Excuse me for starting a discussion of principles rather than answering your question. I am wondering if this is worth the trouble to bother with verification of, or if not, whether a hash check should be sufficient on the Windows platform. Allow me to explain…
The threat model in mind here is “always verify software signatures”. See:
Not a Whonix specific thing. General security advice. If you skipped that once for any software you ever installed, under that threat model you are under a very high risk. Only going the secure way for installing Whonix has very little gain in security.
In other words, did you verify all programs you installed on Windows? I.e. perhaps firefox, chrome, vlc, office, whatever you might be using.
If you already installed it previously, that would not undo any system compromise that may have happened during earlier execution.
If you keep downloading and installing applications such as firefox etc. without gpg verification, which is probably what most users do, then gpg verification of Whonix adds little benefit. In the case that you have not already been compromised by installing unverified software but the Whonix server was compromised and you figured out you got the right signing key, and verified Whonix, then this would prevent compromise.
So you tell me.
No amount of nested VMs or otherwise can help to defeat host compromise.
Verify Whonix. Might as well control what you can. Plus Whonix would be a more attractive target for well-armed adversaries than say Minesweeper, or even MS Office (which might compromise too many false positive targets, including perhaps lawmakers). Who would cry foul if a bunch of Whonix users got compromised?
Just download from the main site (or any site - if you’re going to verify the signature anyway). gpg4win has comprehensive documentation including a walkthrough for novices (with screenshots).
Your real problem is what to do after you download it since you have no means of verifying the signature.
I can suggest 2 options assuming that you’ve already installed Virtualbox. (I don’t think Oracle even provides signed binaries - only unsigned checksums.) So that’s bad… but you’re using Windows anyway so… you’ve decided to accept some risks.
1. Make a Linux VM. Download gpg4win.exe in the VM and use gpg on Linux to verify the signature. [You’ll have to learn how to use gpg or some front-end on Linux. You’ll probably want to do this anyway so you can learn more about Linux and experiment with commands (Whonix is based on Debian). Linux also requires less disk space and computing resources than Windows (option #2). Actually if you do this, you don’t even need gpg4win, just use this VM for downloading everything you want to verify.]
2. Make a Windows VM. Download and install gpg4win.exe on your VM. Use gpg4win to verify gpg4win.exe after the fact. If signature checks out, install it to your host. (Or do this on your host without the VM. But if signature is bad, what will you do? Trash the host?)
You are going to have many questions while learning to use Whonix (most of them will not be Whonix-specific at all - meaning you’re going to need other resources to get them answered.) A search engine is a good start: what is cd? what is a directory?
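As an added example (not from this thread, and not Whonix's or gpg4win's own tooling), here is the "got the right signing key, then verified" step from the posts above as a POSIX shell script you could run in the Linux VM of option 1: it refuses to import a public key unless its full fingerprint matches a value you pinned from an out-of-band source, and then accepts a detached signature only if it was made by that pinned key. The fingerprint below is a placeholder, not a real Whonix or gpg4win key, and `gpg` (GnuPG 2.1 or later) is assumed to be installed.

```shell
#!/bin/sh
# Added example: fingerprint-pinned verification of a download with gpg.
# EXPECTED_FPR is a placeholder; take the real value from the project's
# documentation and compare it against a second source before trusting it.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Import a public key file only if its fingerprint matches the pinned value.
# A key served by a compromised download server fails here instead of
# silently landing in the keyring.  Usage: import_pinned_key key.asc FPR
import_pinned_key() {
    key_file="$1"; want="$2"
    # show-only lists the key without storing it; field 10 of "fpr" is the fingerprint
    got=$(gpg --batch --with-colons --import-options show-only --import "$key_file" 2>/dev/null \
          | awk -F: '$1=="fpr"{print $10; exit}')
    if [ "$got" != "$want" ]; then
        echo "refusing key: fingerprint $got does not match pinned $want" >&2
        return 1
    fi
    gpg --batch --quiet --import "$key_file" 2>/dev/null
}

# Verify FILE against its detached signature SIG, accepting only a good
# signature made by the pinned key.  Returns 0 on success, 1 otherwise.
# Usage: verify_detached file file.asc FPR
verify_detached() {
    file="$1"; sig="$2"; want="$3"
    # Machine-readable status lines go to stdout; human text is discarded.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || true
    # GOODSIG alone is not enough: any key in the keyring would satisfy it.
    echo "$status" | grep -q '^\[GNUPG:\] GOODSIG' || return 1
    # VALIDSIG carries the signing key fingerprint (field 3) and, last, the
    # primary key fingerprint; either must equal the pinned value.  Pinning
    # replaces web-of-trust, so the TRUST_* lines are intentionally ignored.
    echo "$status" | awk -v want="$want" \
        '$2=="VALIDSIG" && ($3==want || $NF==want){ok=1} END{exit ok?0:1}'
}
```

Run it as `import_pinned_key whonix.asc "$EXPECTED_FPR" && verify_detached image.ova image.ova.asc "$EXPECTED_FPR"`; a non-zero exit means do not install.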