Thank you for the response.

On 2017-02-24 23:45, William A Rowe Jr wrote:
> They are useful for file completeness/error checking only. I'd agree
> there is zero purpose in retaining SHA1 when SHA256 is in place.

Unfortunately a lot of people do not know this. They compare the hashes instead, either because they don't understand the background, don't have gpg installed, or think checking the hashes is the same as verifying a signature.

> And SHA256 is a means to authenticate how, exactly?
>
> We provide .asc pgp signatures exclusively for that purpose.

I agree, gpg is the only way to check the authenticity of a file. However, people who use hashes to do this (for reasons I previously mentioned) are in a lot safer spot, because it's most likely impossible for an adversary to create a collision.

I just didn't understand why there would be a reason for other hashes, if there was a sha-256 hash available. Even on legacy systems I've seen implementations for sha256.

Thanks again for your answer.

Cheers,
K. C.

--
regards Helmut K. C. Tessarek
lookup http://pool.sks-keyservers.net for KeyID 0xC11F128D

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/
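
Added example, not part of the original message: the difference discussed in this thread between comparing a published checksum and verifying a signature, shown for a mirror whose files have been replaced. Textbook RSA with fixed primes stands in for PGP signing (an assumption for illustration, not secure), and all function names and sample contents are constructed.

```python
import hashlib

# Toy textbook-RSA key standing in for a release manager's PGP key
# (assumption: illustration only, no padding, not secure).
# P and Q are the Mersenne primes 2^61-1 and 2^89-1.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                            # public modulus, known to every user
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, never on the mirror


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(data: bytes) -> int:
    """Release manager signs the SHA-256 digest with the private key."""
    return pow(int(digest(data), 16) % N, D, N)


def hash_matches(data: bytes, published_hex: str) -> bool:
    """What a user does when comparing against the published checksum."""
    return digest(data) == published_hex


def signature_valid(data: bytes, sig: int) -> bool:
    """Signature verification, using only the public key (N, E)."""
    return pow(sig, E, N) == int(digest(data), 16) % N


def publish(data: bytes) -> dict:
    """The three files as the release manager uploads them."""
    return {"tarball": data, "sha256": digest(data), "asc": sign(data)}


def tamper(mirror: dict, new_data: bytes) -> dict:
    """Someone with write access to the mirror swaps the tarball and
    recomputes the checksum; without D the old signature is all they have."""
    return {"tarball": new_data, "sha256": digest(new_data), "asc": mirror["asc"]}


def check(mirror: dict) -> tuple:
    """Returns (checksum comparison result, signature verification result)."""
    return (hash_matches(mirror["tarball"], mirror["sha256"]),
            signature_valid(mirror["tarball"], mirror["asc"]))


if __name__ == "__main__":
    good = publish(b"constructed release contents v1")
    bad = tamper(good, b"constructed modified contents")
    print("untouched mirror:", check(good))
    print("modified mirror: ", check(bad))
```

The checksum comparison passes in both cases because the checksum is served from the same place as the file; only the signature check, which depends on a key obtained separately, distinguishes them.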
