Hi Wyatt--

On Sat 2016-01-23 05:58:49 -0500, W Wong wrote:
> I downloaded the Gpg4win 2.3.0 (Released: 2015-11-25)
> from https://www.gpg4win.org/download.html
>
> I did a checksum using Microsoft file checksum integrity verifier as
> follows:

on any modern version of windows, you should be able to do checksum
verification with certutil.exe using the -hashfile subcommand:

  https://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_hashfile

> C:\Users\edsw\utility>fciv.exe ..\..\Downloads\gpg4win-2.3.0.exe
> //
> // File Checksum Integrity Verifier version 2.05.
> //
> 4a88f90a01b0ba8e3eb0073f7b6a4bfb ..\..\downloads\gpg4win-2.3.0.exe
>
> The checksum is different from the one announced on the site
>
> SHA1 checksum (for gpg4win2.3.0.exe):
> 88d90ee9a1ea3e66b198ea866063140b882444d5

Note that the lengths are different, which suggests that they might be
different digest algorithms entirely.

I believe that fciv.exe is calculating the MD5 checksum, while the
download site is using the SHA1 checksum.

Indeed, i see the MD5 sum matching the value you found with fciv.exe,
while the SHA1 sum matches the published data:

0 dkg@alice:~$ gpg2 --print-md MD5 < gpg4win-2.3.0.exe
4A 88 F9 0A 01 B0 BA 8E 3E B0 07 3F 7B 6A 4B FB
0 dkg@alice:~$ gpg2 --print-md SHA1 < gpg4win-2.3.0.exe
88D9 0EE9 A1EA 3E66 B198 EA86 6063 140B 8824 44D5
0 dkg@alice:~$

So i think your download is most likely ok (assuming that fciv is doing
what i believe it is).

fwiw, MD5 and SHA1 are both old digest algorithms, and are not as strong
as they should be. I recommend that anyone using checksums for file
integrity switch to SHA256 as soon as possible.

Also, the OpenPGP signature published at
https://files.gpg4win.org/gpg4win-2.3.0.exe.sig itself uses SHA1
internally. This is also a bad idea. signatures published today should
use at least SHA256, as every modern OpenPGP implementation has been
capable of verifying SHA256 signatures for years now.
hth,

        --dkg
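The length check described in the message above, as an added Python example that is not part of the original message or of any tool it mentions. The function names are made up for illustration, and mapping a hex length to an algorithm is a heuristic assumption; the example also normalizes the spacing and case differences between fciv and gpg2 output before comparing.

```python
import hashlib
import hmac
import io

# Hex length -> algorithm. A heuristic: other digests share these lengths
# (RIPEMD-160 is also 40 hex characters, SHA3-256 is also 64).
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def normalize(checksum):
    """Remove the spacing and case differences between tools' output."""
    hexstr = "".join(checksum.split()).lower()
    if not hexstr or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("not a hex checksum: %r" % checksum)
    return hexstr


def guess_algorithm(checksum):
    """Infer the digest algorithm from the checksum's length."""
    n = len(normalize(checksum))
    if n not in HEX_LEN_TO_ALGO:
        raise ValueError("unrecognised digest length: %d hex chars" % n)
    return HEX_LEN_TO_ALGO[n]


def diagnose(published, computed):
    """Compare two checksums, flagging an algorithm mix-up separately."""
    a, b = guess_algorithm(published), guess_algorithm(computed)
    if a != b:
        return "different algorithms: %s vs %s" % (a, b)
    same = hmac.compare_digest(normalize(published), normalize(computed))
    return "match (%s)" % a if same else "mismatch (%s)" % a


def verify_stream(stream, published):
    """Hash a binary stream with the algorithm the published value implies."""
    h = hashlib.new(guess_algorithm(published))
    for chunk in iter(lambda: stream.read(65536), b""):
        h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), normalize(published))


if __name__ == "__main__":
    # The two checksums quoted in the message above.
    print(diagnose("88d90ee9a1ea3e66b198ea866063140b882444d5",
                   "4a88f90a01b0ba8e3eb0073f7b6a4bfb"))
    # Constructed sample bytes standing in for a downloaded file.
    data = b"constructed sample bytes"
    print(verify_stream(io.BytesIO(data), hashlib.sha256(data).hexdigest()))
```

To check a real download, open the file in binary mode and pass the file object to verify_stream together with the published checksum.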