GPG (GNU Privacy Guard) lets you verify that a downloaded file was signed by the developer who claims to have published it. It’s one of the strongest assurances you can get that a file hasn’t been tampered with. This guide walks through the entire process on Windows, from installation to verification.
Why GPG Verification Matters
Checksums verify integrity (the file wasn’t corrupted or altered), but they don’t verify authenticity (the file came from who you think it did). If an attacker compromises a download server, they can replace both the file and its checksum.
GPG signatures solve this: they prove the file was signed by a specific private key. As long as you trust that the public key belongs to the developer, a valid signature confirms authenticity.
For a broader overview of verification methods, see Verifying Downloads in 2026.
Step 1: Install Gpg4win
Gpg4win is the standard GPG distribution for Windows.
- Download from gpg4win.org
- Verify the download before running it: compare the SHA-256 checksum listed on the download page with the hash PowerShell computes
Get-FileHash gpg4win-*.exe -Algorithm SHA256
  See How to Verify Checksums for details. GPG is not installed yet at this point, so this cannot be a signature check: it catches a corrupted or swapped file, but it relies on the download page itself, fetched over HTTPS, being genuine.
- Run the installer — the default components (GnuPG, Kleopatra) are sufficient
- Verify the installation:
gpg --version
You should see the GnuPG version and supported algorithms.
Step 2: Understand the Trust Model
GPG uses public-key cryptography:
- The developer holds a private key (secret) and uses it to sign files
- The developer publishes a public key for anyone to download
- You import the public key and use it to verify signatures
- If the signature is valid, the file hasn’t been altered since the developer signed it
The critical question is: how do you know the public key actually belongs to the developer? This is solved by:
- Downloading the key from the developer’s official website (via HTTPS)
- Verifying the key fingerprint against what the developer publishes on multiple channels
- Checking who has certified (signed) the key: a certification from someone whose key you already trust vouches for it. Note that keys.openpgp.org does not distribute third-party certifications, and it only serves a key's name and e-mail after the address owner has confirmed them, so it attests that the key belongs to an e-mail address, not to a person
Step 3: Import the Developer’s Public Key
From a File
If the developer provides a .asc or .gpg key file:
gpg --import developer-signing-key.asc
From a Key Server
If the developer publishes the key's fingerprint:
gpg --keyserver hkps://keys.openpgp.org --recv-keys FINGERPRINT
Use the full 40-character fingerprint, not an 8- or 16-character key ID. Short key IDs can be deliberately collided, so a lookup by key ID may return a key that an attacker created to match it.
From GitHub
Many developers publish their keys in their GitHub profile or repository:
curl.exe -sL https://github.com/username.gpg | gpg --import
In PowerShell, plain curl is an alias for Invoke-WebRequest, so call curl.exe explicitly. GitHub serves whatever key the account owner uploaded, so the fingerprint check in Step 4 still applies.
Step 4: Verify the Key Fingerprint
This is the most important step. After importing, verify the fingerprint:
gpg --fingerprint developer@example.com
Here developer@example.com is a placeholder: pass the user ID (name or e-mail) or the key ID of the key you just imported.
Compare all 40 hexadecimal digits of the output fingerprint, character by character, with the fingerprint published on:
- The developer's official website (over HTTPS)
- Their verified social media profiles
- Their GitHub profile
- Security audit reports or documentation
If the fingerprints match on at least one channel independent of the one you fetched the key from, you can trust the key. If any digit differs, delete the key (see the Quick Reference) and do not use the download. Do not settle for matching only the last 8 or 16 digits: that is a key ID, which an attacker can reproduce on a different key.
Step 5: Verify a Download
Most GPG-signed software includes either a .sig or .asc signature file alongside the download.
Detached Signature (.sig or .asc)
gpg --verify software-1.0.exe.sig software-1.0.exe
Reading the Output
Good signature:
gpg: Signature made 03/15/26 14:32:00 GMT
gpg: using RSA key ABCDEF1234567890
gpg: Good signature from "Developer Name <developer@example.com>"
Bad signature (tampered file or signature):
gpg: BAD signature from "Developer Name <developer@example.com>"
Unknown key:
gpg: Can't check signature: No public key
If you see "BAD signature," do not use the file. If you see "No public key," you need to import the developer's key first. "Good signature" only tells you that the file was signed by some key in your keyring, so also confirm that the key named on the "using ... key" line is the one whose fingerprint you verified in Step 4; a valid signature from any other key is not proof of authenticity.
Step 6: Handle Trust Warnings
You may see:
gpg: WARNING: This key is not certified with a trusted signature!
This means you haven’t formally marked the key as trusted in GPG’s trust database. It doesn’t mean the signature is invalid — just that GPG can’t automatically confirm the key belongs to who it claims. If you’ve manually verified the fingerprint (Step 4), the signature is still reliable.
To suppress this warning for keys you've verified, certify the key with your own GPG key (this requires that you have a key of your own; Kleopatra can create one). A local signature (lsign) is never exported, so it records your own verification without publishing a claim to anyone else:
gpg --edit-key FINGERPRINT
> lsign
> save
Setting the key's ownertrust (the trust command in the same menu) is a different thing: it states how far you trust the key's owner to vouch for other people's keys. Marking the key "fully" trusted on its own does not make the key valid and does not remove the warning.
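The checks from Steps 4 to 6 can be automated, which matters when a build or deployment script verifies downloads unattended. The following script is an added example, not code from the original guide or from GnuPG: it runs gpg with --status-fd so the result is machine-readable, then accepts the file only if the signature is good and the signing key's primary fingerprint equals a fingerprint you pinned after checking it out of band. It assumes gpg (gpg.exe from Gpg4win) is on PATH; the status keywords it parses (GOODSIG, BADSIG, VALIDSIG, NO_PUBKEY) are the ones GnuPG documents in doc/DETAILS, and the sample status texts and fingerprints embedded below are constructed, not from any real key.

```python
"""Verify a detached GnuPG signature and pin the signing key's fingerprint.

Added example (not from the original guide or from GnuPG). Assumes gpg is on
PATH and that the expected 40-hex-digit fingerprint was checked out of band.
"""
import re
import subprocess
import sys
from dataclasses import dataclass, field


@dataclass
class VerifyResult:
    good: bool = False          # GOODSIG seen
    bad: bool = False           # BADSIG seen
    no_pubkey: bool = False     # NO_PUBKEY seen: key not in the keyring
    fingerprint: str = ""       # primary key fingerprint taken from VALIDSIG
    signer: str = ""            # user ID printed with GOODSIG/BADSIG
    errors: list[str] = field(default_factory=list)


def normalize_fpr(fpr: str) -> str:
    """Canonicalize a fingerprint as copied from a web page: drop spaces and a
    leading 0x, uppercase. Fewer than 40 hex digits is a key ID, not a
    fingerprint, and is rejected because short key IDs can be collided."""
    s = re.sub(r"\s+", "", fpr).upper()
    if s.startswith("0X"):
        s = s[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError(f"not a full 40-hex-digit fingerprint: {fpr!r}")
    return s


def parse_status(status_text: str) -> VerifyResult:
    """Reduce the [GNUPG:] status lines of one --verify run to a VerifyResult."""
    r = VerifyResult()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split(" ")
        kw = parts[1]
        if kw == "GOODSIG":
            r.good = True
            r.signer = " ".join(parts[3:])
        elif kw == "BADSIG":
            r.bad = True
            r.signer = " ".join(parts[3:])
        elif kw == "NO_PUBKEY":
            r.no_pubkey = True
        elif kw == "VALIDSIG":
            # VALIDSIG <sig-key fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <class> [<primary-key fpr>]
            # Signatures are usually made by a subkey; pin the primary key,
            # which is what developers publish. Fall back to the signing key
            # itself if gpg did not append the primary fingerprint.
            r.fingerprint = parts[11] if len(parts) > 11 else parts[2]
        elif kw in ("ERROR", "FAILURE"):
            r.errors.append(line)
    return r


def check_pinned(result: VerifyResult, expected_fpr: str) -> tuple[bool, str]:
    """Accept only a good signature whose primary key matches the pinned one."""
    want = normalize_fpr(expected_fpr)
    if result.bad:
        return False, "BAD signature: the file or the signature was modified"
    if result.no_pubkey:
        return False, "no public key: import and fingerprint-check the key first"
    if not (result.good and result.fingerprint):
        return False, "no valid signature found: " + "; ".join(result.errors)
    if result.fingerprint.upper() != want:
        return False, (f"good signature, but from key {result.fingerprint}, "
                       f"not the pinned key {want}")
    return True, f"good signature from pinned key {want} ({result.signer})"


def verify_file(sig_path: str, data_path: str, expected_fpr: str,
                gpg: str = "gpg") -> tuple[bool, str]:
    """Run gpg --verify with status lines on stdout and pin the signer."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return check_pinned(parse_status(proc.stdout), expected_fpr)


# Constructed sample status output; the fingerprints are fake, not a real key.
PINNED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Developer Name <developer@example.com>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2026-03-15 1773585120 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Developer Name <developer@example.com>
"""
SAMPLE_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY 89ABCDEF01234567
"""

if __name__ == "__main__":
    # Usage: python pin_verify.py software.exe.sig software.exe <fingerprint>
    ok, reason = verify_file(sys.argv[1], sys.argv[2], sys.argv[3])
    print(("OK: " if ok else "REJECT: ") + reason)
    sys.exit(0 if ok else 1)
```

Because the decision is made on the pinned fingerprint rather than on GPG's trust database, the TRUST_UNDEFINED status (the "not certified with a trusted signature" warning from Step 6) does not need to be silenced for scripted use; the script is the record of your own verification.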
Practical Example: Verifying VeraCrypt
VeraCrypt provides GPG signatures for all downloads:
- Download the VeraCrypt installer and its .sig file from veracrypt.fr
- Import the VeraCrypt signing key:
gpg --import VeraCrypt_PGP_public_key.asc
- Check the imported key's fingerprint against the one published on veracrypt.fr, as in Step 4
- Verify:
gpg --verify VeraCrypt_Setup_1.26.exe.sig VeraCrypt_Setup_1.26.exe
- Confirm "Good signature", and that the key named in the output is the VeraCrypt key you just checked
Quick Reference: GPG Verification Commands
| Task | Command |
|---|---|
| Import a key file | gpg --import key.asc |
| Import from keyserver | gpg --keyserver hkps://keys.openpgp.org --recv-keys FINGERPRINT |
| List imported keys | gpg --list-keys |
| Check fingerprint | gpg --fingerprint KEYID |
| Verify a signature | gpg --verify file.sig file |
| Delete a key | gpg --delete-keys KEYID |
Key Takeaways
- GPG verification confirms both integrity and authenticity of downloads
- Always verify the key fingerprint against multiple sources before trusting it
- "Good signature" from the key whose fingerprint you verified means the file is authentic; "BAD signature" means stop immediately
- Make GPG verification a habit for security-critical software
For safe download practices beyond GPG, see Avoiding Trojanised Installers.
Further Reading
- GnuPG Documentation — Official reference
- Gpg4win Compendium — Detailed Windows guide
- OpenPGP Key Server — Key discovery and publication
- CISA — Software integrity verification — Government guidance
- NIST SP 800-57 — Key Management — Cryptographic key best practices