Can someone please explain to me how to verify a software signature ? Is gpg4win the correct application for this ? I have had trawled through so much obscure documentation to find out how to do this and still not find the answer surely this should be a simple straight forward procedure ? Anyway I download a software which has a separate .sig file to download which I did. How do I use this to make sure the software is the real developer version ? I downloaded an gpg4win with Kleopatra gui but is seems to be all about certificates I don't really understand all this. I can't import the .sig file because it is not a certificate file type. Edit: Apologies for posting this in the wrong forum I had been reading some posts in this one and forgot to switch to a more relevant one for this topic.