Integrity Check

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways.

Using gpg

If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-{{{gnupg_ver}}}.tar.bz2 you would use this command:

gpg --verify gnupg-2.0.22.tar.bz2.sig

This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key.

Never use a GnuPG version you just downloaded to check the integrity of the source - use an existing GnuPG installation.

Using sha1sum

If you are not able to use an old version of GnuPG, you have to verify the SHA1 checksum. Assuming you downloaded the file gnupg-2.0.22.tar.bz2, you would run the sha1sum command like this:

sha1sum gnupg-2.0.22.tar.bz2

and check that the output matches the SHA-1 checksum reported on this site. An example of a sha1sum output is:

9ba9ee288e9bf813e0f1e25cbe06b58d3072d8b8  gnupg-2.0.22.tar.bz2

To be sure that this page has not been tampered, you may want to compare the list below with the one included in the announcement mail posted to several mailing list.

SHA-1 Sum Summary

For your convenience, all SHA1 sums available for software that can be downloaded from our site, have been gathered below.

a7a7d1432db9edad2783ea1bce761a8106464165  dirmngr-1.1.0.tar.bz2
ead70b47218ba76da51c16b652bee2a712faf2f6  gnupg-1.4.15-1.4.16.diff.bz2
ea40324a5b2e3a16ffb63ea0ccc950a3faf5b11c  gnupg-1.4.16.tar.gz
0bf5e475f3eb6f33d5474d017fe5bf66070e43f4  gnupg-1.4.16.tar.bz2
82079c7c183467b4dd3795ca197983cd2494cec4  gnupg-w32cli-1.4.16.exe
9ba9ee288e9bf813e0f1e25cbe06b58d3072d8b8  gnupg-2.0.22.tar.bz2
ffdb5e4ce85220501515af8ead86fd499525ef9a  gpgme-1.4.3.tar.bz2
8bd3826de30651eb8f9b8673e2edff77cd70aca1  libassuan-2.1.1.tar.bz2
f03d9b63ac3b17a6972fc11150d136925b702f02  libgcrypt-1.6.1.tar.bz2
259f359cd1440b21840c3a78e852afd549c709b8  libgpg-error-1.12.tar.bz2
241afcb2dfbf3f3fc27891a53a33f12d9084d772  libksba-1.3.0.tar.bz2
eeee9e80ea02f63bdac1cb03eb1785ab2cd57f90  pinentry-0.8.2.tar.bz2

CC-BY-SA 3.0
These web pages are Copyright 1998--2014 The GnuPG Project¹ and licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. See copying for details.