SHA-1 vs. SHA-256 checksums (was: Different SHA1 Checksum using Microsoft file checksum integrity verifier)

Daniel Kahn Gillmor dkg at
Sun Jan 24 20:30:07 CET 2016

On Sun 2016-01-24 13:55:38 -0500, Werner Koch wrote:
> If you talk to people on how they verify SSH fingerprints (that is even
> MD5 for most installations)

SSH key fingerprints are a different thing than software distribution
checksums because the material digested in ssh originates entirely from
one party, whereas the software distribution checksums can potentially
be influenced by multiple parties.  

> you will so often hear: “Oh, I look at the first and a few of the
> last digits only”.

right, this is not a cryptographically-strong verification :)

> We can assume that this won't be different for SHA-1 checksums - does
> anyone believe that by switching to SHA-256 they would check many more
> digits?

if they don't check more digits, then we can't help them.  but it'd be
nice to offer a way for people to do a cryptographically-strong check if
they decide to do so.

but in general, i agree with you that published checksums are stopgap
measures at best, mainly fit for detecting corrupted downloads, and not
particularly useful against a targeted attack.

>> Also, the OpenPGP signature published at
>> itself uses SHA1
>> internally.  This is also a bad idea.  signatures published today should
> Yes, that should be fixed because it is easy and not subject to the UX
> problems described above.  FWIW, for GnuPG proper we switched to
> SHA-256 in 2012 (gnupg 1.4.12).
> [1] Right, the GnuPG speedo build script with its signed and published
>     list of package versions also uses SHA-1 and that should be fixed
>     before 2.2.  (filed as bug at 2226)

great, thanks!


More information about the Gnupg-users mailing list