How to Verify a PGP Signature on Windows 10
Downloading and executing an exe file on Windows is safer when it comes with a PGP signature that you can verify.
How do you check a PGP signature though? I've always avoided it until now, when I needed to make double-certain that a certain installer was the real deal.
Installing the Windows 10 SDK
Unfortunately, Windows 10 does not offer any such tool out of the box; instead it requires installing the Windows 10 SDK.
After downloading and installing from the link above, the SignTool utility should become available. This is what you'll be using to verify PGP signatures.
Checking the PGP signature
Let's assume you downloaded a file called installer.exe from whatever website. If the website provided a PGP signature, it will likely be named installer.exe.asc, so download it into the same folder as the .exe.
First, locate the exact path of signtool.exe. Mine ended up in a weirdly-named folder: C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64. You may have multiple folders named similarly to 10.0.17763.0. Browse all of them until you find the tool.
Next, open Command Prompt and navigate to the directory where the file (.exe) and its signature (.exe.asc) reside.
Then run this command:
# simplified - when you have signtool in your path
signtool verify /pa installer.exe
# full
C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe verify /pa installer.exe
If the verification succeeded, you will see this message:
Successfully verified: <path>\installer.exe
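The steps above as a PowerShell script (an added example, not code from the original post): it searches every Windows Kits\10\bin\<version>\x64 folder for signtool.exe, runs verify /pa on the installer and reports the result by exit code. Note that signtool verify /pa checks the Authenticode signature embedded in the .exe itself and does not read the detached installer.exe.asc; a detached PGP signature is checked with a PGP tool such as GnuPG (gpg --verify installer.exe.asc installer.exe). The installer name and the Windows Kits root are assumptions taken from the post.

```powershell
# Added example: locate signtool.exe under the Windows 10 SDK and verify an installer's
# embedded (Authenticode) signature with "signtool verify /pa", as described above.
# The default paths below are assumptions; adjust them for your machine.

param(
    [string]$Installer = ".\installer.exe",
    [string]$KitsRoot  = "${env:ProgramFiles(x86)}\Windows Kits\10\bin"
)

function Find-SignTool {
    param([string]$Root)
    # The SDK drops one folder per version (e.g. 10.0.17763.0); pick the newest x64 copy.
    Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+$' } |
        Sort-Object { [version]$_.Name } -Descending |
        ForEach-Object { Join-Path $_.FullName 'x64\signtool.exe' } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
}

function Test-InstallerSignature {
    param([string]$SignTool, [string]$Path)
    if (-not (Test-Path $Path)) { throw "File not found: $Path" }
    # /pa = default authentication verification policy; /v also prints the signer chain,
    # so you can confirm the certificate subject matches the vendor you expect.
    $output = & $SignTool verify /pa /v $Path 2>&1
    $output | ForEach-Object { Write-Host $_ }
    # signtool exits 0 on success, 1 on failure and 2 on warnings; trust only 0.
    return ($LASTEXITCODE -eq 0)
}

$signtool = Find-SignTool -Root $KitsRoot
if (-not $signtool) {
    throw "signtool.exe not found under $KitsRoot - install the Windows 10 SDK first."
}
Write-Host "Using $signtool"

if (Test-InstallerSignature -SignTool $signtool -Path $Installer) {
    Write-Host "Signature OK: $Installer"
} else {
    Write-Warning "Signature check FAILED for $Installer - do not run it."
    exit 1
}
```

Run it from the folder holding installer.exe, or pass -Installer with the full path; a non-zero exit code means the file should not be executed.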
This guide is based on these instructions, and adapted for my own use-case.