GnuPG / Gpg4win: Replace sha1sum.c with a tool in GnuPG
Open, Wishlist, Public

Description

The original intent behind the sha1sum.c in gpg4win/src/sha1sum.c was to have a bootstrappable file that you could inspect and compile without dependencies to verify an initial installation of Gpg4win, because Windows had no builtin for this.

Nowadays users can just do:

certutil -hashfile GnuPG-VS-Desktop-3.1.20.7-Standard.msi sha256

So there is no need anymore for a simple tool and we should use libgcrypt.

It is also used in Kleopatra on Windows for the create checksum command, and it is nice to have these Unix-like tools like "sha1sum.exe" and "sha256sum.exe" etc., maybe with some added GnuPGness like proper estream support for filenames and progress-fd and the usual.

I actually found the create checksums tool useful to scan for changes in a large directory tree. E.g. you create a checksum file at some point over a large tree and then later verify the checksums to see which files have been modified.

While the sha1sum.c from Gpg4win takes the hash algo as a compile flag, for me an ideal solution would be if GnuPG would create some kind of gpghash.exe that switches between algos either by a command line switch or by its own filename and otherwise behaves, in terms of input / output, like the standard Unix sha1sum, sha256sum etc. tools.

So that if I install gpghash.exe as sha1sum.exe, it would detect this based on argv[0] and use the corresponding libgcrypt hash algo.
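The argv[0] dispatch and the create-then-verify workflow described above, as an added Python sketch that is not the gpgsum code or anything from the GnuPG project. It uses hashlib instead of libgcrypt; the name table, the function names and the sha256 fallback are assumptions made for illustration.

```python
import hashlib
import ntpath
import os
import sys

# Assumed name-to-algorithm table for this sketch (hashlib algorithm names).
ALGOS = {"sha1sum": "sha1", "sha256sum": "sha256", "sha512sum": "sha512"}

def algo_from_argv0(argv0, default=None):
    """Infer the hash algorithm from the name the program was invoked as."""
    # ntpath splits on both "/" and "\", so Unix and Windows paths both work.
    name = ntpath.basename(argv0).lower()
    if name.endswith(".exe"):
        name = name[:-4]
    algo = ALGOS.get(name, default)
    if algo is None:
        raise ValueError(f"cannot infer hash algorithm from {argv0!r}")
    return algo

def hash_file(path, algo):
    """Stream the file in 1 MiB chunks so large files need little memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def create_checksums(root, algo):
    """Return sha256sum-style lines ("<hex>  <relative path>") for a tree."""
    lines = []
    for d, _, files in sorted(os.walk(root)):
        for fn in sorted(files):
            p = os.path.join(d, fn)
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            lines.append(f"{hash_file(p, algo)}  {rel}")
    return lines

def changed_files(root, lines, algo):
    """Return listed paths that are now missing or whose digest differs."""
    changed = []
    for line in lines:
        digest, rel = line.split("  ", 1)
        p = os.path.join(root, rel)
        if not os.path.isfile(p) or hash_file(p, algo) != digest:
            changed.append(rel)
    return changed

if __name__ == "__main__":
    algo = algo_from_argv0(sys.argv[0], default="sha256")  # assumed fallback
    print("\n".join(create_checksums(sys.argv[1] if len(sys.argv) > 1 else ".", algo)))
```

As with `sha256sum -c`, only files named in the list are checked, so files added to the tree after the list was created are not reported.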

Event Timeline

The tobias/gpgsum branch in gnupg now contains my implementation of this. Together with the attached patches to kleopatra and libkleo, it can properly handle Unicode filenames on Windows. I'll put those patches up for review at KDE in the next days.

I would rather like to see the checksum stuff be ripped out of Kleopatra into a simple standalone app. It's complete overkill to start the Kleopatra battleship if the user just wants to calculate or verify a checksum of a downloaded file. The UI of the checksum tool in Kleopatra is anyway still not accessible (T6099: Kleopatra: Make checksum verification accessible). How about we redesign the UI from scratch with accessibility in mind from the start?

For a very long time I would have agreed with you. But I now understand the use case. You misunderstand that feature just like I had. It is not about checksum verification or checking. It is for detecting changes in folder trees so that you know when to re-encrypt and update your encrypted archive of that tree. Yes, this could be done somewhere else, but the use case is valid for Kleopatra.

So with my Ryzen 9 on Tumbleweed:

I symlinked gpgsum to sha256sum:

time sha256sum 10gb-random.dat
ee6755b9da3fe4de2e56e703f8d0c68bcc6bc91b722b0dc8677b40b9aa2293ab  10gb-random.dat
sha256sum 10gb-random.dat  4,86s user 4,23s system 99% cpu 9,115 total

Same file, same disk, but with the Tumbleweed standard sha256sum tool:

time /usr/bin/sha256sum 10gb-random.dat
ee6755b9da3fe4de2e56e703f8d0c68bcc6bc91b722b0dc8677b40b9aa2293ab  10gb-random.dat
/usr/bin/sha256sum 10gb-random.dat  30,50s user 5,17s system 99% cpu 35,723 total

I find that pretty awesome, and it shows that the standard sha256sum does not make use of hardware acceleration.

So as a replacement for what we have in Kleopatra this would work.

But to make it a really great tool I think it needs more options. I had it in my PATH as "sha256sum" for a bit but had to remove it since it is missing some arguments that the standard sha256sum understands.
For me the first missing thing was "--status".

The help is also missing the string replacements and reports @GPGSUM@ with Copyright YEAR NAME. I would also love to see a "-h / --hash" option where you could tell gpgsum to use a specific hash algorithm when it is not already defined by the name. Then it needs a man page etc.

We don't really have a business case for that, but with the performance increase that I saw I think it would make for a great piece of free software. But all these things should go into separate issues, since this issue is about a tool to replace the sha1sum.c from gpg4win. And for that we would only need a backport and then some testing. So I don't think we should do it for this release.
I will talk to Werner about what we will do with this next.

A fun idea would be to get a "blue angel" like Okular has and use that for marketing purposes. So all distros need to switch to the blue angel certified hashsum tool to save the planet 😂