I don't know what version you'd downloaded but...
Say it's Tomcat7.
In Tomcat7 download page, there's a link to the public key in "Release Integrity" section.
First you should do is to download the KEY file, and import it such like "gpg --import KEY.txt".
(Sorry, I'm not a Windows user. But things should happen almost the same, I hope.)
Maybe you find a warning such like "untrusted key" but it can be ignored.
Then verify it.
This is my result:
$ gpg --verify apache-tomcat-7.0.16.tar.gz.asc apache-tomcat-7.0.16.tar.gz
gpg: Signature made Sat Jun 11 19:52:32 2011 JST using RSA key ID 2F6059E7
gpg: Good signature from "Mark E D Thomas <email@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A9C5 DF4D 22E9 9998 D987 5A51 10C0 1C5A 2F60 59E7
It says that the file was signed by "Mark E D Thomas <firstname.lastname@example.org>", and seemingly the file can be trusted.
Actually, IIRC that's an MD5 checksum, not an encryption.
Linux comes with a program named "md5sum". Windows doesn't - as far as I know. It's not the kind of thing that Windows typically includes. So for that platform, you'll have to find an md5 checking program on your own.
Customer surveys are for companies who didn't pay proper attention to begin with.