SHA-1 checksums to be replaced with something better at ?

Werner Koch wk at
Fri Mar 18 17:02:11 CET 2016

On Fri, 18 Mar 2016 15:45, dkg at said:

> On any modern Windows installation (since Vista at least, I think) there
> is "certutil.exe"

I know but I have also seen on the gpg4win mailing list that people have
problems using it or any other tool.

Also worse than checksums or real signatures, I meanwhile think that an
Authenticode signature would overall improve the situation.

> Right, but surely you wouldn't advocate only displaying the first and
> last few digits of the SHA1 digest just because most people aren't going
> to look at anything else.  Right?
> glad that we at least offer SHA-1, even though it's longer and harder to
> read than MD5, which itself is longer and harder to read than CRC32 :P

Well, MD5 is out of every discussion - despite the fact that not-too-old
OpenSSH versions still use it for fingerprints by default.  But then again,
who really checks the fingerprints ;-)
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
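The thread mentions that certutil.exe is available on modern Windows for computing digests, and that comparing only the first and last few digits of a digest is not a real check. The script below is an added example, not code from the thread, from GnuPG or from Gpg4win: it runs certutil -hashfile, parses the digest out of its output (older Windows versions print the bytes separated by spaces, newer ones print them contiguously), and compares the whole digest against the value published by the project. The file path and the expected digest are placeholders; replace them with the real ones from the download page.

```powershell
# Added example (not from the gnupg-users thread): verify a downloaded file's
# digest on Windows with the built-in certutil.exe. Path, expected digest and
# algorithm are placeholders; take the real values from the project's download page.
param(
    [string]$Path      = 'C:\Downloads\installer.exe',                      # placeholder
    [string]$Expected  = '<paste the FULL digest published on the download page>',
    [ValidateSet('MD5','SHA1','SHA256','SHA512')]
    [string]$Algorithm = 'SHA256'
)

function Get-CertutilDigest {
    param([string]$Path, [string]$Algorithm)
    # certutil prints a header line, the digest line and a status line. Only the
    # digest line is pure hex once whitespace is removed, so select on that.
    $out = & certutil.exe -hashfile $Path $Algorithm 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil failed: $out" }
    foreach ($line in $out) {
        $hex = ("$line" -replace '\s', '')
        if ($hex -match '^[0-9a-fA-F]+$') { return $hex.ToLower() }
    }
    throw "could not find a digest line in certutil output"
}

function Test-Digest {
    param([string]$Actual, [string]$Expected, [string]$Algorithm)
    # Hex digit count of a full digest for each algorithm.
    $fullLength = @{ MD5 = 32; SHA1 = 40; SHA256 = 64; SHA512 = 128 }[$Algorithm]
    $exp = ($Expected -replace '\s', '').ToLower()
    # Refuse truncated values: matching a prefix or suffix proves very little.
    if ($exp.Length -ne $fullLength) {
        throw "expected digest has $($exp.Length) hex digits; a full $Algorithm digest has $fullLength"
    }
    return ($Actual -eq $exp)
}

$actual = Get-CertutilDigest -Path $Path -Algorithm $Algorithm
if (Test-Digest -Actual $actual -Expected $Expected -Algorithm $Algorithm) {
    Write-Host "OK: $Algorithm digest of $Path matches the published value"
    exit 0
} else {
    Write-Host "MISMATCH: computed $actual, expected $Expected"
    exit 1
}
```

On PowerShell 4 or later, Get-FileHash -Algorithm SHA256 can replace the certutil call, but the comparison logic is the same: normalise case and whitespace, insist on a full-length digest, and compare all of it. A digest match only shows the download is the file the project published; it does not establish who published it, which is the point the thread makes about real signatures.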

More information about the Gnupg-users mailing list