SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?
Werner Koch
wk at gnupg.org
Fri Mar 18 17:02:11 CET 2016
On Fri, 18 Mar 2016 15:45, dkg at fifthhorseman.net said:
> On any modern Windows installation (since Vista at least, i think) there
> is "certutil.exe"
I know but I have also seen on the gpg4win mailing list that people have
problems using it or any other tool.
Also worse than checksums or real signatures, I meanwhile think that an
Authenticode signature would overall improve the situation.
> Right, but surely you wouldn't advocate only displaying the first and
> last few digits of the SHA1 digest just because most people aren't going
> to look at anything else. Right?
Ack.
> glad that we at least offer SHA-1, even though it's longer and harder to
> read than MD5, which itself is longer and harder to read than CRC32 :P
Well, MD5 is out of every discussion - despite that not too old OpenSSH
versions still use it for fingerprints by default. But then again, who
really checks the fingerprints ;-)
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are governed by a federal law.