Hi!

In the light of the recently found weaknesses in the MD5 hash function we won't anymore accompany software announcements with MD5 checksums. Instead SHA-1 checksums will be given.

All modern GNU/Linux systems are featuring a sha1sum tool, similar to the md5sum tool, so there should be no problem checking the checksums on these platforms.

For MS Windows no such tool is available. To solve this problem, I wrote a simple sha1sum tool and uploaded it along with a MS Windows binary (sha1sum.exe) to the GnuPG ftp servers. The source is also available and may be used to check the correctness or to build own binaries. It should build on all platforms.

There is of course a catch-22 in that you won't be able to check the integrity of that tool without using it. So you need to rely on other ways of checking this tool; one possibility is to send it to a friend and ask the friend to check the gpg signature for you.

Get it from ftp.gnupg.org at:

  ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.exe  (20k)
  ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.exe.sig

  ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.c  (9k)
  ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.c.sig

Usage is:

  sha1sum <files>

This version of sha1sum does not feature the -c (--check) option so that you have to compare the printed checksums using your own eyes.

Please note that if you already have a working GnuPG installation it is better to check the integrity of a package using the GnuPG generated signature which is usually in files suffixed with ".sig", ".sign", or ".asc". Using the checksum is only a way to bootstrap an installation. The sha1sum utility might also be useful to verify software which does does come with a gpg signature.

Happy hacking,

  Werner

-- 
Werner Koch <wk@gnupg.org>
The GnuPG Experts                http://g10code.com
Free Software Foundation Europe  http://fsfeurope.org
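
Added example, not part of Werner Koch's message or of the sha1sum.c source: since the announced sha1sum has no -c (--check) option, a short Python script can do the comparison instead of reading the digests by eye. It assumes the GNU coreutils listing format (40 hex digits, a space, a ' ' or '*' mode character, then the file name); the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Assumed listing format (GNU coreutils): digest, space, ' ' or '*', file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{40}) [ *](.+)$")


def sha1_of_file(path, chunk_size=65536):
    """Hash the file in chunks so large downloads need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_listing(listing, base_dir="."):
    """Map each listing entry to 'OK', 'FAILED', 'MISSING' or 'MALFORMED'."""
    results = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            results[line] = "MALFORMED"  # an unparsable line is never a pass
            continue
        expected, name = match.group(1).lower(), match.group(2)
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        results[name] = "OK" if sha1_of_file(path) == expected else "FAILED"
    return results


def demo():
    """Constructed sample: one matching file, one altered, one absent."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("good.txt", b"abc"), ("bad.txt", b"abc\n")):
            with open(os.path.join(tmp, name), "wb") as handle:
                handle.write(data)
        listing = (
            "a9993e364706816aba3e25717850c26c9cd0d89d  good.txt\n"
            "A9993E364706816ABA3E25717850C26C9CD0D89D *bad.txt\n"
            "a9993e364706816aba3e25717850c26c9cd0d89d  absent.txt\n"
            "not a checksum line\n"
        )
        return check_listing(listing, tmp)
```

Any status other than OK should be treated as a failed verification, including a listing line that could not be parsed.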