SHA1 collision found

Melvin Carvalho melvincarvalho at
Fri Feb 24 16:43:37 CET 2017

On 23 February 2017 at 19:24, <sivmu at> wrote:

> Today it was announced that SHA1 is now completely broken
> sha1-collision.html

This is nonsense.

Google security team calling sha1 "completely broken" simply means google's
security team is completely broken.

Fearmongering like this is unhelpful to the open source community.

GPG is sound because you can only find a collision which is no big deal and
we knew already, but you cannot compromise a hash.

This simply wastes everyone's time.

> A few weeks back it was mentioned that there is a new proposal for an
> openpgp standard including a new algorithm for pgp fingerprints.
> As this is currently not applicable in practice, I would like to know what
> this new development means for pgp-gnupg and the use of SHA1 for key
> identification.
> After researching how the fingerprint is generated, I think it would be
> easy to include a new option in gnupg to print a fingerprint using sha256.
> Would that be something that will/can be included in future versions of
> gnupg?
> That way users could publish both the sha1 and sha256 fingerprint in the
> future.