Hi Eli,

Thanks for pointing out the announcement email. Unfortunately it doesn't include the SHA hashes for the Windows files.

Also, verifying the signature on Windows, I am not sure if this is the expected output; to me it looks like it failed.

From command line:

    PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --keyserver keyserver.ubuntu.com --recv-keys 17E90D521672C04631B1183EE78DAE0F3115E06B
    gpg: key E78DAE0F3115E06B: "Eli Zaretskii " not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --verify .\emacs-28.1.zip.sig
    gpg: assuming signed data in '.\emacs-28.1.zip'
    gpg: Signature made 2022-04-21 4:11:30 PM Eastern Daylight Time
    gpg: using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007
    gpg: Can't check signature: No public key
    PS C:\downloads>

From UI: [inline image]

I think adding the SHA hashes somewhere remains a valuable addition; using and verifying the signature on Windows is more complicated than it needs to be.

Regards
Ali

________________________________
From: Eli Zaretskii
Sent: May 27, 2022 8:28 AM
To: Lars Ingebrigtsen
Cc: shishini@outlook.com ; 55666@debbugs.gnu.org <55666@debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads

> Cc: 55666@debbugs.gnu.org
> From: Lars Ingebrigtsen
> Date: Fri, 27 May 2022 12:59:25 +0200
>
> Ali Elshishini writes:
>
> > May you please include a list of SHA-256 hashes for the downloads in
> > https://www.gnu.org/software/emacs/download.html
> >
> > This will provide an easy and secure way to verify downloads
> > Please note that the experience to verify the signature on Windows is very poor
> > and it for me at least ended up with the file not being verified because of missing
> > public key
> >
> > A SHA-256 hash will be a simple solution
>
> That would require people to edit that web page every time they generate
> a package, which would be error prone and require too much work of the
> people who build the packages.
>
> The packages are signed, which I think should be more than sufficient,
> so I'm closing this bug report.

In addition, one can find the SHA values in the announcements made on
info-gnu-emacs. Here's the one about Emacs 28.1:

  https://lists.gnu.org/archive/html/info-gnu-emacs/2022-04/msg00000.html

You can similarly search for announcements of the older releases.
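
Added example, not part of the thread and not code from GnuPG or the Emacs project: a small Python check covering both verification routes discussed above. It reads the gpg transcript quoted in the message to tell "nothing was verified because the signing key is absent" apart from a good or bad signature, and compares a file's SHA-256 with a published digest. The helper names (signing_key, diagnose, sha256_matches) are hypothetical, and gpg's English messages are assumed.

```python
import hashlib
import hmac
import re

# gpg --verify output as quoted in the message above.
GPG_VERIFY_OUTPUT = """\
gpg: assuming signed data in '.\\emacs-28.1.zip'
gpg: Signature made 2022-04-21 4:11:30 PM Eastern Daylight Time
gpg: using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007
gpg: Can't check signature: No public key
"""
# Fingerprint passed to --recv-keys in the same session.
IMPORTED = ["17E90D521672C04631B1183EE78DAE0F3115E06B"]


def signing_key(gpg_output):
    """Return the fingerprint or key ID gpg says made the signature, or None."""
    m = re.search(r"using \w+ key ([0-9A-Fa-f]{16,40})", gpg_output)
    return m.group(1).upper() if m else None


def diagnose(gpg_output, imported):
    """Classify a gpg --verify transcript (English messages assumed)."""
    key = signing_key(gpg_output)
    if "BAD signature" in gpg_output:
        return ("bad-signature", key)
    if "Good signature" in gpg_output:
        return ("good-signature", key)
    if "No public key" in gpg_output:
        # Nothing was verified; report whether the needed key was ever imported.
        have = key is not None and any(f.upper().endswith(key) for f in imported)
        return ("no-public-key" if have else "signing-key-not-imported", key)
    return ("unknown", key)


def sha256_matches(path, expected_hex):
    """Stream the file through SHA-256 and compare with a published digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_hex.strip().lower())


if __name__ == "__main__":
    print(diagnose(GPG_VERIFY_OUTPUT, IMPORTED))
```

For the transcript above the result is "signing-key-not-imported": the key fetched with --recv-keys is not the key named in the "using RSA key" line, so the download was neither confirmed nor rejected.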