
Remove or explain sha1sum in announcement mails
Open, Wishlist, Public

Description

We should move from sha1sum to sha256sum as a default for integrity checks,
or remove the sha1sum at least.

Examples:

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file gnupg-2.4.0.tar.bz2, you run the command like this:

     sha1sum gnupg-2.4.0.tar.bz2

   and check that the output matches the next line:

63dde155a8df0d5e1987efa5fc17438beca83ac1  gnupg-2.4.0.tar.bz2
f8b5aaf759fa311e60d34823be342d7e15d1e752  gnupg-w32-2.4.0_20221216.tar.xz
5195ff17de15ffd8629bfd0f0b5dd2b2774295f2  gnupg-w32-2.4.0_20221216.exe
  • libgcrypt 1.10.1 announcement:

https://lists.gnupg.org/pipermail/gnupg-announce/2022q1/000471.html

 - If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file libgcrypt-1.10.1.tar.bz2, you run the command like this:

     sha1sum libgcrypt-1.10.1.tar.bz2

   and check that the output matches the first line of this list:

de2cc32e7538efa376de7bf5d3eafa85626fb95f  libgcrypt-1.10.1.tar.bz2
9db3ef0ec74bd2915fa7ca6f32ea9ba7e013e1a1  libgcrypt-1.10.1.tar.gz

I guess that still using sha1sum would be good if there are platforms where no sha256sum is available.
However, I am not sure those platforms are still in operation anymore, and if they were, we could add
the sha1sum in addition.

Event Timeline

werner claimed this task.
werner added a subscriber: werner.

Nope - too long for checking and introduces line wraps. Those who are not able to check digital signatures are also not able to properly handle checksum verification. On some platforms you don't even have a sha256sum tool. And they need to verify the mails first anyway. Note that for internal purposes we use sha256sum for years.

Shouldn't we remove the sha1sum then as well? Or add an explanation?

Otherwise I'd say that we at least need an explanation in the announcements; it really feeds the myth
that GnuPG is (too) old-style or does not pay attention to the details.

Which platforms do not have a sha256sum and are still maintained or in wide usage?
(Windows used to be a candidate, but it has had such tools for a long time.)

bernhard renamed this task from Move to sha256sums in the announcements (for GnuPG) to Remove or explain sha1sum in announcement mails. Jan 6 2023, 1:57 PM
bernhard reopened this task as Open.
bernhard updated the task description.

Thought about this for a while and rephrased, and thus reopened.
I think it would be good to remove or explain the sha1sum checksums in the announcements.
Whether they are replaced by something else, e.g. sha256sum is of lesser importance.

Some thoughts:

comparison of SHA256 sum

> too long for checking and introduces line wraps.

If you mean checking manually, what works nicely for me is to put the two checksums I want to compare in an editor which shows them each on a line. My eye quickly sees if there is a deviation in the pattern.

Line wraps in emails are not mandatory, it is allowed to have longer lines.
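The verification procedure quoted from the announcements above and the manual-comparison point raised in this comment can both be carried out with a small script. The following is an added example, not code from the GnuPG project or from these announcements: it computes the digest with GNU `sha256sum`/`sha1sum` and falls back to the Perl `shasum` found on BSD and macOS, strips whitespace and line breaks from a digest copied out of a mail (so a wrapped 64-character SHA-256 line still compares correctly), infers the algorithm from the digest length, and compares the result byte for byte instead of by eye. The sample file and its expected digests are constructed for the demo and are not real release checksums; the tool names and fallback order are assumptions about the host. Note that the digest line still has to come from a verified source (the signed announcement mail) for the check to mean anything.

```shell
#!/bin/sh
# Added example (not from the GnuPG task or its announcements): verify a
# downloaded release file against the checksum line published in an
# announcement mail. Prefers SHA-256; SHA-1 is accepted only because older
# announcements still publish it.

# Print the hex digest of file $1 using algorithm $2 (sha256 or sha1).
# Assumes GNU coreutils "<algo>sum" or, failing that, Perl "shasum".
digest_file() {
    file=$1
    algo=$2
    case $algo in
        sha256) bits=256 ;;
        sha1)   bits=1 ;;
        *) echo "unknown algorithm: $algo" >&2; return 2 ;;
    esac
    if command -v "${algo}sum" >/dev/null 2>&1; then
        "${algo}sum" "$file" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a "$bits" "$file" | cut -d' ' -f1
    else
        echo "no $algo tool found on this host" >&2
        return 3
    fi
}

# Normalize a digest pasted from a mail: drop spaces, tabs and line breaks
# (a long SHA-256 line may have been wrapped by a mail client) and
# lower-case the hex so that the comparison is purely on the digest value.
normalize_hex() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# verify_checksum FILE EXPECTED [ALGO]
# When ALGO is omitted it is inferred from the digest length
# (40 hex chars = SHA-1, 64 = SHA-256). Returns 0 on match, 1 on mismatch,
# 2 on a malformed digest, 3 when no hashing tool is available.
verify_checksum() {
    file=$1
    expected=$(normalize_hex "$2")
    algo=${3:-}
    if [ -z "$algo" ]; then
        case ${#expected} in
            40) algo=sha1 ;;
            64) algo=sha256 ;;
            *)  echo "cannot infer algorithm from a ${#expected}-char digest" >&2
                return 2 ;;
        esac
    fi
    actual=$(digest_file "$file" "$algo") || return $?
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file ($algo)"
        return 0
    fi
    echo "MISMATCH: $file ($algo)" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demo on a constructed file: the content "hello\n" has the well-known
# SHA-256 digest below (constructed sample, not a GnuPG release checksum).
demo_sample_tarball() {
    tmp=$(mktemp -d) || return 1
    printf 'hello\n' > "$tmp/sample-1.0.tar.bz2"
    verify_checksum "$tmp/sample-1.0.tar.bz2" \
        "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run the demo only when explicitly asked: sh verify.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_sample_tarball
fi
```

For a real download you would call `verify_checksum gnupg-2.4.0.tar.bz2 '<digest copied from the signed announcement>'`; the script refuses digests of an unexpected length rather than guessing, so a truncated copy-paste fails closed instead of silently matching nothing.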

werner triaged this task as Wishlist priority. Jan 12 2023, 8:58 AM
werner edited projects, added Feature Request; removed Bug Report.