Integrity Check
You can check that the version of GnuPG that you want to install is original and unmodified by either verifying the file's signature or comparing the checksum with the one published in the release announcement.
Verifying the File's Signature
If you already have a trusted version of GnuPG installed, you can check the supplied signature. For example, to check the signature of the file gnupg-2.2.41.tar.bz2, you can use this command:
$ gpg --verify gnupg-2.2.41.tar.bz2.sig gnupg-2.2.41.tar.bz2
Note: you should never use a GnuPG version you just downloaded to check the integrity of the source — use an existing, trusted GnuPG installation, e.g., the one provided by your distribution.
If the output of the above command is similar to the following, then either you don't have our distribution keys (our signing keys are here) or the signature was generated by someone else and the file should be treated suspiciously.
gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
gpg: Can't check signature: No public key
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Can't check signature: No public key
If you instead see:
gpg: Good signature from "Werner Koch (dist sig)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
then you have a copy of our keys and the signatures are valid, but either you have not marked the keys as trusted or the keys are a forgery. In this case, at the very least, you should compare the fingerprints that are shown to those on the signing keys page. Even better is to compare the fingerprints with those shown on our business cards, which we hand out at events that we attend.
Ideally, you'll see something like:
gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [full]
This means that the signature is valid and that you trust this key (either you signed it or someone you trusted did).
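The three outcomes above can also be told apart by a script instead of by reading the human-readable text. The following is an added example, not code from the GnuPG project: it reads gpg's machine-readable status lines and accepts only signatures made under the two primary key fingerprints shown in the sample output above. The names check_status, verify_release, PINNED_FPRS and the sample variables, as well as the acceptance policy, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not GnuPG project code): accept a file only when gpg reports
# a valid signature whose primary key is one of the fingerprints on this page.

# Fingerprints copied from the sample output above, spaces removed.
PINNED_FPRS="D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 031EC2536E580D8EA286A9F22071B08A33BD3F06"

# Reads `gpg --status-fd` lines on stdin. Policy chosen for this example:
# succeed if at least one VALIDSIG names a pinned primary key and no
# signature is reported as bad or as made by an expired or revoked key.
check_status() {
    awk -v pinned="$PINNED_FPRS" '
        BEGIN { n = split(pinned, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Last argument is the primary key fingerprint; fall back to the
            # signing key fingerprint if gpg did not print it.
            fpr = (NF >= 12) ? $12 : $3
            if (fpr in ok) good++
        }
        END { exit !(good > 0 && bad == 0) }
    '
}

# usage: verify_release gnupg-2.2.41.tar.bz2.sig gnupg-2.2.41.tar.bz2
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Constructed status output for illustration (not captured from a real run).
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 249B39D24F25E3B6 Werner Koch (dist sig)
[GNUPG:] VALIDSIG D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 2015-10-09 1444405315 0 4 0 1 8 00 D8692123C4065DEA5E0F3AB5249B39D24F25E3B6'
# Same shape, but with a placeholder fingerprint that is not pinned.
SAMPLE_OTHER='[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2015-10-09 1444405315 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
```

Run verify_release with the trusted, already installed gpg, and confirm the pinned fingerprints against the signing keys page before relying on them.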
Comparing Checksums
If you are not able to use an old version of GnuPG, you can still verify the file's SHA-1 checksum. This is less secure, because if someone modified the files as they were transferred to you, it would not be much more effort to modify the checksums that you see on this webpage. As such, if you use this method, you should compare the checksums with those in the release announcement. This is sent to the gnupg-announce mailing list (among others), which is widely mirrored. Don't use the mailing list archive on this website, but find the announcement on several other websites and make sure the checksum is consistent. This makes it more difficult for an attacker to trick you into installing a modified version of the software.
Assuming you downloaded the file gnupg-2.2.41.tar.bz2, you can run the sha1sum command like this:
sha1sum gnupg-2.2.41.tar.bz2
and check that the output matches the SHA-1 checksum reported on this site. An example of a sha1sum output is:
8683ed39c5707313ff094f4758fbf779112ff0b7 gnupg-2.2.41.tar.bz2
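The cross-check against several copies of the release announcement can be scripted as well. The following is an added example, not code from the GnuPG project: it assumes each announcement copy was saved from a different website as a plain text file containing a line of the form "checksum filename", and the function names announced_sum and verify_against_announcements are made up for this example.

```shell
#!/bin/sh
# Added example (not GnuPG project code): trust a SHA-1 checksum only if every
# saved copy of the release announcement lists the same value for the file.

# usage: announced_sum NAME COPY...
# Prints the checksum listed for NAME. Fails if any copy lacks an entry for
# NAME or if the copies disagree.
announced_sum() {
    name=$1; shift
    awk -v name="$name" '
        $2 == name && length($1) == 40 && $1 ~ /^[0-9a-f]+$/ {
            if (!(FILENAME in hit)) { hit[FILENAME] = 1; files++ }
            if (!($1 in sums)) { sums[$1] = 1; distinct++; value = $1 }
        }
        END {
            # ARGC - 1 is the number of announcement copies given.
            if (files != ARGC - 1 || distinct != 1) exit 1
            print value
        }
    ' "$@"
}

# usage: verify_against_announcements FILE COPY...
# Succeeds only if the SHA-1 of FILE equals the value all copies agree on.
verify_against_announcements() {
    file=$1; shift
    expected=$(announced_sum "$(basename "$file")" "$@") || return 1
    actual=$(sha1sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}
```

For example, `verify_against_announcements gnupg-2.2.41.tar.bz2 copy1.txt copy2.txt copy3.txt`, where the copy file names are placeholders for announcement copies you saved yourself.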
List of SHA-1 check-sums
For your convenience, all SHA-1 check-sums available for software that can be downloaded from our site have been gathered below.
List of SHA-256 check-sums
For your convenience, all SHA-256 check-sums available for software that can be downloaded from our site have been gathered below.