Tag: Command Line Heroes

  • how to gpg verify packages

    Packages and applications downloaded from the internet could have malware added to them, so it is important to verify what we download. This matters more now that so many open-source packages are available: they can easily be tampered with, and similar-looking packages downloaded from unofficial repositories could contain harmful code.

    Luckily, packages from trusted open-source sites provide a GPG signature, which can be used to check and validate the authenticity of the packages.

    If you have installed Git for Windows, it comes with Git Bash, which includes the gpg package, and that can be used to validate packages.

    Verifying the Emacs package downloaded from the official GNU mirror:

    $ gpg --verify emacs-28.1-installer.exe.sig emacs-28.1-installer.exe
    gpg: Signature made Fri Apr 22 01:41:02 2022 IST
    gpg:                using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007
    gpg: Can't check signature: No public key
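
The "No public key" result above means nothing has been verified yet. The following is an added example, not part of the original post: it reads GnuPG's machine-readable `--status-fd` lines and accepts a download only when the signature is good and comes from a pinned fingerprint. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from GnuPG's machine-readable status lines whether a
# detached signature is good AND was made by the key we pinned.

# Constructed status lines (not captured from a real run) for the key on this page.
FPR=ECE77CF417C76C1ACFCE7C2B5B6135511580F007
SAMPLE_NO_KEY="[GNUPG:] ERRSIG 5B6135511580F007 1 10 00 1650571862 9 $FPR
[GNUPG:] NO_PUBKEY 5B6135511580F007"
SAMPLE_GOOD="[GNUPG:] GOODSIG 5B6135511580F007 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG $FPR 2022-04-21 1650571862 0 4 0 1 10 00 $FPR"

# classify_gpg_status EXPECTED_FPR   (status lines on stdin)
# Prints: trusted | wrong-key | no-public-key | bad-signature | not-verified
classify_gpg_status() {
    # Normalise the pinned fingerprint: strip spaces, upper-case the hex.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]"  { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "GOODSIG"   { good = 1 }   # not emitted for expired/revoked keys
        $2 == "VALIDSIG"  { fpr = toupper($3)
                            primary = (NF >= 12) ? toupper($12) : "" }
        END {
            if (bad)                       print "bad-signature"
            else if (nokey)                print "no-public-key"
            else if (!good || fpr == "")   print "not-verified"
            else if (fpr == want || primary == want) print "trusted"
            else                           print "wrong-key"
        }'
}

# verify_pinned SIG FILE EXPECTED_FPR: run gpg and succeed only on "trusted".
verify_pinned() {
    verdict=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
              classify_gpg_status "$3")
    echo "$verdict"
    [ "$verdict" = trusted ]
}
```

The pinned fingerprint should come from the project's own release notes or key page, obtained separately from the download being checked.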