[Announce] sha1sum for MS Windows released

Werner Koch wk at gnupg.org
Thu Dec 9 17:16:22 CET 2004


Hi!

In the light of the recently found weaknesses in the MD5 hash function
we won't anymore accompany software announcements with MD5 checksums.
Instead SHA-1 checksums will be given.

All modern GNU/Linux systems are featuring a sha1sum tool, similar to
the md5sum too, so this there should be no problem checking the
checksums on these platforms.  For MS Windows no such tool is
available. To solve this problem, I wrote a simple sha1sum tool and
uploaded it along with a MS Windows binary (sha1sum.exe) to the GnuPG
ftp servers.  The source is also available and maybe used to check the
correctness or to build own binaries.  It should build on all
platforms.

There is of course a catch-22 in that you won't be able to check the
integrity of that tool without using it.  So you need to rely on other
ways of checking this tool; one possibility is to send it to a friend
and ask the friend to check the gpg signature for you.

Get it from ftp.gnupg.org at:

 ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.exe  (20k)
 ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.exe.sig

 ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.c (9k)
 ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.c.sig

Usage is:

  sha1sum <files>

This version of sha1sum does not feature the -c (--check) option so
that you have to compare the printed checksums using our own eyes.

Please note that if you already have a working GnuPG installation it
is better to check the integrity of a package using the GnuPG
generated signature which is usually in files sufficed with ".sig",
".sign", or ".asc".  Using the checksum is only way to bootstrap an
installation.  The sha1sum utility might also be useful to verify
software which does does come with a gpg signature.

Happy hacking,

  Werner


-- 
Werner Koch                                      <wk at gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe                  http://fsfeurope.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : /pipermail/attachments/20041209/9fcf47cf/attachment.pgp


More information about the Gnupg-announce mailing list