Greetings. Is it possible to provide SHA1 hashes in the 'Download Details' section for each installer? Alternatively, both SHA1 and MD5 hashes can be provided. The reasons are:
- MD5 is more broken than SHA1. While both should be avoided, SHA1 gives somewhat more assurance that the file has not been corrupted or tampered with. Providing both hashes, of course, virtually eliminates this risk.
- The SourceForge file listing provides both SHA1 and MD5 values when clicking the 'i' in the circle at the right of each file link. This is an easy way to obtain the hashes (assuming the existing process is more cumbersome).
This is no deal-breaker, and I am grateful for the existing MD5 hash listings. However, if SHA1 can be painlessly included, I would truly appreciate it. Thanks.
The MD5 is primarily for verification that the file downloaded properly. Either hash can be faked with the addition of padding.
The way you can verify the EXE is from us is based on the digital signature. Our newer open source EXEs are signed with an SHA2 digital certificate using an SHA1 digest. (Fun fact, though SHA2 is supported as a digest, it's broken on Windows XP and Vista and shouldn't be used, otherwise we'd use it.) Our EXEs also have built-in modification protection to prevent tampering after they are compiled.
Sometimes, the impossible can become possible, if you're awesome!
Ah, thanks for the reply.
There is a third reason for wanting SHA1 sums — I didn't include it because it's a personal preference — the DownThemAll add-on for Firefox defaults to SHA1. It is not smart enough to automatically choose MD5 based on the shorter length. Changing the drop-down field to MD5 each time gets tiring really fast. By having SHA1 hashes available, it could save a considerable amount of time and effort for DownThemAll users.
Thanks once again for the explanation; it is appreciated.
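The thread above describes a listing that publishes MD5 today and might add SHA1, and a downloader that has to be told which algorithm to use. The following is an added example, not code from the thread or the project: it picks the algorithm from the length of the published digest (32 hex characters for MD5, 40 for SHA1, an assumption that matches the SourceForge listing described), hashes the file in chunks, and compares in constant time. The sample file and its digests are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption for this example: the listing publishes MD5 (32 hex chars)
# or SHA1 (40 hex chars), so the digest length identifies the algorithm.
DIGEST_ALGOS = {32: "md5", 40: "sha1"}


def detect_algorithm(published_hex):
    """Return (algorithm, normalised digest) for a published MD5 or SHA1 value."""
    digest = published_hex.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("published hash is not hex: %r" % published_hex)
    try:
        return DIGEST_ALGOS[len(digest)], digest
    except KeyError:
        raise ValueError("unrecognised digest length %d" % len(digest))


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large installer is never read whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex):
    """Return (algorithm, matched) for a downloaded file against a published hash.
    This only checks download integrity; the EXE's digital signature is what
    establishes who produced it, as the maintainer's reply explains."""
    algo, expected = detect_algorithm(published_hex)
    actual = file_digest(path, algo)
    return algo, hmac.compare_digest(actual, expected)


def demo():
    """Constructed sample: a tiny stand-in 'installer' checked against SHA1, MD5,
    and a wrong MD5 that simulates a corrupted download."""
    data = b"abc"  # constructed stand-in for an installer's bytes
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "installer.exe")
        with open(path, "wb") as f:
            f.write(data)
        return {
            "sha1": verify_download(path, "a9993e364706816aba3e25717850c26c9cd0d89d"),
            "md5": verify_download(path, "900150983cd24fb0d6963f7d28e17f72"),
            "corrupted": verify_download(path, "00000000000000000000000000000000"),
        }
```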