A little problem verifying an hash

A little problem verifying an hash

UEFg Karuna
Hello list,

I downloaded the installer of the last Windows version of GnuPG along with its signature (i.e. gnupg-w32-2.1.20_20170403.exe and gnupg-w32-2.1.20_20170403.exe.sig respectively) from the FTP server, then I proceeded to verify the SHA-1 of the executable and it matched (just because I'm feeling paranoid, is 69308ee80699ebb48a055963418597767a76d1d8 right?).

Out of curiosity I then wanted to check if the .sig hash matched using all the hashing tools I have (since at this time I don't have GnuPG installed, this is just a means to say that the hashing tools I'm using are legitimate if they all report the same value; the hash of the signature is not provided). Now to the problem: a site called onlinemd5(dot)com (regular HTTP, no HTTPS) reported values (SHA-1: 161B31EA6F627D3F17E896486AF886283450C946 and SHA-256: 369648131DE31A8CA44BEDA00D6A8ECB61C405F8FD8F03649BF80720F02525A7) different from the ones of every other hashing tool (SHA-1: 3E15A03A29798718DCFAC54CADED34414284D6D9 and SHA-256: 3C5CEB2291C2314EDB55D905B94275FC871162D3BB7977BDDBCB6A97EFDBAC03).

I verified some other files using 11 different tools and they all matched, but just in this case one of them failed. This is the first time I encounter such a situation. How can this happen?


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: A little problem verifying an hash

Antony Prince
On April 7, 2017 4:36:29 PM EDT, UEFg Karuna <[hidden email]> wrote:
 ...

>provided). Now to the problem: a site called onlinemd5(dot)com (regular
>HTTP, no HTTPS) reported values (SHA-1:
>161B31EA6F627D3F17E896486AF886283450C946 and SHA-256:
>369648131DE31A8CA44BEDA00D6A8ECB61C405F8FD8F03649BF80720F02525A7)
>different
>from the ones of every other hashing tool (SHA-1:
>3E15A03A29798718DCFAC54CADED34414284D6D9 and SHA-256:
>3C5CEB2291C2314EDB55D905B94275FC871162D3BB7977BDDBCB6A97EFDBAC03).
>
>I verified some other files using 11 different tools and they all
>matched,
>but just in this case one of them failed. This is the first time I
>encounter such a situation. How can this happen?
>
...

If everything matches up except for the results from that particular website, my first guesses would be an error during the upload of the file to the site or a faulty hashing algorithm used by the site. My personal preference for generating file hashes is OpenSSL since it is widely used and therefore fairly reliable in my opinion, as any inconsistencies would be pointed out quickly.
--
Regards,
Antony
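
The cross-check discussed in this thread, as an added example that is not part of either message: it hashes a file locally in binary mode and compares the digests reported by several tools after normalizing their formatting, naming whichever tool disagrees. The names `tool_a` and `tool_b` are placeholders for the unnamed tools that agreed; the SHA-256 values are the ones quoted above.

```python
import hashlib
from collections import Counter

def file_digests(path, algorithms=("sha1", "sha256"), chunk_size=1 << 16):
    """Hash a file locally in one streaming pass: {algorithm: lowercase hex}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:  # binary mode, so no newline translation
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}

def normalize(hex_digest):
    """Strip whitespace and colons and lowercase; tools format hex differently."""
    return "".join(hex_digest.split()).replace(":", "").lower()

def cross_check(reports, local=None):
    """Compare digests reported by several tools: returns (consensus, outliers).

    consensus is the value a strict majority of tools agree on, else None.
    outliers are the tools that differ from `local` (a digest computed on
    this machine) when given, otherwise from the consensus.
    """
    normalized = {tool: normalize(value) for tool, value in reports.items()}
    value, count = Counter(normalized.values()).most_common(1)[0]
    consensus = value if count * 2 > len(normalized) else None
    reference = normalize(local) if local else consensus
    outliers = sorted(t for t, v in normalized.items() if v != reference)
    return consensus, outliers

# SHA-256 values quoted in the thread for the .sig file. "tool_a" and "tool_b"
# are placeholder names standing in for the unnamed tools that agreed.
AGREED = "3C5CEB2291C2314EDB55D905B94275FC871162D3BB7977BDDBCB6A97EFDBAC03"
THREAD_REPORTS = {
    "tool_a": AGREED,
    "tool_b": AGREED.lower(),
    "onlinemd5": "369648131DE31A8CA44BEDA00D6A8ECB61C405F8FD8F03649BF80720F02525A7",
}

if __name__ == "__main__":
    import sys
    consensus, outliers = cross_check(THREAD_REPORTS)
    print("consensus:", consensus, "outliers:", outliers)
    if len(sys.argv) > 1:  # optionally hash a local file the same way
        for name, digest in file_digests(sys.argv[1]).items():
            print(name, digest)
```

Agreement between tools only shows that they hashed the same bytes; the authenticity of the installer still rests on verifying the .sig with GnuPG.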
