gnupg installation and verification

[john doe]

On 6/7/2019 9:13 PM, Samir Zulfiquar wrote:
> Hello I just downloaded gnupg and tried to install and verify it.
> Unfortunately I hardly know how to do anything with a computer other than
> the basics, so maybe I just didn't interpret the instructions correctly. I
> downloaded the installer and the open pgp signature to verify it (I have no
> clue what a pgp signature even is). after I downloaded both I opened the
> pgp signature file which didn't seem to do much other than bring up text of
> some sort of code. I then installed gnupg, but I wasn't sure if I verified
> it correctly. so I decided to try again. I looked at the website again and
> tried right clicking on the gpg4win-3.1.8 file and went to "moreGpgEX
> options" and clicked verify. The computer tried to verify it with the pgp
> signature file but failed. I then went to the wiki page on integrity
> checks. Most of the things there were too technical for me to understand.
> the only thing I was able to do is check the file length, which was exactly
> what it was supposed to be. It dose not seem like there were any download
> problems, but I highly doubt it could be an attacker like the website said
> (I downloaded both of the files from gnupg's own website and not some other
> place) Anyway could someone explain in Leyman's terms what to do? Sorry if
> the question sounds stupid.
>
>

If you don't have access to an other instance of gpg, you don't have any
other choise then to first install gpg4win and 'verify' if the
downloaded executable has not been tempered with.
That is, what you have already done.

You should familiorize your self with 'checksum' 'gpg signature
verification', the below URL is a start:

https://security.stackexchange.com/questions/189000/how-to-verify-the-checksum-of-a-downloaded-file-pgp-sha-etc

--
John Doe