Thursday, May 27, 2010

Installing GPG

I finally got around to installing gpg.

I am exploring several packages from Apache. Instead of using md5, these packages are signed using gpg: http://www.gnupg.org/.

I did not find any free, GUI versions for Windows, so I installed the command-line version: http://www.gnupg.org/download/

I chose the binary version for Windows: GnuPG 1.4.10b compiled for Microsoft Windows.

I entered a recursive loop: How do I verify the binary?

There was a SHA-1 signature added to the download site for the file. Next step: install SHA-1!

I downloaded sha1sum from http://lists.gnupg.org/pipermail/gnupg-announce/2004q4/000184.html. It also had a gpg signature file. Recursion again: How do I verify that sha1sum.exe is correct?

Finally, I had to upload the gnupg.zip to a Linux machine that already had sha1sum installed.

The first step is to create a key pair:

gpg --gen-key

Then import the keys for people you know or trust. Apache has files that contain the keys for authors. Be sure to download the key file from Apache, not from a mirror.

gpg --import key_file

To test a file, include its .sig file:

gpg --verify file.sig file
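The two checks above, combined into one script. This is an added example, not part of the original post. It assumes sha1sum and gpg are on the PATH; the function names sha1_matches and sig_is_good are made up for illustration.

```shell
#!/bin/sh
# Added example: compare a download with its published SHA-1 digest, then
# check its detached signature against only the keys in a given key file.
# Function names are hypothetical; sha1sum and gpg must be installed.

# sha1_matches FILE EXPECTED_HEX
# Returns 0 if the digest matches, 1 if it differs, 2 if FILE is missing.
sha1_matches() {
    file=$1
    # Published digests are sometimes upper case or space-grouped.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' ')
    [ -f "$file" ] || return 2
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# sig_is_good KEY_FILE SIG_FILE DATA_FILE
# Returns 0 only if gpg reports GOODSIG for a key imported from KEY_FILE.
sig_is_good() {
    keys=$1
    sig=$2
    data=$3
    for f in "$keys" "$sig" "$data"; do
        [ -f "$f" ] || return 2
    done
    # Throwaway keyring: keys already in the personal keyring cannot make
    # an unrelated signature pass, and nothing is left behind afterwards.
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null
    # --status-fd prints machine-readable result lines. GOODSIG is emitted
    # only for a valid signature from a key that is not expired or revoked.
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$data" 2>/dev/null)
    rm -rf "$home"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '
}
```

A passing sig_is_good only shows that the file was signed by some key in the key file, so the key file itself still has to come from the project's own site, as noted above.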



After verifying, I found another utility for Windows that does MD5 and SHA1.
http://raylin.wordpress.com/2009/03/02/md5-sha-1-checksum-utility/
