2eb9cd2db964ea96ef3712d0c2c649  libgcrypt-1.10.3.tar.bz2
14715e6690bc9f81d7ef17ea58805186b022f75a  libgcrypt-1.8.11.tar.bz2
1db4222e052656700021a30d517f5aa2f882da4a  libksba-1.6.6.tar.bz2
b6ccd955085dac902a09871f94a3d41a7667d0c8  libassuan-2.5.7.tar.bz2
ae52b4d49e17f17951655512949f745385804faf  ntbtls-0.3.2.tar.bz2
a9f7adc1b1f6707071d29bfb3338c28b995ca1ce  npth-1.7.tar.bz2
28effa1722865786cb984f3099a32db40f96ea26  pinentry-1.3.0.tar.bz2
b3a938939a9fb2182684aa9ba094c8e8ecd6167b  gpgme-1.23.2.tar.bz2
3f8a0ba9c7821049d51b982141a2330a246beb55  scute-1.7.0.tar.bz2
61475989acd12de8b7daacd906200e8b4f519c5a  gpa-0.10.0.tar.bz2
13747486ed5ff707f796f34f50f4c3085c3a6875  gnupg-1.4.23.tar.bz2
d4c9962179d36a140be72c34f34e557b56c975b5  gnupg-w32cli-1.4.23.exe

List of SHA-256 check-sums

For your convenience, all SHA-256 check-sums available for software that can be downloaded from our site, have been gathered below.

f68f7d75d06cb1635c336d34d844af97436c3f64ea14bcb7c869782f96f44277  gnupg-2.4.5.tar.bz2
d2ac821ceacf9409ebcdb42ae330087ada30c732981f00b356f9c2f08fac4dc1  gnupg-w32-2.4.5_20240307.exe
9189fbd4ec83ad243a4e499d5cb7fe72e4532176817e5ea880ed36a71dd82557  gnupg-2.2.42.tar.bz2
2087085bb16081f1b6730555b0a1d9b04708548b6b9ce4268fea5e81344390fa  gnupg-w32-2.2.42_20231128.exe
81e0800cc090f8f387cee8e59b9f742f2e6d2d81a408414fc051a8df64e37d90  gnupg-desktop-2.4.3.0.tar.xz
4e6592eb820a853804f9bd1f39ee545af712b0cabd0bf4a773ffddaff12fdd33  gnupg-desktop-2.4.3.0-x86_64.AppImage
89ce1ae893e122924b858de84dc4f67aae29ffa610ebf668d5aa539045663d6f  libgpg-error-1.48.tar.bz2
8b0870897ac5ac67ded568dcfadf45969cfa8a6beb0fd60af2a9eadc2a3272aa  libgcrypt-1.10.3.tar.bz2
c98249fb5bb1f6017f5f9bf484327a940b59075bca7c46fa69ebb54098249860  libgcrypt-1.8.11.tar.bz2
5dec033d211559338838c0c4957c73dfdc3ee86f73977d6279640c9cd08ce6a4  libksba-1.6.6.tar.bz2
0103081ffc27838a2e50479153ca105e873d3d65d8a9593282e9c94c7e6afb76  libassuan-2.5.7.tar.bz2
bdfcb99024acec9c6c4b998ad63bb3921df4cfee4a772ad6c0ca324dbbf2b07c  ntbtls-0.3.2.tar.bz2
8589f56937b75ce33b28d312fccbf302b3b71ec3f3945fde6aaa74027914ad05  npth-1.7.tar.bz2
9b3cd5226e7597f2fded399a3bc659923351536559e9db0826981bca316494de  pinentry-1.3.0.tar.bz2
9499e8b1f33cccb6815527a1bc16049d35a6198a6c5fae0185f2bd561bce5224  gpgme-1.23.2.tar.bz2
437fe758b27c243a5ee2535c6b065ea1d09f2c9a02d83567d2f934bb6395c249  scute-1.7.0.tar.bz2
95dbabe75fa5c8dc47e3acf2df7a51cee096051e5a842b4c9b6d61e40a6177b1  gpa-0.10.0.tar.bz2
c9462f17e651b6507848c08c430c791287cd75491f8b5a8b50c6ed46b12678ba  gnupg-1.4.23.tar.bz2