How to verify the downloaded GPG Suite?

Verify SHA256 checksum

This check works without gpg installed:

  1. download GPG Suite
  2. open the Terminal app (easiest to find via Spotlight, the magnifying-glass icon at the top right of your menu bar)
  3. type shasum -a 256 followed by a space
  4. drag the downloaded GPG Suite dmg file into the Terminal window (this inserts its full path)
  5. press Enter

The resulting SHA-256 checksum must match, character for character, the checksum published on https://gpgtools.org. A match shows that the download is the file the site describes; it does not by itself prove who built it, which is what the signature check below is for.

Verify signature

This check requires gpg to be installed on your system.

We sign each release with our team key. To verify the signature:

  1. download GPG Suite
  2. download the matching GPG signature (.sig) file from https://gpgtools.org
  3. if GPG Suite is already installed on your system, skip this step, as our public key comes pre-installed with GPG Keychain. Otherwise import our public key
  4. the dmg and the sig file must be located in the same folder (the signature file is named after the dmg, with .sig appended)
  5. double-click the signature file and GPG Services will show the verification result

[Screenshot: GPG Services notification reporting the signature as untrusted]

Click the notification for details:
[Screenshot: verification details dialog showing the untrusted signature]

An untrusted signature is expected here and nothing to worry about: "untrusted" describes the trust level of our key in your keyring, not the signature itself, which has been verified. Before relying on that result, compare the fingerprint of the signing key shown in the dialog with the team key fingerprint given below. This KB-article explains how to verify and sign a key so that the key becomes trusted.

Our public key may have expired. This is expected, since the key carries an expiration date and GPG Keychain has no automatic update check that refreshes all keys. In that case select the public key for team@gpgtools.org (Fingerprint 85E3 8F69 046B 44C1 EC9F  B07B 76D7 8F05 00D0 26C4) and press Cmd + U, or select Key > Update from Key Server from the menu bar. The key should then be updated and valid again. Should that not be the case, please open a new discussion.

Verify signature of any file

Signing releases is common practice, and verifying the signature of downloaded files is routine with software such as Tor Browser or Tails.

  1. download the file
  2. download the corresponding GPG signature file (usually with a .sig or .asc extension)
  3. import into GPG Keychain the public key that matches the secret key used to sign the file you want to verify
  4. to ensure the correct public key is used, compare the fingerprint given on the developer's website with the fingerprint of the imported key
  5. make sure the signature file and the file you want to verify are located in the same folder
  6. double-click the signature file and GPG Services will show the verification result
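The two signature procedures above (the GPG Suite release and any other signed download), done on the command line instead of through GPG Services, as an added example that is not code from this article or from GPGTools. It parses gpg's machine-readable --status-fd output rather than its human-readable messages, which is the only reliable way to script this, and it separates what the "untrusted" notification corresponds to (a TRUST_ status line) from the checks that matter: a VALIDSIG line whose fingerprint is the one the developer published. The team fingerprint is the one given above; the sample status lines are constructed for the demonstration, not captured from a real run, and the .dmg/.sig file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the GPG Suite KB article: verify a detached
# OpenPGP signature with gpg and insist that it was made by the key whose
# fingerprint the developer publishes. "untrusted" in GPG Services means
# the key's trust level in your keyring (TRUST_UNDEFINED below), not that
# the signature failed; a signature from the WRONG key would also verify.

# Fingerprint of the GPGTools team key, as printed in the article above.
TEAM_FPR='85E3 8F69 046B 44C1 EC9F  B07B 76D7 8F05 00D0 26C4'

# check_gpg_status EXPECTED_FPR  (reads "gpg --status-fd 1" output on stdin)
# Prints one verdict and returns 0 only for VALID:
#   VALID         valid signature from the expected key
#   WRONG_KEY     valid signature, but from some other key
#   EXPIRED_KEY   signed by an expired key: refresh it from the key server
#   BAD           signature does not verify
#   NO_PUBKEY     signing key is not in the keyring: import it first
#   NO_SIGNATURE  gpg reported no signature at all
check_gpg_status() {
    # Normalise the expected fingerprint: drop spaces, uppercase hex.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr abcdef ABCDEF)
    seen_valid=0; seen_bad=0; seen_expired=0; seen_nokey=0; key_ok=0
    while IFS= read -r line; do
        # TRUST_UNDEFINED / TRUST_NEVER / TRUST_FULLY ... describe only your
        # own trust settings for the key and do not change the verdict.
        case $line in
            '[GNUPG:] VALIDSIG '*)
                seen_valid=1
                # Fields: [GNUPG:] VALIDSIG <signing-key-fpr> ... <primary-key-fpr>
                # set -f stops "[GNUPG:]" being expanded as a glob pattern.
                set -f; set -- $line; set +f
                sig_fpr=$3
                shift $(($# - 1)); primary_fpr=$1
                # Releases are often signed by a subkey, so accept a match on
                # either the signing key or the primary key fingerprint.
                if [ "$sig_fpr" = "$expected" ] || [ "$primary_fpr" = "$expected" ]; then
                    key_ok=1
                fi ;;
            '[GNUPG:] EXPKEYSIG '*) seen_expired=1 ;;
            '[GNUPG:] BADSIG '*)    seen_bad=1 ;;
            '[GNUPG:] NO_PUBKEY '*) seen_nokey=1 ;;
        esac
    done
    if   [ $seen_bad = 1 ];     then verdict=BAD
    elif [ $seen_nokey = 1 ];   then verdict=NO_PUBKEY
    elif [ $seen_expired = 1 ]; then verdict=EXPIRED_KEY
    elif [ $seen_valid = 1 ] && [ $key_ok = 1 ]; then verdict=VALID
    elif [ $seen_valid = 1 ];   then verdict=WRONG_KEY
    else verdict=NO_SIGNATURE
    fi
    printf '%s\n' "$verdict"
    [ "$verdict" = VALID ]
}

# verify_detached_sig SIGFILE FILE EXPECTED_FPR
# --batch: never prompt; --status-fd 1: machine-readable status on stdout.
# The human-readable chatter on stderr is discarded; the verdict is what counts.
verify_detached_sig() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_gpg_status "$3"
}

# Constructed sample of what gpg prints for a good signature by the team key
# (dates, timestamps and user ID are made up for the demonstration).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76D78F0500D026C4 team@gpgtools.org
[GNUPG:] VALIDSIG 85E38F69046B44C1EC9FB07B76D78F0500D026C4 2024-01-01 1704067200 0 4 0 1 10 00 85E38F69046B44C1EC9FB07B76D78F0500D026C4
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Offline demonstration on the sample: prints VALID although the key is
# "untrusted" (TRUST_UNDEFINED), because validity and trust are different things.
printf '%s\n' "$SAMPLE_STATUS" | check_gpg_status "$TEAM_FPR"

# Real use (placeholder file names; the .sig sits beside the .dmg):
#   verify_detached_sig GPG_Suite.dmg.sig GPG_Suite.dmg "$TEAM_FPR"
```

For any other project, pass the fingerprint from that developer's website as the third argument; an EXPIRED_KEY verdict is the command-line counterpart of the expired-key situation described above and is fixed the same way, by refreshing the key from the key server.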