Verifying .sig files with Gpg4win

Follow the method below, quoted from the GnuPG Gpg4win website:

OpenPGP signatures

If you upgrade your Gpg4win version, you already have GnuPG installed and you can verify the integrity of the downloaded file by its OpenPGP signature. To do so, you have to download, next to the file, the signature of the file. You'll find the download links on the Gpg4win package integrity site. The key with which the files are signed is also given on that page. You have to import the public key, and then you can validate the signature of the file with the command

gpg --verify gpg4win*.exe.sig gpg4win*.exe

Make sure that the non-default GPA component is installed when installing Gpg4win.

When running the command:
gpg --verify gpg4win*.exe.sig gpg4win*.exe

You may get the error:
'gpg' is not recognized as an internal or external command,
operable program or batch file.

This can be fixed by updating your PATH variable.

Adding the Folder with the Gpg4win Tools to the PATH Variable

This is one method to fix this (from stackoverflow.com):

When you receive this error message, "gpg is not recognized as an internal or external command", you need to update your PATH variable.
To do this without a reboot:
Open up a command prompt window.
Paste this in:
SET PATH=%PATH%;C:\Program Files (x86)\GNU\GnuPG
Hit Enter.

Another way is to:
Type Environment into Windows Search, then click on "Edit the system environment variables".

Click on “Environment Variables”:

Then select the PATH variable at the top of the dialogue box.
Click Edit.
Add
;C:\Program Files (x86)\GNU\GnuPG
to the end of the existing text.
Click OK 3 times.
Then restart your machine and try
gpg --verify gpg4win*.exe.sig gpg4win*.exe
again.

Now, after a restart, trying again in the command window:
gpg --verify gpg4win*.exe.sig gpg4win*.exe
gives
E:\My-Valnondat\Foss\Verifying FOSS with signatures and hashes\PGP4Win>gpg --verify gpg4win*.exe.sig gpg4win*.exe
gpg: Signature made 14/10/2022 17:24:16 GMT Summer Time
gpg: using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: Can't check signature: No public key

Search on keys.openpgp.org for the EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA found above and save the resulting public key:

Start Kleopatra and import the downloaded public key 6DAA6E64A76D2840571B4902528897B826403ADA.asc:

Alternatively, use Lookup on Server from within Kleopatra and import the key:

Click yes:

Click yes to create an OpenPGP certificate for yourself.

Add your name and email address:

OpenPGP Certificate made:

Change the Certification Trust by right-clicking the imported certificate:

Change the Trust Level to:
I believe checks are very accurate

Now trying again in the command window:
E:\My-Valnondat\Foss\Verifying FOSS with signatures and hashes\PGP4Win>gpg --verify gpg4win*.exe.sig gpg4win*.exe
gpg: Signature made 14/10/2022 17:24:16 GMT Summer Time
gpg: using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: Good signature from "Werner Koch (dist signing 2020)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA

If you certify the imported certificate by right-clicking it:

then the command window output looks like this:
E:\My-Valnondat\Foss\Verifying FOSS with signatures and hashes\PGP4Win>gpg --verify gpg4win*.exe.sig gpg4win*.exe
gpg: Signature made 14/10/2022 17:24:16 GMT Summer Time
gpg: using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: Good signature from "Werner Koch (dist signing 2020)" [full]
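
Whether gpg prints [unknown] or [full] only reflects how much you have told your keyring to trust the key; what proves the download is genuine is that the primary key fingerprint in the output equals the one published on the Gpg4win package integrity page. The script below is an added example (not part of the original post or of Gpg4win) that runs the same gpg --verify command with machine-readable status output and accepts the file only when gpg reports a valid signature made by a key with the expected fingerprint. The expected fingerprint is the one shown in the output above; the status lines it is exercised with are constructed to mirror the two runs shown on this page.

```python
import subprocess
from typing import Optional

# Fingerprint reported by gpg above; check it against the Gpg4win integrity page.
EXPECTED_FPR = "6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA"


def parse_primary_fingerprint(status_text: str) -> Optional[str]:
    """Return the primary-key fingerprint from a VALIDSIG status line, or None
    when gpg reported no valid signature (missing key, bad signature, ...)."""
    for line in status_text.splitlines():
        parts = line.split()
        # VALIDSIG <sig-fpr> <date> <ts> <expire> <ver> <res> <pkalgo> <hashalgo> <class> <primary-fpr>
        if len(parts) >= 12 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[11].upper()
    return None


def fingerprint_matches(status_text: str, expected: str = EXPECTED_FPR) -> bool:
    """True only if gpg reported a valid signature AND the signing key's primary
    fingerprint equals the expected one; the key's trust level does not matter."""
    found = parse_primary_fingerprint(status_text)
    return found is not None and found == expected.replace(" ", "").upper()


def verify_download(sig_path: str, data_path: str, expected: str = EXPECTED_FPR) -> bool:
    """Run gpg on a real .sig/.exe pair; --status-fd 1 sends status lines to stdout."""
    try:
        proc = subprocess.run(
            ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
            capture_output=True, text=True)
    except FileNotFoundError:
        raise RuntimeError("gpg not found; add the Gpg4win folder to PATH") from None
    return fingerprint_matches(proc.stdout, expected)


# Constructed status output mirroring the successful run shown above (key imported).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 528897B826403ADA Werner Koch (dist signing 2020)
[GNUPG:] VALIDSIG 6DAA6E64A76D2840571B4902528897B826403ADA 2022-10-14 1665764656 0 4 0 22 8 00 6DAA6E64A76D2840571B4902528897B826403ADA
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed status output mirroring the first run ("Can't check signature: No public key").
SAMPLE_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 528897B826403ADA 22 8 00 1665764656 9 6DAA6E64A76D2840571B4902528897B826403ADA
[GNUPG:] NO_PUBKEY 528897B826403ADA
"""

if __name__ == "__main__":
    print(fingerprint_matches(SAMPLE_GOOD), fingerprint_matches(SAMPLE_NO_KEY))  # True False
```

Call verify_download("gpg4win-x.y.z.exe.sig", "gpg4win-x.y.z.exe") on a real download once gpg is on PATH and the public key has been imported.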

Useful video going through this method:

3 comments

[…] Install the optional GPA part as shown here […]

This no longer works as GPA has been removed from Gpg4win.

Thank you. I’ve removed the reference to GPA now.
