[Anthony Towns] > gnupg comes close to being this, except for two things: it's got too > many dependencies, and it's command line arguments are overly > complex. A "gpgh" variant (like gpgv but for hashing) might work, > though. It doesn't support --check, and "gpg --print-md md5 > /etc/motd" has a different format to "md5sum /etc/motd" though. I think it's important to support md5sum/sha1sum format, in cases where md5 or sha1 are used, so people can conveniently use --check with their existing binaries. That might be just me, though. > Of course, if we're doing it "right", we probably want to have some > way of telling what hash was used, so we don't have to wonder whether > a given 160bit hash is sha1 or ripemd160 or something else that gets > cooked up in future. For large files, getting a cryptographic checksum is more about reading blocks off the disk than about CPU time. So it wouldn't be completely ridiculous to allow sha-1 to remain ambiguous with competing 160-bit hashes, and have --check check for all of them (reading the file only once). I still think two-byte prefixes for non-md5-non-sha1 hashes makes some sense, like s- for sha-256. Avoids the filename encoding issue you mentioned later (unless we want to encode newlines). > OTOH, it would be far more convenient for *us* if it supported the > .changes style we use, ie: > > MD5Sum: > hash size filename This might be generally reasonable, but we do want our dsum tool to work with arbitrary MD5SUMS style files. And if such files require a hash-type header, dsum will have to produce one, at least optionally. I really like the default behavior of our existing md5sum outputting just a single line per file, and nothing more. > $ dsum -a sha1 foo; sha1sum foo > f572d396fae9206628714fb2ce00f72e94f2258f foo > f572d396fae9206628714fb2ce00f72e94f2258f foo > > $ dsum -d foo > SHA1Sum: > f572d396fae9206628714fb2ce00f72e94f2258f 6 foo > > $ dsum -b foo > SHA1 (foo) = f572d396fae9206628714fb2ce00f72e94f2258f What's the " 6 " above? Surely not a hollerith-like string. Other than that, I like your proposed command line quite a lot. > (Note that "dsum" would probably need to become Priority:required, > and possibly Essential:yes, with the complications that entails) Hmmm, promoting libgcrypt11 + libgpg-error0 to Required adds 516 kB on i386, plus a trivial amount for dsum itself. I wonder if it'd be better to just copy / paste the algorithm code into dsum.
Description: Digital signature