Are SHA1 sums on checked regularly?

takethebus at takethebus at
Thu Jul 25 21:33:09 CEST 2013

Hi everybody,

SHA1 sums of gnupg software are published and it is said:

"To be sure that this page has not been tampered, you may want to 
compare the list below with the one included in the announcement mail 
posted to several mailing list".

Which mailing lists are meant? Can't emails be tempered, too? If I've 
just downloaded gnupg and if I'm not on any mailing list, what can I do? 
I feel it would be nice to add the following lines to the descrition on 
the homepage:

"The authors of gnupg keep an offline copy of the SHA1 sums of their 
programs and try to compare them with the SHA1 sums presented here every 
week. Thus, if you have been comparing your SHA 1 sum with the one on 
the homepage for several days and they matched every time, you can be 
rather sure your version of gnupg has not been tampered."

My question now is: Does such a check realy take place and if so, how 
often is it preformed?

Further I feel the following lines should be added to the homepage, 
especialy because it might be useful for windows users:

"In order to calculate the SHA1 sums you should at least use two 
different programs. On the internet many free programs can be found 
which can be used for that."

What do you think? I'm grateful for answers.

More information about the Gnupg-users mailing list