Checking an installer’s hash/digest is a good best practice, but Windows doesn’t have a built-in program for it. While PowerShell scripts can do these calculations, the commands are verbose and I don’t like PowerShell anyway. Enter Gpg4win…

Gpg4win is a email and file encryption package for Windows that includes the Gnu Privacy Guard. It implements the OpenPGP standard and is widely used to sign, verify, encrypt, and decrypt files.

--print-md is a command to calculate a hash using md5, sha1, sha256, and more:

  • gpg --print-md md5 .\setup.exe
  • gpg --print-md sha1 .\setup.exe
  • gpg --print-md sha256 .\setup.exe

Or use the * parameter to show all formats:

  • gpg --print-md * .\setup.exe