You can check that the version of GnuPG that you want to install is original and unmodified by either verifying the file's signature or comparing the checksum with the one published in the release announcement.

If you already have a trusted version of GnuPG installed, you can check the supplied signature. For example, to check the signature of the file gnupg-2.2.44.tar.bz2, you can use this command:

$ gpg --verify gnupg-2.2.44.tar.bz2.sig gnupg-2.2.44.tar.bz2

Note: you should never use a GnuPG version you just downloaded to check the integrity of the source — use an existing, trusted GnuPG installation, e.g., the one provided by your distribution.

If the output of the above command is similar to the following, then either you don't have our distribution keys (our signing keys are here) or the signature was generated by someone else and the file should be treated suspiciously.

gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
gpg: Can't check signature: No public key
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Can't check signature: No public key

If you instead see:

gpg: Good signature from "Werner Koch (dist sig)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06

then you have a copy of our keys and the signatures are valid, but either you have not marked the keys as trusted or the keys are a forgery. In this case, at the very least, you should compare the fingerprints that are shown to those on the signing keys page. Even better is to compare the fingerprints with those shown on our business cards, which we handout at events that we attend.

Ideally, you'll see something like:

gpg: Signature made Fri 09 Oct 2015 05:41:55 PM CEST using RSA key ID 4F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
gpg: Signature made Tue 13 Oct 2015 10:18:01 AM CEST using RSA key ID 33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" [full]

This means that the signature is valid and that you trust this key (either you signed it or someone you trusted did).

If you are not able to use an old version of GnuPG, you can still verify the file's SHA-1 checksum. This is less secure, because if someone modified the files as they were transferred to you, it would not be much more effort to modify the checksums that you see on this webpage. As such, if you use this method, you should compare the checksums with those in release announcement. This is sent to the gnupg-announce mailing list (among others), which is widely mirrored. Don't use the mailing list archive on this website, but find the announcement on several other websites and make sure the checksum is consistent. This makes it more difficult for an attacker to trick you into installing a modified version of the software.

Assuming you downloaded the file gnupg-2.2.44.tar.bz2, you can run the sha1sum command like this:

sha1sum gnupg-2.2.44.tar.bz2

and check that the output matches the SHA-1 checksum reported on this site. An example of a sha1sum output is:

69c46d974e384839519acf0af762077f79def37f  gnupg-2.2.44.tar.bz2

For your convenience, all SHA-1 check-sums available for software that can be downloaded from our site, have been gathered below.

2d510a1a7294f2f9ef3f2e280c93c3ad9b0cdb68  gnupg-2.4.7.tar.bz2
dc6c234c76747a5ac078fe5d5300c926e2de57e2  gnupg-w32-2.4.7_20241125.exe
ca4502c7153ff18670668fbe687d96dc633f23bf  gnupg-2.5.6.tar.bz2
d5ba24e7f1996dc14e49d4573d73af6a4ca2f455  gnupg-w32-2.5.6_20250508.exe
69c46d974e384839519acf0af762077f79def37f  gnupg-2.2.44.tar.bz2
cf46f64db276fd8f097fe7ef5f3ff3ebf93218b9  gnupg-w32-2.2.44_20240812.exe
bf4c6725382f267b9000847db78a00174e08cb28  gnupg-desktop-2.4.3.0.tar.xz
28e216f7e10639eb1898be9bca35d13f3e0aab36  gnupg-desktop-2.4.3.0-x86_64.AppImage
d275a092181f08af0ef5e7b247a1a9a0ca7cb160  libgpg-error-1.55.tar.bz2
d33eb270cd74e8c23e263eb5cdb8f7de740f7b49  libgcrypt-1.11.1.tar.bz2
14715e6690bc9f81d7ef17ea58805186b022f75a  libgcrypt-1.8.11.tar.bz2
781acfb012cbb5328f41efcf82f723524e8d0128  libksba-1.6.7.tar.bz2
57fb6f59b1a07e5125115454f5ad4cb0665e0eef  libassuan-3.0.2.tar.bz2
ae52b4d49e17f17951655512949f745385804faf  ntbtls-0.3.2.tar.bz2
6f60ce8540453e120d715f269d0c7cfd9e0b0d24  npth-1.8.tar.bz2
fb0bbb88211558c8f7e652b4b6a675b1972fba04  pinentry-1.3.1.tar.bz2
dc1a730bbf4c63286655dcdd4e84f1cc3588d4c0  gpgme-1.24.2.tar.bz2
3f8a0ba9c7821049d51b982141a2330a246beb55  scute-1.7.0.tar.bz2
2e6568911581b8bb35bfef565350a84b3f832a84  gpa-0.11.0.tar.bz2
13747486ed5ff707f796f34f50f4c3085c3a6875  gnupg-1.4.23.tar.bz2
d4c9962179d36a140be72c34f34e557b56c975b5  gnupg-w32cli-1.4.23.exe

For your convenience, all SHA-256 check-sums available for software that can be downloaded from our site, have been gathered below.

7b24706e4da7e0e3b06ca068231027401f238102c41c909631349dcc3b85eb46  gnupg-2.4.7.tar.bz2
caf2904c02c02c94cbe137f01b63e5a43dbea92d27ea66e56f0af4af2c70c170  gnupg-w32-2.4.7_20241125.exe
377f9d79af0ce494c0946dbe7c92197425bb522d7edd6f54acbc9869695131a8  gnupg-2.5.6.tar.bz2
5a024cbeca4082b80969d167b6ea23fad6c5d7f3d572e271214c4e4472cf1e6f  gnupg-w32-2.5.6_20250508.exe
735b8b3e6d2330f66ab98336b060d5852a1a67cb2bc47ec7d1e5411577a8cadd  gnupg-2.2.44.tar.bz2
0454f1e92679b8f7e074c6a043f243e62a8ff9fa737a459ea8a95ad4af0ddb84  gnupg-w32-2.2.44_20240812.exe
81e0800cc090f8f387cee8e59b9f742f2e6d2d81a408414fc051a8df64e37d90  gnupg-desktop-2.4.3.0.tar.xz
4e6592eb820a853804f9bd1f39ee545af712b0cabd0bf4a773ffddaff12fdd33  gnupg-desktop-2.4.3.0-x86_64.AppImage
95b178148863f07d45df0cea67e880a79b9ef71f5d230baddc0071128516ef78  libgpg-error-1.55.tar.bz2
24e91c9123a46c54e8371f3a3a2502f1198f2893fbfbf59af95bc1c21499b00e  libgcrypt-1.11.1.tar.bz2
c98249fb5bb1f6017f5f9bf484327a940b59075bca7c46fa69ebb54098249860  libgcrypt-1.8.11.tar.bz2
cf72510b8ebb4eb6693eef765749d83677a03c79291a311040a5bfd79baab763  libksba-1.6.7.tar.bz2
d2931cdad266e633510f9970e1a2f346055e351bb19f9b78912475b8074c36f6  libassuan-3.0.2.tar.bz2
bdfcb99024acec9c6c4b998ad63bb3921df4cfee4a772ad6c0ca324dbbf2b07c  ntbtls-0.3.2.tar.bz2
8bd24b4f23a3065d6e5b26e98aba9ce783ea4fd781069c1b35d149694e90ca3e  npth-1.8.tar.bz2
bc72ee27c7239007ab1896c3c2fae53b076e2c9bd2483dc2769a16902bce8c04  pinentry-1.3.1.tar.bz2
e11b1a0e361777e9e55f48a03d89096e2abf08c63d84b7017cfe1dce06639581  gpgme-1.24.2.tar.bz2
437fe758b27c243a5ee2535c6b065ea1d09f2c9a02d83567d2f934bb6395c249  scute-1.7.0.tar.bz2
26a8fa5bf70541cb741f0c71b7cfe291b1ea56eab68eeb07aa962cef5cdf33cc  gpa-0.11.0.tar.bz2
c9462f17e651b6507848c08c430c791287cd75491f8b5a8b50c6ed46b12678ba  gnupg-1.4.23.tar.bz2