I don't know what version you'd downloaded but...
Say it's Tomcat7.
In Tomcat7 download page, there's a link to the public key in "Release Integrity" section.
First you should do is to download the KEY file, and import it such like "gpg --import KEY.txt".
(Sorry, I'm not a Windows user. But things should happen almost the same, I hope.)
Maybe you find a warning such like "untrusted key" but it can be ignored.
Then verify it.
This is my result:
$ gpg --verify apache-tomcat-7.0.16.tar.gz.asc apache-tomcat-7.0.16.tar.gz
gpg: Signature made Sat Jun 11 19:52:32 2011 JST using RSA key ID 2F6059E7
gpg: Good signature from "Mark E D Thomas <firstname.lastname@example.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A9C5 DF4D 22E9 9998 D987 5A51 10C0 1C5A 2F60 59E7
It says that the file was signed by "Mark E D Thomas <email@example.com>", and seemingly the file can be trusted.
Actually, IIRC that's an MD5 checksum, not an encryption.
Linux comes with a program named "md5sum". Windows doesn't - as far as I know. It's not the kind of thing that Windows typically includes. So for that platform, you'll have to find an md5 checking program on your own.
When it comes to destroying a civilization, gas chambers cannot hold a candle to echo chambers.
Wait for it ... wait .... wait .... NOW! Pafiffle! A perfect tiny ad!
how do I do my own kindle-like thing - without amazon