Umm... that's how I do it, only with command line programs:
First of all, it's the SHA256SUMS.asc file that needs to be verified, not the executable itself:
gpg --import c:\wherever\gavinandresen.asc
gpg --verify c:\wherever\sha256sums.asc
When gpg is happy (gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <email@example.com>") you can take a peek inside the SHA256SUMS.asc file.
You will find, amongst other things, this line:
What it tells you is that the current Bitcoin installer package for Windows has a SHA256 checksum of 6943830d0cc1e6514297d761017007c23da365c6b4f0e8e769a5a131825e5b32.
The digital signature guarantees this information is correct and has not been tampered with.
Now let's calculate the checksum of the actual installer:
is a great and free GUI tool you can use to calculate pretty much any checksum you need.
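
An added example, not part of the original post: a scripted version of the last two steps, assuming gpg --verify has already reported a good signature. It takes the expected checksum only from the signed region of SHA256SUMS.asc (text outside the PGP markers is not covered by the signature) and compares it with the installer's actual SHA-256. The file name example-setup.exe and all sample data are constructed.

```python
import hashlib
import os
import tempfile

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_body(asc_text):
    """Return only the lines the clearsign signature covers, dash-escaping undone."""
    lines = asc_text.splitlines()
    start = lines.index(BEGIN_MSG)        # ValueError if not clearsigned
    end = lines.index(BEGIN_SIG, start)
    blank = lines.index("", start, end)   # armor headers end at first blank line
    return [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:end]]

def expected_hash(asc_text, filename):
    """SHA-256 listed for filename inside the signed region, or None."""
    for line in signed_body(asc_text):
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0].lower()

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def installer_matches(asc_text, path):
    want = expected_hash(asc_text, os.path.basename(path))
    return want is not None and want == file_sha256(path)

def demo():
    """Constructed sample: temp 'installer' plus a fake .asc with a decoy line."""
    name = "example-setup.exe"            # hypothetical file name
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"constructed installer bytes")
        asc = "\n".join(["0" * 64 + "  " + name,   # decoy outside signed region
                         BEGIN_MSG, "Hash: SHA256", "", file_sha256(path) + "  " + name,
                         BEGIN_SIG, "(placeholder, not a real signature)"])
        before = installer_matches(asc, path)
        with open(path, "ab") as f:
            f.write(b"!")                 # simulate a tampered download
        return before, installer_matches(asc, path)

if __name__ == "__main__":
    print(demo())
```

The parser does not check the signature itself; it only makes sure the checksum being compared comes from the part of the file that gpg verified.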