I downloaded the installer of the last windows version of gnupg along with its signature (i.e. gnupg-w32-2.1.20_20170403.exe. and gnupg-w32-2.1.20_20170403.exe.sig respectively) from the ftp server, then I proceeded to verify the SHA-1 of the executable and it matched (just because I'm feeling paranoid, is 69308ee80699ebb48a055963418597767a76d1d8 right?).
Out of curiosity I then wanted to check if the .sig hash matched using all the hashing tools I have (since at this time I don't have gnupg installed, this is just a mean to say that the hashing tools I'm using are legitimate if they all report the same value; the hash of the signature is not provided). Now to the problem: a site called onlinemd5(dot)com (regular HTTP, no HTTPS) reported values (SHA-1: 161B31EA6F627D3F17E896486AF886283450C946 and SHA-256: 369648131DE31A8CA44BEDA00D6A8ECB61C405F8FD8F03649BF80720F02525A7) different from the ones of every other hashing tool (SHA-1: 3E15A03A29798718DCFAC54CADED34414284D6D9 and SHA-256: 3C5CEB2291C2314EDB55D905B94275FC871162D3BB7977BDDBCB6A97EFDBAC03).
I verified some other files using 11 different tools and they all matched, but just in this case one of them failed. This is the first time I encounter such a situation. How can this happen?
On April 7, 2017 4:36:29 PM EDT, UEFg Karuna <[hidden email]> wrote:
>provided). Now to the problem: a site called onlinemd5(dot)com (regular
>HTTP, no HTTPS) reported values (SHA-1:
>161B31EA6F627D3F17E896486AF886283450C946 and SHA-256:
>from the ones of every other hashing tool (SHA-1:
>3E15A03A29798718DCFAC54CADED34414284D6D9 and SHA-256:
>I verified some other files using 11 different tools and they all
>but just in this case one of them failed. This is the first time I
>encounter such a situation. How can this happen?
If everything matches up except for the results from that particular website, my first guesses would be an error during the upload of the file to the site or a faulty hashing algorithm used by the site. My personal preference for generating file hashes is OpenSSL since it is widely used and therefore fairly reliable in my opinion as an inconsistencies would be pointed out quickly.