== Install SignTools ==
The following instructions install SignTool in Windows 10 (stable release). For earlier Windows releases (Windows XP, Vista, 7 and 8) users can install SignTool by substituting the corresponding SDK Installer found in the [https://developer.microsoft.com/en-us/windows/downloads/sdk-archive Windows SDK archives] for the Windows 10 SDK installer in the below instructions.
[https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe SignTools] is a Windows command-line tool that uses [https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode Authenticode] to digitally sign files and verify both signatures in files and time stamp files. SignTool is available as part of [https://en.wikipedia.org/wiki/Microsoft_Windows_SDK Mirosoft Windows SDK], which can be can be installed in just a few easy steps. Once installed it can be used to verify the gpg4win package before installation.
{{Box|text=
'''1.''' Browse to https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
* Right-click Downloading The Installer → Right-click Save → Right-click Run.
'''2.''' Set the correct path.
After the the installer finishes loading:
* Right-click Continue → choose PATH → C:\Users\\Downloads\Windows Kits\\WindowsSDK → Right-click Next.
'''Figure:''' ''Choose SDK Installation Path''
[[image:sdk_installer_specify_download_path.png]]
'''3.''' Install the necessary SDK package.
The Windows SDK installer provides a number of different packages that can be installed. The only package needed for gpg4win verification is Windows SDK Signing Tools for Desktop Apps (SignTools). Be mindful that earlier SDK version packages may be named differently from later SDK versions. For example, the package that contains SignTool in SDK for Windows 8.1 is named Windows Software Developmental Kit. This differs from the corresponding package in Windows 10.
'''Figure:''' ''Select SignTools Package''
[[image:select_sdk_features_for_download.png]]
Once the box to the corresponding package is "checked", right-click Download. Once installation is complete, close the installer.
'''Figure:''' ''Finalized SDK Download''
[[image:sdk_installer_download_complete.png]]
}}
== Download and Verify Gpg4win ==
SignTool can be used to verify the authenticity of the gpg4win package itself.
Note: To simplify the SignTool verification process be sure to download the gpg4win package to the Downloads directory.
{{Box|text=
'''1.''' Download the gpg4win package.
* Navigate to https://files.gpg4win.org
* Scroll down and download the latest version of gpg4win and the corresponding signature. At the time of writing (August 2020) gpg4win-3.1.12.exe was the latest version.
* Since the Intevation CA certificate has been imported, no errors should be encountered when the gpg4win package is downloaded.
'''2.''' Verify the gpg4win package by running SignTool from the command prompt.
To open a command prompt, in the Windows Start Menu, run.
{{CodeSelect|code=
cmd.exe
}}
From the command prompt, change to the Downloads directory.
{{CodeSelect|code=
cd C:\Users\\Downloads
}}
Verify the gpg4win package using SignTool.
{{CodeSelect|code=
signtool verify /pa gpg4win-3-1.12.exe
}}
The following output shows a successful gpg4win verification.
'''Figure:''' ''Successful Verification''
[[image:signtool_verify_gpg4win_success.png]]
{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text = '''Warning:''' if verification fails, delete the gpg4win package and repeat the download and verification process again.
}}
}}