SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?
Werner Koch
wk at gnupg.org
Fri Mar 18 16:57:50 CET 2016
On Fri, 18 Mar 2016 08:21, wk at gnupg.org said:
> I'll look at how we can improve the description on the web page.
Actually the current text does not look too bad:
    If you are not able to use an old version of GnuPG, you can still
    verify the file's SHA-1 checksum. This is less secure, because if
    someone modified the files as they were transferred to you, it
    would not be much more effort to modify the checksums that you see
    on this webpage. As such, if you use this method, you should
    compare the checksums with those in release announcement. This is
    sent to the gnupg-announce mailing list (among others), which is
    widely mirrored. Don't use the mailing list archive on this
    website, but find the announcement on several other websites and
    make sure the checksum is consistent. This makes it more difficult
    for an attacker to trick you into installing a modified version of
    the software.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
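
The cross-check that the quoted web page text describes, as an added example that is not part of the original message or of GnuPG's own tooling: it accepts a file only when several independently obtained copies of the announcement list the same SHA-1 checksum and the file matches it. It assumes `sha1sum`-style "digest filename" lines in the announcement; the file name, mirror labels and sample data are constructed.

```python
import hashlib
import re

# Assumed announcement format: sha1sum-style "<40 hex digits>  <filename>" lines.
SHA1_LINE = re.compile(r"\b([0-9a-fA-F]{40})\s+\*?(\S+)")

def sha1_of(data):
    return hashlib.sha1(data).hexdigest()

def announced_digests(text, filename):
    """All SHA-1 digests one announcement copy lists for filename."""
    return {m.group(1).lower() for m in SHA1_LINE.finditer(text)
            if m.group(2) == filename}

def verify(data, filename, copies, min_sources=2):
    """copies maps a source label to the announcement text fetched from it.
    Returns (ok, reason); ok only if enough copies agree and the file matches."""
    seen = {}
    for source, text in copies.items():
        digests = announced_digests(text, filename)
        if len(digests) > 1:
            return False, f"{source} lists conflicting checksums"
        if digests:
            seen[source] = digests.pop()
    if len(seen) < min_sources:
        return False, "too few independent copies list a checksum"
    if len(set(seen.values())) != 1:
        return False, f"announcement copies disagree: {sorted(seen.items())}"
    if sha1_of(data) != next(iter(seen.values())):
        return False, "file does not match the announced checksum"
    return True, f"file matches the checksum in {len(seen)} copies"

# Constructed sample data: a stand-in file and hypothetical mirror labels.
DATA = b"constructed stand-in for a release tarball\n"
NAME = "example-1.0.tar.bz2"
GOOD = f"Release announcement\n\n{sha1_of(DATA)}  {NAME}\n"
COPIES = {"mirror-a.example": GOOD,
          "mirror-b.example": "> " + GOOD.replace("\n", "\n> ")}
# One copy altered in transit to advertise a modified file's checksum.
TAMPERED = dict(COPIES, **{"mirror-c.example":
                           f"{sha1_of(b'modified file')}  {NAME}\n"})

if __name__ == "__main__":
    print(verify(DATA, NAME, COPIES))
    print(verify(b"modified file", NAME, TAMPERED))
```

A disagreement between copies is reported rather than settled by majority, since the check cannot tell which copy was altered.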