SHA-1 checksums to be replaced with something better at ?

Werner Koch wk at
Fri Mar 18 16:57:50 CET 2016

On Fri, 18 Mar 2016 08:21, wk at said:

> I'll look at how we can improve the description on the web page.

Actually the current text does not look too bad:

   If you are not able to use an old version of GnuPG, you can still
   verify the file's SHA-1 checksum.  This is less secure, because if
   someone modified the files as they were transferred to you, it
   would not be much more effort to modify the checksums that you see
   on this webpage.  As such, if you use this method, you should
   compare the checksums with those in the release announcement.  This
   sent to the gnupg-announce mailing list (among others), which is
   widely mirrored.  Don't use the mailing list archive on this
   website, but find the announcement on several other websites and
   make sure the checksum is consistent.  This makes it more difficult
   for an attacker to trick you into installing a modified version of
   the software.



Thoughts are free.  Exceptions are regulated by a federal law.

More information about the Gnupg-users mailing list
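The cross-checking procedure the quoted web page describes (compute the tarball's SHA-1, then compare it against the checksum in several independently obtained copies of the release announcement and require them all to agree) as an added example; this is not code from the original post, from GnuPG, or from the gnupg.org web page. It assumes the announcement copies have been saved as local text files containing `sha1sum`-style lines (`<40 hex digits>  <filename>`); the hosts, filenames and tarball contents below are constructed stand-ins, and `verify_against_mirrors` is a name chosen here.

```shell
#!/bin/sh
# Added example: refuse a download unless its SHA-1 matches every copy of the
# release announcement, so a checksum altered on one site stands out.
# Assumptions (not from the original post): announcement copies are local
# files with "<sha1>  <filename>" lines; "hosts" are constructed files.

# Print the SHA-1 of a file, using whichever tool the system provides.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# announced_sha1 ANNOUNCEMENT FILENAME: print the checksum the announcement
# lists for FILENAME (lower-cased), or nothing if the file is not mentioned.
announced_sha1() {
    # Escape regex metacharacters in the filename so "." cannot match anything.
    _esc=$(printf '%s' "$2" | sed 's/[.[\*^$]/\\&/g')
    grep -E "^[0-9a-fA-F]{40}[[:space:]]+\*?${_esc}\$" "$1" \
        | head -n 1 | cut -d' ' -f1 | tr 'A-F' 'a-f'
}

# verify_against_mirrors FILE ANNOUNCEMENT...: return 0 only if FILE's SHA-1
# equals the value in every announcement copy.  A single disagreeing or
# silent copy is treated as evidence of tampering (or a stale mirror).
verify_against_mirrors() {
    _file=$1; shift
    [ $# -ge 2 ] || { echo "need at least two independent announcement copies" >&2; return 1; }
    _actual=$(sha1_of "$_file")
    _name=$(basename "$_file")
    for _ann in "$@"; do
        _expected=$(announced_sha1 "$_ann" "$_name")
        if [ -z "$_expected" ]; then
            echo "$_ann: no checksum listed for $_name" >&2
            return 1
        fi
        if [ "$_expected" != "$_actual" ]; then
            echo "$_ann: MISMATCH expected $_expected got $_actual" >&2
            return 1
        fi
    done
    echo "OK: $_name matches all $# announcement copies ($_actual)"
    return 0
}

# Demonstration on constructed data: three agreeing copies pass, a copy whose
# checksum was altered in transit fails.  Returns 0 if both outcomes hold.
demo() {
    _tmp=$(mktemp -d) || return 1
    _tar="$_tmp/gnupg-2.1.11.tar.bz2"        # stand-in for the real download
    printf 'constructed tarball contents\n' > "$_tar"
    _h=$(sha1_of "$_tar")
    for _i in 1 2 3; do                      # "fetched" from three hosts
        printf '%s  gnupg-2.1.11.tar.bz2\n' "$_h" > "$_tmp/announce.host$_i"
    done
    # A fourth copy whose checksum was replaced by an attacker (constructed).
    printf '%s  gnupg-2.1.11.tar.bz2\n' "$(printf '%040d' 0)" > "$_tmp/announce.tampered"

    verify_against_mirrors "$_tar" "$_tmp/announce.host1" "$_tmp/announce.host2" "$_tmp/announce.host3"
    _ok=$?
    if verify_against_mirrors "$_tar" "$_tmp/announce.host1" "$_tmp/announce.tampered"; then
        _bad=0                               # tampering went unnoticed
    else
        _bad=1                               # tampering was detected
    fi
    rm -rf "$_tmp"
    [ "$_ok" -eq 0 ] && [ "$_bad" -eq 1 ]
}

demo
```

Note that this only makes the attacker's job harder, as the page says: it still depends on the copies coming from genuinely independent hosts, and SHA-1 remains weaker than a signature check with an already-trusted GnuPG.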