On Fri 2016-03-18 03:21:30 -0400, Werner Koch wrote:
> Most people are actually not able to check even the SHA-1 checksums
> because they are missing a tool to do so (e.g. Windows) and do not have the
> knowledge to install or compile and audit a shaXsum tool.
On any modern Windows installation (sinc
On 03/17/2016 01:00 PM, Kristian Fiskerstrand wrote:
so if the server was to be compromised in some way ...
... the checksum (that you are downloading from the same server) becomes
useless.
Doug
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
>
> What is your threat model? FWIW, pre-image attacks on SHA-1 are not
> even on the horizon.
>
Pre-image attack?
- Fabian s
On 17/03/16 19:01, Daniel Villarreal wrote:
> Clarifications and updates on APT + SHA1
> https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/
> "...note that SHA1 support is not dropped, we merely do not consider
> it trustworthy."
This page then continues:
> This mea
On 03/17/2016 08:44 PM, Daniel Kahn Gillmor wrote:
> FWIW, the threat model of digest algorithms being published on an
> HTTPS website that then links to the file to be downloaded is much
> easier to work around than by compromising SHA-1's preima
On Friday 18 March 2016 at 2:45:28 PM, Daniel Kahn Gillmor wrote:
> On any modern Windows installation (since Vista at
> least, i think) there
> is "certutil.exe"
> https://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_hashfile
>
On Thu, 17 Mar 2016 19:01, youcanli...@gmail.com said:
> Any idea when you'll replace the SHA-1 checksums at the following page?
What is your threat model? FWIW, pre-image attacks on SHA-1 are not
even on the horizon.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein B
On Thu 2016-03-17 15:34:08 -0400, Fabian Santiago wrote:
>>
>> What is your threat model? FWIW, pre-image attacks on SHA-1 are not
>> even on the horizon.
>>
>
> Pre-image attack?
https://en.wikipedia.org/wiki/Preimage_attack
FWIW, the threat model of digest algorithms being published on an HT
On Fri, 18 Mar 2016 08:21, w...@gnupg.org said:
> I'll look at how we can improve the description on the web page.
Actually the current text does not look too bad:
If you are not able to use an old version of GnuPG, you can still
verify the file's SHA-1 checksum. This is less secure, beca
On Fri, 18 Mar 2016 15:45, d...@fifthhorseman.net said:
> On any modern Windows installation (since Vista at least, i think) there
> is "certutil.exe"
I know but I have also seen on the gpg4win mailing list that people have
problems using it or any other tool.
Also worse than checksums or real s
On Thu, 17 Mar 2016 20:44, d...@fifthhorseman.net said:
> FWIW, the threat model of digest algorithms being published on an HTTPS
> website that then links to the file to be downloaded is much easier to
> work around than by compromising SHA-1's preimage resistance (or even
I fully agree and I vi
Windows has certutil built-in.
On Fri, Mar 18, 2016, 3:27 AM Werner Koch wrote:
> On Thu, 17 Mar 2016 20:44, d...@fifthhorseman.net said:
>
> > FWIW, the threat model of digest algorithms being published on an HTTPS
> > website that then links to the file to be downloaded is much easier to
> > w
Any idea when you'll replace the SHA-1 checksums at the following page?
https://gnupg.org/download/integrity_check.html
List of SHA-1 check-sums
For your convenience, all SHA-1 check-sums available for software that
can be downloaded from our site,