Hello list,

I downloaded the installer of the last Windows version of GnuPG along with its signature (i.e. gnupg-w32-2.1.20_20170403.exe and gnupg-w32-2.1.20_20170403.exe.sig respectively) from the FTP server, then I proceeded to verify the SHA-1 of the executable and it matched (just because I'm feeling paranoid, is 69308ee80699ebb48a055963418597767a76d1d8 right?).
Out of curiosity I then wanted to check if the .sig hash matched using all the hashing tools I have (since at this time I don't have GnuPG installed, this is just a means to say that the hashing tools I'm using are legitimate if they all report the same value; the hash of the signature is not provided).

Now to the problem: a site called onlinemd5(dot)com (regular HTTP, no HTTPS) reported values (SHA-1: 161B31EA6F627D3F17E896486AF886283450C946 and SHA-256: 369648131DE31A8CA44BEDA00D6A8ECB61C405F8FD8F03649BF80720F02525A7) different from the ones of every other hashing tool (SHA-1: 3E15A03A29798718DCFAC54CADED34414284D6D9 and SHA-256: 3C5CEB2291C2314EDB55D905B94275FC871162D3BB7977BDDBCB6A97EFDBAC03).

I verified some other files using 11 different tools and they all matched, but just in this case one of them failed. This is the first time I have encountered such a situation. How can this happen?
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users