We should move from sha1sum to sha256sum as a default for integrity checks.
Examples:
* 2.4.0 announcement:
https://lists.gnupg.org/pipermail/gnupg-announce/2022q4/000477.html
```
* If you are not able to use an existing version of GnuPG, you have
to verify the SHA-1 checksum. On Unix systems the command to do
this is either "sha1sum" or "shasum". Assuming you downloaded the
file gnupg-2.4.0.tar.bz2, you run the command like this:
sha1sum gnupg-2.4.0.tar.bz2
and check that the output matches the next line:
63dde155a8df0d5e1987efa5fc17438beca83ac1 gnupg-2.4.0.tar.bz2
f8b5aaf759fa311e60d34823be342d7e15d1e752 gnupg-w32-2.4.0_20221216.tar.xz
5195ff17de15ffd8629bfd0f0b5dd2b2774295f2 gnupg-w32-2.4.0_20221216.exe
```
* libgcrypt 1.10.1 announcement:
https://lists.gnupg.org/pipermail/gnupg-announce/2022q1/000471.html
```
- If you are not able to use an existing version of GnuPG, you have
to verify the SHA-1 checksum. On Unix systems the command to do
this is either "sha1sum" or "shasum". Assuming you downloaded the
file libgcrypt-1.10.1.tar.bz2, you run the command like this:
sha1sum libgcrypt-1.10.1.tar.bz2
and check that the output matches the first line from the
this list:
de2cc32e7538efa376de7bf5d3eafa85626fb95f libgcrypt-1.10.1.tar.bz2
9db3ef0ec74bd2915fa7ca6f32ea9ba7e013e1a1 libgcrypt-1.10.1.tar.gz
```
I guess that still using sha1sum would be good if there are platforms where no sha256sum is available.
However, I am not sure there are such platforms in operation anymore, and if there were, we could add
the sha1sum in addition.