A fingerprint in computing uniquely identifies original data.
A fingerprint of a public key (for cryptographic use) helps you to find and compare public keys.
This wiki is about cryptography, so the fingerprints you encounter here are calculated with a strong hash function. By the way, those hashes can also be used as checksums; they may then also be called message digests.
Basically a fingerprint is a very long number.
Display of fingerprints
To show and compare long numbers as humans, it is good to separate them into blocks. In cryptography, blocks of two or four characters are common, separated by spaces or colons.
Another trick is to use the hexadecimal numeral system, also called hex or base-16.
Note that for hex it does not matter if a character is upper or lower case.
Examples
Codesigning Certificate for Gpg4win
Both displays below show the same fingerprint, that of the certificate which is used to sign Gpg4win releases.
From https://www.gpg4win.org/package-integrity.html:
sha1_fpr: B2:85:2D:44:90:F6:55:EB:EA:DF:9F:FD:8D:09:2E:81:54:45:00:77
As displayed in the details of the UAC on Windows 10 as value "Fingerprint":
b2852d4490f655ebeadf9ffd8d092e8154450077
As you can see from the length and the label, it was calculated with the SHA-1 hash algorithm.
GnuPG for comparison
Here is another format for a SHA-1 fingerprint, in blocks of four characters separated by spaces:
LANG=en_EN gpg --fingerprint --list-key bernhard@intevation.de | grep fingerprint
Key fingerprint = BDD9 57F9 C4FE 0FDC 583D CD6D 2B7B A3BF 9BC3 A554
Comparison
When comparing two fingerprints, consider the following hints:
- Check that they have been calculated in the same way (i.e. with the same hash function), e.g. SHA256.
- Use the same display format (blocks, upper or lower case, numeral system); transform if you need to.
- When using your eyes: put one below the other in an editor, so differences stand out.
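The hints above can be followed mechanically. The following is an added example, not part of the original wiki page or of GnuPG or Gpg4win; the function names are hypothetical. It brings both fingerprints into one display format, refuses to compare values of different length, and prints them below each other.

```python
import re


def normalize(fpr: str) -> str:
    """Remove separators (spaces, colons) and lower-case the hex digits."""
    compact = re.sub(r"[\s:]", "", fpr).lower()
    if not re.fullmatch(r"[0-9a-f]+", compact):
        raise ValueError(f"not a hex fingerprint: {fpr!r}")
    return compact


def bit_length(fpr: str) -> int:
    """Size of the fingerprint in bits (each hex character carries 4 bits).

    160 bits fits SHA-1 and 256 bits fits SHA-256. The length is only a
    hint: it cannot prove which hash function was actually used.
    """
    return 4 * len(normalize(fpr))


def group(fpr: str, size: int = 4, sep: str = " ") -> str:
    """Render a fingerprint in upper-case blocks of `size` characters."""
    compact = normalize(fpr).upper()
    return sep.join(compact[i:i + size] for i in range(0, len(compact), size))


def same_fingerprint(a: str, b: str) -> bool:
    """Compare two fingerprints regardless of their display format.

    Raises ValueError when the lengths differ: the values then come from
    different hash functions, so a comparison would be meaningless.
    """
    na, nb = normalize(a), normalize(b)
    if len(na) != len(nb):
        raise ValueError(f"length mismatch: {len(na)} vs {len(nb)} hex characters")
    return na == nb


if __name__ == "__main__":
    # Both values are the Gpg4win code signing fingerprint quoted on this page.
    website = "B2:85:2D:44:90:F6:55:EB:EA:DF:9F:FD:8D:09:2E:81:54:45:00:77"
    uac = "b2852d4490f655ebeadf9ffd8d092e8154450077"
    print(bit_length(uac), "bits")
    print(group(website))  # same format, one below the other
    print(group(uac))
    print("match:", same_fingerprint(website, uac))
```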
SHA-1?
To cite BSIGuideline version 2025-01:
SHA1 should therefore never be used as a secure cryptographic hash function. This does not rule out its use in other cryptographic applications, for example as part of an HMAC construction, but this should also be avoided.
As you see, using SHA-256 is much better. However, for many legacy uses SHA-1 fingerprints will still give fair security for a while. And if this is what you have, SHA-1 is much better than nothing.