by gary4gar 3368 days ago
What's wrong with just doing SHA1?

If the binary you're downloading might have been modified, how do you know that the hash you're checking against hasn't been as well?
SHA1 collisions...
What's wrong with doing <insert hash function>?
Making a hash of the release is just a small part of it (and is the first part of what they are doing).

The trick is to be confident that you're getting the same hash as everyone else - and that's what requiring a proof that it be added to a CT log gives you some level of assurance about.