
Bug#1011261: The digest algorithm in SHA512SUMS.sign is SHA256



Package: debian-cd

Hello,

I downloaded a Debian ISO and its SHA512SUMS file. However, when I used gpg to verify the authenticity of SHA512SUMS, I found that the signature file uses SHA256 as its digest algorithm. Although SHA256 is pretty safe, it seems strange to sign a SHA512SUMS with SHA256. I think it's better to sign SHA512SUMS with SHA512.

Best Regards,
Zhang Boyang


$ LANG=C gpg -v --verify SHA512SUMS.sign
gpg: assuming signed data in 'SHA512SUMS'
gpg: Signature made Sun Mar 27 05:22:41 2022 CST
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: using pgp trust model
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096
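The "digest algorithm SHA256" line above comes from the one-octet hash-algorithm field in the v4 signature packet, which `gpg --list-packets SHA512SUMS.sign` shows as `digest algo 8` (SHA512 would be `10`); the signer picks it with `--digest-algo SHA512`. The following Python script is an added example, not code from the bug report or from debian-cd: it dearmors a `*.sign` file, checks the armor CRC, and reads the packet header per RFC 4880 so the digest can be checked without invoking gpg. The sample packets it builds are constructed for the demo with placeholder fields and will not verify against any key.

```python
"""Inspect which digest algorithm an OpenPGP signature packet declares.

Added example, not code from the bug report or from debian-cd. Packet layout
follows RFC 4880 (section 4.2 headers, 5.2.3 v4 signatures, 6.1 armor CRC24).
The sample packets built below are constructed, not real Debian signatures.
"""
import base64
import struct

# RFC 4880 section 9.4 hash algorithm ids and section 9.1 public-key ids
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}


def crc24(data):
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(raw):
    """Wrap raw signature bytes the way a *.sign file does."""
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n"
            + base64.b64encode(raw).decode() + "\n=" + crc
            + "\n-----END PGP SIGNATURE-----\n")


def dearmor(text):
    """Strip armor, decode base64 and check the CRC24 trailer."""
    lines = text.strip().splitlines()
    if lines[0] != "-----BEGIN PGP SIGNATURE-----":
        raise ValueError("not an armored signature")
    body = lines[1:-1]
    if "" in body:                      # armor headers end at a blank line
        body = body[body.index("") + 1:]
    crc_line = [l for l in body if l.startswith("=")]
    raw = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    if crc_line:
        want = int.from_bytes(base64.b64decode(crc_line[0][1:]), "big")
        if want != crc24(raw):
            raise ValueError("armor CRC mismatch")
    return raw


def parse_packet_header(data):
    """Return (tag, body_offset, body_length) for the first packet in data."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                    # new-format header
        tag, length = first & 0x3F, data[1]
        if length < 192:
            return tag, 2, length
        if length < 224:
            return tag, 3, ((length - 192) << 8) + data[2] + 192
        if length == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate length not supported")


def signature_info(sig):
    """Return version, type, key algorithm and digest algorithm of a v4 signature."""
    if isinstance(sig, str):
        sig = dearmor(sig)
    tag, off, length = parse_packet_header(sig)
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got {tag}")
    body = sig[off:off + length]
    if body[0] != 4:
        raise ValueError(f"only v4 signatures handled, got v{body[0]}")
    sig_type, pk_algo, hash_algo = body[1], body[2], body[3]
    return {
        "version": 4,
        "binary": sig_type == 0x00,     # gpg prints this as "binary signature"
        "key_algo": PUBKEY_ALGOS.get(pk_algo, f"unknown({pk_algo})"),
        "hash_algo": HASH_ALGOS.get(hash_algo, f"unknown({hash_algo})"),
    }


def build_sample_signature(hash_algo):
    """Constructed v4 RSA signature packet with old-format header and dummy MPI.

    Only the fields signature_info() reads are meaningful; key id, digest
    prefix and MPI are placeholders, so this is for parsing demos only."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1648329761)       # creation time
    hashed += bytes([9, 16]) + bytes.fromhex("0123456789ABCDEF")  # placeholder issuer
    body = bytes([4, 0x00, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", 0)              # no unhashed subpackets
    body += b"\xab\xcd"                       # left 16 bits of digest (dummy)
    body += struct.pack(">H", 8) + b"\x7f"    # dummy 8-bit RSA MPI
    return bytes([0x88, len(body)]) + body    # 0x88: old format, tag 2, 1-octet length


if __name__ == "__main__":
    for algo in (8, 10):
        print(signature_info(armor(build_sample_signature(algo))))
```

Against a real file, `signature_info(open("SHA512SUMS.sign").read())` reports the declared digest, which is what the bug asks to be SHA512; the script reads the packet only and does not replace `gpg --verify`, which is still what checks that the signature is valid and the key trusted.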

