Verifying and checksumming new release is somewhat cumbersome

Stefan Claas spam.trap.mailing.lists at
Fri Nov 27 23:07:12 CET 2020

On Thu, Nov 26, 2020 at 9:18 PM Werner Koch via Gnupg-users
<gnupg-users at> wrote:
> Hi,
> and thanks for asking.
> On Thu, 26 Nov 2020 19:12, john doe said:
> > Is there a URL to download those sha1sums and those public keys as files?
> The problem with sha1sums is that a single publication would be easy to
> fake.  The only known countermeasure is to widely distribute them.  We
> do have them on the website as you noticed, they are sent out by signed
> mail to several thousand subscribers, and our and other mail archives
> carry the release announcement with the checksums.
> No, there is no single file with the checksums because that would be
> too easy a target for an attacker.

Maybe not common among programmers, but you could easily clearsign
the shasums text file and then additionally use a public time stamping service,
so that first-time users would know that the signed shasums file had actually
been signed on day x at time y, if you also provided the .ots file.
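As an added example (not code from the thread's participants or from the GnuPG project), here is the receiving side of what Stefan proposes: split a clearsigned checksum list into cleartext and signature armor, undo the dash-escaping that clearsigning applies to lines beginning with "-", verify the signature with gpg against a keyring pinned out of band, and only then compare the downloaded files against the listed digests. The file names, file contents and the signature block inside demo() are constructed placeholders, not a real release or a real signature; verifying an accompanying .ots timestamp would be a separate step with the OpenTimestamps client and is not shown.

```python
# Added example, not GnuPG project code: verify a clearsigned checksum list on the
# receiving side. File names and the signature block in demo() are constructed.
import hashlib
import os
import re
import shutil
import subprocess
import tempfile

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# Hex digest length selects the algorithm, as sha1sum/sha256sum/sha512sum emit it.
DIGEST_ALGOS = {40: "sha1", 64: "sha256", 128: "sha512"}
SUM_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")

def split_clearsigned(text):
    """Return (cleartext, signature armor) from an RFC 4880 clearsigned message."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError as exc:
        raise ValueError("not a clearsigned message") from exc
    i = start + 1
    while i < sig_start and lines[i].strip():  # skip "Hash: ..." armor headers
        i += 1
    # Undo dash-escaping ("- " before lines starting with '-') and drop trailing
    # whitespace: that is the text the signature was computed over.
    body = [(l[2:] if l.startswith("- ") else l).rstrip(" \t") for l in lines[i + 1:sig_start]]
    return "\n".join(body), "\n".join(lines[sig_start:sig_end + 1])

def parse_sums(cleartext):
    """Parse 'HEX  name' / 'HEX *name' lines into {name: (algo, hexdigest)}."""
    sums = {}
    for line in cleartext.splitlines():
        m = SUM_LINE.match(line)
        if not m:
            continue  # release notes, blank lines and the like
        digest, name = m.group(1).lower(), m.group(2)
        algo = DIGEST_ALGOS.get(len(digest))
        if algo is None:  # never skip an entry quietly
            raise ValueError(f"unsupported digest length in line: {line!r}")
        sums[name] = (algo, digest)
    return sums

def hash_file(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_files(sums, directory):
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING'} for every listed file."""
    results = {}
    for name, (algo, expected) in sums.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if hash_file(path, algo) == expected else "MISMATCH"
    return results

def gpg_verify(clearsigned_path, keyring_path):
    """True only if gpg verifies the file using the pinned keyring alone.
    --no-default-keyring means a key fetched from a keyserver or sitting in the
    user's default keyring cannot satisfy the check; run this before trusting sums."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found; signature cannot be verified")
    # Absolute path: gpg resolves a bare keyring name relative to GNUPGHOME.
    cmd = [gpg, "--batch", "--no-default-keyring", "--keyring",
           os.path.abspath(keyring_path), "--verify", clearsigned_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def demo():
    """Constructed run: one good file, one tampered file, one missing file.
    The signature block is a placeholder, so only parsing and hashing run here."""
    workdir = tempfile.mkdtemp()
    try:
        good = os.path.join(workdir, "example-release.tar.bz2")  # constructed name
        with open(good, "wb") as f:
            f.write(b"constructed tarball contents\n")
        with open(good + ".sig", "wb") as f:
            f.write(b"not what was published\n")
        text = "\n".join([
            BEGIN_SIGNED, "Hash: SHA256", "",
            f"{hash_file(good, 'sha1')}  example-release.tar.bz2",
            f"{'0' * 40}  example-release.tar.bz2.sig",
            f"{'f' * 64}  example-release.tar.bz2.asc",
            "- -- constructed note line, dash-escaped by the signer",
            BEGIN_SIG, "", "PLACEHOLDER-NOT-A-REAL-SIGNATURE", "=0000", END_SIG,
        ])
        cleartext, _armor = split_clearsigned(text)
        return check_files(parse_sums(cleartext), workdir), cleartext
    finally:
        shutil.rmtree(workdir)
```

Order matters: gpg_verify() has to succeed before anything parse_sums() returns means something, and it deliberately takes an explicit keyring rather than the default one or a keyserver, because signing the checksum list moves the trust question from "is this file genuine" to "is this key genuine", which the downloader still has to settle out of band. The `--no-default-keyring`, `--keyring`, `--batch` and `--verify` options are existing gpg options; everything else in the block is the example's own code.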

