I started by using GPG4Win for verifying the signed installers, as recommended by, among others, Keepass and Veracrypt.
After some time I got it working, and now noticed that GPG4win should also be able to verify the checksums that come with the installers.
As using GUI-based verification (right-click-verify) could save a lot of time in theory, I thought I'd try out this nifty feature. However, for the first day, I could not get it to work, nor find any information on how to use it, as most Googled tutorials explain how to use GPG4Win/Kleopatra for signature verification, not for hash verification.
It is not mentioned in your Documentation/compendium, and the Wiki entry is empty:
https://wiki.gnupg.org/GpgEX
I finally found a site that explained that the file should be named sha1sum.txt and be in the format shasum space space filename, and from there on got it to work on a few keys.
I wrote a 'tutorial' for myself of what worked and did not work, and thought I'd share it here. Please tell me if what I found is correct or not. (And if it is correct, please use it to update your wiki. In my search for an answer I found more people struggling with how to use it.)
Tried on Win10 with WinGPG 2.3.2 and gpg4win-3.0.0-beta279
PS:
Of course, once I got here to post I found THIS tutorial, which rejects most of what I found, as it allows a PGP signature in a differently named sha file…
https://www.howtogeek.com/246332/how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with/
==================
Use only on sha1sum.txt; right-click: More GpgEx Options> Verify checksum.
Do NOT use on file to be verified, it will give an error.
A checksum file contains the sha1 hash, followed by TWO spaces, followed by the filename, finishing with a RETURN and empty line
Creating a (new) Checksum WILL overwrite the current file WITHOUT asking.
The checksum file MUST be named ‘sha1sum.txt’
The file MAY contain multiple checksums/filenames
The filename MAY include the directory the file is in
The hash MUST be a sha1 hash (not SHA256, 512, md5 etc)
The hash MAY NOT contain spaces
Examples
Right: sha1sum.txt
5cecfa817642ea40a84e70ef6c7822a41b7aeb77  C:/Users/USER/Downloads/KeePass-2.36-Setup.exe
OR:
sha1sum.txt
5cecfa817642ea40a84e70ef6c7822a41b7aeb77  KeePass-2.36-Setup.exe
26c38609dd4e67bbee65091d09f35356dcac0b58  C:/Users/USER/Downloads/gpg4win-2.3.4.exe
WRONG: Filename
Keepass.txt
5cecfa817642ea40a84e70ef6c7822a41b7aeb77  KeePass-2.36-Setup.exe
WRONG: no empty line
sha1sum.txt
5cecfa817642ea40a84e70ef6c7822a41b7aeb77  KeePass-2.36-Setup.exe
WRONG: spaces
sha1sum.txt
B10B1397 97E2604E 6F14B35C 96A6B07C 658272D2  KeePass-2.36.zip
WRONG: SHA256 hash not sha1 hash
sha1sum.txt
5FB46A14E19B47E354E3E7D36C9A85965D62A2D181AC746CFF33053A521A77B1  KeePass-2.36.zip
Wrong: everything
<KeePass-2.36.zip>
MD5 : 79E4A9E6 DAEBEC2E 0319E650 08E7C2CD
SHA1 : B10B1397 97E2604E 6F14B35C 96A6B07C 658272D2
SHA256 : 5FB46A14 E19B47E3 54E3E7D3 6C9A8596
5D62A2D1 81AC746C FF33053A 521A77B1
Size64 : 00000000 002F52FD
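==================
Added example (not part of the original post, and not GpgEX code): a small Python helper that turns a grouped vendor digest like the one in the "Wrong: everything" listing into a sha1sum.txt entry in the layout the post reports working, and lints an existing file against those rules. The function names are made up for this example, and writing the hash in lowercase is an assumption taken from the post's "Right" examples.

```python
import hashlib
import re

HEX40 = re.compile(r"[0-9A-Fa-f]{40}")

def normalize_sha1(raw):
    """Collapse a grouped digest ('B10B1397 97E2604E ...') to 40 lowercase hex digits."""
    digest = re.sub(r"\s+", "", raw).lower()
    if not HEX40.fullmatch(digest):
        raise ValueError(f"not a SHA-1 digest ({len(digest)} chars): {raw!r}")
    return digest

def checksum_line(raw_hash, filename):
    """One sha1sum.txt entry: hash, TWO spaces, filename, newline."""
    return f"{normalize_sha1(raw_hash)}  {filename}\n"

def lint_checksum_text(text):
    """List the ways `text` departs from the layout the post reports working."""
    problems = []
    if not text.endswith("\n"):
        problems.append("last line is not terminated by a newline")
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # a blank line at the end is allowed
        digest, sep, name = line.partition("  ")
        if not sep or not name:
            problems.append(f"line {n}: expected <hash><two spaces><filename>")
        elif not HEX40.fullmatch(digest):
            problems.append(f"line {n}: {digest!r} is not a 40-digit SHA-1")
    return problems

def sha1_of(path):
    """SHA-1 of a file, read in 1 MiB chunks so a large installer is never held in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

if __name__ == "__main__":
    # Digest and filename copied from the post's "Wrong: everything" listing.
    text = checksum_line("B10B1397 97E2604E 6F14B35C 96A6B07C 658272D2", "KeePass-2.36.zip")
    print(text, end="")
    print(lint_checksum_text(text) or "layout OK")
```

A matching SHA-1 only shows that the download equals what the checksum file describes; the signature check mentioned at the top of the post is what ties the file to its publisher.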