To check whether a file came from a legitimate source, we often need to compare its signature and checksum. But how do we do that? As an example, we will download the Cygwin installer and then check that it came from a legitimate source by verifying its detached signature against the public key published by the software distributor. We will use the gpg utility.

Go to the URL:

Run setup-x86_64.exe any time you want to update or install a Cygwin package for 64-bit Windows. The signature for setup-x86_64.exe can be used to verify the validity of this binary using the public key here.

Step 1 – Download and install public key

Save the public key to a file named pubring.asc and import it into your local keyring, then list the keys to confirm it was added:

gpg --import pubring.asc
gpg --list-keys

Step 2 – Download file and signature

Once the public key is installed, download the installation file and its corresponding signature file. The file names should look as follows: setup-x86_64.exe.sig and setup-x86_64.exe.

Step 3 – Run file signature verification

Once both files are in place, open a terminal in that directory and verify the signature against the installation file:

gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
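Step 3 is usually done by eye, and gpg's "This key is not certified with a trusted signature!" warning then confuses people. The script below is an added example, not code from the original post or from the Cygwin project: it runs the same gpg command with --status-fd so the result can be judged from gpg's machine-readable status lines, and it accepts the file only if the signature is good and was made by a key whose fingerprint you pinned out of band (the fingerprint constant is a placeholder, and the sample status output at the bottom is constructed, not real Cygwin key data).

```python
import subprocess
from dataclasses import dataclass, field

# Added example, not from the original post. PLACEHOLDER fingerprint: take the real
# one from the distributor's site and compare it out of band before pinning it here.
EXPECTED_FPR = "0000000000000000000000000000000000000000"

@dataclass
class VerifyResult:
    good_sig: bool = False   # GOODSIG seen: the signature itself is valid
    signer_fpr: str = ""     # fingerprint of the (sub)key that signed (VALIDSIG)
    primary_fpr: str = ""    # fingerprint of its primary key (VALIDSIG last field)
    trust: str = ""          # TRUST_* level gpg derived from the web of trust
    problems: list = field(default_factory=list)

def parse_status(status_text: str) -> VerifyResult:
    """Parse the '[GNUPG:] ...' lines that gpg --status-fd emits."""
    r = VerifyResult()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        tag = parts[1]
        if tag == "GOODSIG":
            r.good_sig = True
        elif tag == "VALIDSIG":  # fpr date ts expire ver res pkalgo hash class [primary]
            r.signer_fpr = parts[2].upper()
            r.primary_fpr = parts[-1].upper() if len(parts) >= 12 else r.signer_fpr
        elif tag.startswith("TRUST_"):
            r.trust = tag
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            r.problems.append(line[len("[GNUPG:] "):])
    return r

def is_acceptable(r: VerifyResult, expected_fpr: str = EXPECTED_FPR) -> bool:
    """Good signature from the pinned key. TRUST_UNDEFINED (the cause of the 'not
    certified with a trusted signature' warning) is ignored: the pinned fingerprint
    replaces the web-of-trust check."""
    want = expected_fpr.replace(" ", "").upper()
    return bool(want) and r.good_sig and not r.problems and want in (r.signer_fpr, r.primary_fpr)

def verify_file(sig_path: str, file_path: str, expected_fpr: str = EXPECTED_FPR) -> bool:
    """Step 3 of the post, with status lines sent to stdout so they can be parsed."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
                          capture_output=True, text=True, check=False)
    return is_acceptable(parse_status(proc.stdout), expected_fpr)

# Constructed sample status output (not real Cygwin key data) for offline testing.
SAMPLE_GOOD = ("[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
               f"[GNUPG:] VALIDSIG {'A' * 40} 2024-01-01 1704067200 0 4 0 1 10 00 {'B' * 40}\n"
               "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
```

A real run is `verify_file("setup-x86_64.exe.sig", "setup-x86_64.exe", "<fingerprint from the distributor>")`; a result of False with TRUST_UNDEFINED alone is not the failure, a fingerprint mismatch or BADSIG/NO_PUBKEY is.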
