On 23/11/2025 02:38, Collin Funk wrote:
Hi,

I've attached a proposed patch to have 'announce-gen' produce SHA3-256
checksums instead of SHA-1.

I don't think there is much benefit in keeping SHA-1 around, since you
can generate hash collisions. I assume the time/cost per GPU is much
lower nowadays than it was in the 2017 estimates [1].

Furthermore, most people are likely using a 'cksum' version from later
than 2007 which supports SHA-256. So I don't think removing SHA-1 will
do any harm.

It would be nice to have SHA3-256 checksums ready in the unlikely case
that SHA-2 is broken in the foreseeable future.

+1 to all that.




GNU coreutils 'cksum' has supported SHA3 since 9.8, but it couldn't
derive the digest length from the base64 output. So using
'cksum -a sha3 --check' requires coreutils 9.9.

Here is the output with the proposed patch and without --cksum-checksums
in the invocation:

     $ announce-gen --release-type=alpha --package-name=coreutils \
         --previous-version=0.0 --current-version=9.9.35-cf973 \
         --gpg-key-id=8CE6491AE30D7D75 --url=localhost
     [...]
     Here are the SHA256 and SHA3-256 checksums:
     File: coreutils-9.9.35-cf973.tar.gz
       SHA256 sum:   b5662c336a6bcf03e3d69f5cd53d27a03c51293162c525a6657e6dccf67a716f
       SHA3-256 sum: 16057652e0d2bfe53751df5f75203999644641867d0802b1df06021e24e6dcbb
     File: coreutils-9.9.35-cf973.tar.xz
       SHA256 sum:   06486a09ac5e2884f9d56b4fef77ee8dae5e91961be030e13f387cf2ec76825a
       SHA3-256 sum: 6c3fe41615ff3b5b90f5c887510ca03daf18ca8b5306b9ac5790e8fb8f72015f
     [...]

Here is the output with the proposed patch and with --cksum-checksums in
the invocation:

     $ announce-gen --cksum-checksums --release-type=alpha \
         --package-name=coreutils --previous-version=0.0 \
         --current-version=9.9.35-cf973 --gpg-key-id=8CE6491AE30D7D75 \
         --url=localhost
     [...]
     Here are the SHA256 and SHA3-256 checksums:
       tWYsM2przwPj1p9c1T0noDxRKTFixSWmZX5tzPZ6cW8=  coreutils-9.9.35-cf973.tar.gz
       FgV2UuDSv+U3Ud9fdSA5mWRGQYZ9CAKx3wYCHiTm3Ls=  coreutils-9.9.35-cf973.tar.gz
       BkhqCaxeKIT51WtP73fuja5ekZYb4DDhPzh88ux2glo=  coreutils-9.9.35-cf973.tar.xz
       bD/kFhX/O1uQ9ciHUQygPa8YyotTBrmsV5Do+49yAV8=  coreutils-9.9.35-cf973.tar.xz
     Verify the base64 SHA256 checksum with cksum -a sha256 --check
     from coreutils-9.2 or OpenBSD's cksum since 2007.
     Verify the base64 SHA3-256 checksum with cksum -a sha3 --check
     from coreutils-9.9.
     [...]

BTW it's tempting to use tagged format in the above to simplify things for
users, and also avoid FAILED messages for mixed checksum input. I.e.:

 Here are the SHA256 and SHA3-256 checksums:

   SHA256 (coreutils-9.9.35-cf973.tar.gz) = tWYsM2przwPj1p9c1T0noDxRKTFixSWmZX5tzPZ6cW8=
   SHA3-256 (coreutils-9.9.35-cf973.tar.gz) = FgV2UuDSv+U3Ud9fdSA5mWRGQYZ9CAKx3wYCHiTm3Ls=
   SHA256 (coreutils-9.9.35-cf973.tar.xz) = BkhqCaxeKIT51WtP73fuja5ekZYb4DDhPzh88ux2glo=
   SHA3-256 (coreutils-9.9.35-cf973.tar.xz) = bD/kFhX/O1uQ9ciHUQygPa8YyotTBrmsV5Do+49yAV8=

 Verify the base64 SHA256 checksums with cksum --check
 from coreutils-9.2 or OpenBSD's cksum since 2007.
 Also verify the base64 SHA3-256 checksums with cksum --check from coreutils-9.9.

With usual sized tarball names, the checksum lines will be < 80 chars.

cheers,
Padraig
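
An added example, not part of the original message and not announce-gen or cksum code: a small Python model of checking the two announcement layouts shown above, where untagged lines are all checked with one chosen algorithm and tagged lines name their own. The file name, file contents and function names are constructed for illustration.

```python
import base64
import hashlib
import re

# Tag names as they appear in the tagged lines above, mapped to hashlib.
ALGOS = {"SHA256": hashlib.sha256, "SHA3-256": hashlib.sha3_256}
TAGGED = re.compile(r"^\s*([A-Z0-9-]+) \((.+)\) = ([A-Za-z0-9+/]+=*)\s*$")
UNTAGGED = re.compile(r"^\s*([A-Za-z0-9+/]+=*)  (.+?)\s*$")

def b64_digest(algo, data):
    """Base64 of the raw digest, the form used in the announcement."""
    return base64.b64encode(ALGOS[algo](data).digest()).decode()

def check_tagged(lines, files):
    """Each line names its algorithm, so mixed input verifies cleanly."""
    results = []
    for line in lines:
        m = TAGGED.match(line)
        if not m or m.group(1) not in ALGOS or m.group(2) not in files:
            continue  # not a checksum line this model understands
        algo, name, want = m.groups()
        results.append((algo, name, b64_digest(algo, files[name]) == want))
    return results

def check_untagged(lines, files, algo):
    """One algorithm for every line: lines made with the other one fail,
    because both digests are 32 bytes and look identical in base64."""
    results = []
    for line in lines:
        m = UNTAGGED.match(line)
        if m and m.group(2) in files:
            want, name = m.groups()
            results.append((name, b64_digest(algo, files[name]) == want))
    return results

# Constructed sample: in-memory bytes standing in for a release tarball.
NAME = "demo-1.0.tar.gz"
FILES = {NAME: b"constructed sample tarball bytes\n"}
TAGGED_LINES = [f"  {a} ({NAME}) = {b64_digest(a, FILES[NAME])}" for a in ALGOS]
UNTAGGED_LINES = [f"  {b64_digest(a, FILES[NAME])}  {NAME}" for a in ALGOS]

if __name__ == "__main__":
    for result in check_tagged(TAGGED_LINES, FILES):
        print("tagged", result)
    for algo in ALGOS:
        for result in check_untagged(UNTAGGED_LINES, FILES, algo):
            print("untagged as", algo, result)
```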
