Are SHA1 sums on checked regularly?

Werner Koch wk at
Fri Jul 26 01:12:21 CEST 2013

On Thu, 25 Jul 2013 21:33, takethebus at said:

> Which mailing lists are meant? Can't emails be tampered, too? If I've

The GnuPG mailing list and all the mailing list archives.  If an
attacker would modify the archive on the server, he would also
need to change the independent archives like gmane etc.  I'm pretty sure
this will be spotted relatively soon.  Oh and well the attacker would
also need to tell you why the signature of the mail does not anymore
check out.

In any case we don't rely on the checksums but on the OpenPGP signatures
which are created by me using a smartcard hosted key.  But see also the
article I mentioned in my other reply.



Thoughts are free.  Exceptions are regulated by a federal law.
