Use an Old Version

• 1). Run a trusted and pre-installed version of GnuPG. Use a version you had downloaded directly from GNU or had received from a friend who had previously tested it.
  
  
• 2). Click on the text box command line. Type the command "gpg -- verify" and the name of a file you have installed. For example, you could use the file " gnupg-1.4.11.tar.bz2.sig," which means you'd type "gpg -- verify gnupg-1.4.11.tar.bz2.sig" and run the command.
  
  
• 3). Let the program run until it is finished. Wait as long as necessary, as the time it takes to check the signature can vary depending on your computer and the program.
  
  
• 4). Read the message that pops up after the program has run. It will state whether or not the signature is good or if it doesn't match. Uninstall the non-trustworthy GnuPG program immediately.
  
  

Using SHA 1 Checksum

• 1). Open the GPG program you are testing, and click on the text command line at the bottom.
  
  
• 2). Type the command "sha1sum" followed by a file name. Use one of the file names from this list: "gnupg-1.4.11.tar.bz2," "gnupg-1.4.11.tar.gz," "gnupg-1.4.10-1.4.11.diff.bz2," "gnupg-w32cli-1.4.11.exe," "gnupg-2.0.17.tar.bz2," "pinentry-0.8.1.tar.gz," "dirmngr-1.1.0.tar.bz2," "gpgme-1.3.0.tar.bz2," "libassuan-2.0.1.tar.bz2," "libgcrypt-1.5.0.tar.bz2," "libgpg-error-1.10.tar.bz2" or "libksba-1.2.0.tar.bz2."
  
  
• 3). Read the result, and double-check the result with the list of possible checksums at the "GnuPG Integrity" website. Each file should only have one sha1sum checksum. Immediately remove your copy of the program if it does not match.