Hi,
Thanks for the review. I think this v2 patch addresses everyone's
comments.
The output when --cksum-checksums is not used now mentions the programs
that can be used to check them:
$ announce-gen --release-type=alpha --package-name=coreutils \
--previous-version=0.0 --current-version=9.9.42-b1ccb \
--gpg-key-id=8CE6491AE30D7D75 --url=localhost
[...]
Here are the SHA256 and SHA3-256 checksums:
File: coreutils-9.9.42-b1ccb.tar.gz
SHA256 sum:
e25ec3ccd2358e101ad76dd97c1cf27a6bb80b987c4692564ee7524fd8429785
SHA3-256 sum:
5b2ac1a5dc943e28ece021cb6c0874cd0a9790b13c3845718d52282a12205731
File: coreutils-9.9.42-b1ccb.tar.xz
SHA256 sum:
940bd729ae72a281f8dbb1ea56795bb4dc4340a568da1d28e828ae8152694e00
SHA3-256 sum:
f49b691ea806995b99909efa4b9b9648828ae6f62b549c30adcbc489bd78ade2
Verify the SHA256 checksum with the sha256sum program.
Verify the SHA3-256 checksum with cksum -a sha3 --check
from coreutils-9.8.
[...]
The output when --cksum-checksums is used uses the tagged format so that
it can be easily checked:
$ announce-gen --cksum-checksums --release-type=alpha \
--package-name=coreutils --previous-version=0.0 \
--current-version=9.9.42-b1ccb --gpg-key-id=8CE6491AE30D7D75 \
--url=localhost | tee output
[...]
Here are the SHA256 and SHA3-256 checksums:
SHA256 (coreutils-9.9.42-b1ccb.tar.gz) =
4l7DzNI1jhAa123ZfBzyemu4C5h8RpJWTudST9hCl4U=
SHA3-256 (coreutils-9.9.42-b1ccb.tar.gz) =
WyrBpdyUPijs4CHLbAh0zQqXkLE8OEVxjVIoKhIgVzE=
SHA256 (coreutils-9.9.42-b1ccb.tar.xz) =
lAvXKa5yooH427HqVnlbtNxDQKVo2h0o6CiugVJpTgA=
SHA3-256 (coreutils-9.9.42-b1ccb.tar.xz) =
9JtpHqgGmVuZkJ76S5uWSIKK5vYrVJwwrcvEib14reI=
Verify the base64 SHA256 checksum with cksum -a sha256 --check
from coreutils-9.2 or OpenBSD's cksum since 2007.
Verify the base64 SHA3-256 checksum with cksum -a sha3 --check
from coreutils-9.8.
[...]
Here we can see the behavior of 'cksum' from a coreutils version with
SHA3 support:
$ cksum --version | head -n 1
cksum (GNU coreutils) 9.9
$ cksum --check output
coreutils-9.9.42-b1ccb.tar.gz: OK
coreutils-9.9.42-b1ccb.tar.gz: OK
coreutils-9.9.42-b1ccb.tar.xz: OK
coreutils-9.9.42-b1ccb.tar.xz: OK
cksum: WARNING: 47 lines are improperly formatted
And the behavior of 'cksum' from a coreutils version without SHA3
support:
$ /bin/cksum --version | head -n 1
cksum (GNU coreutils) 9.7
$ /bin/cksum --check output
coreutils-9.9.42-b1ccb.tar.gz: OK
coreutils-9.9.42-b1ccb.tar.xz: OK
cksum: WARNING: 49 lines are improperly formatted
I'll hold off on pushing to allow further review.
Collin
>From 773562c5258deaa87b8be323e0593e37191a344b Mon Sep 17 00:00:00 2001
Message-ID: <773562c5258deaa87b8be323e0593e37191a344b.1763944315.git.collin.fu...@gmail.com>
From: Collin Funk <[email protected]>
Date: Sat, 22 Nov 2025 17:51:45 -0800
Subject: [PATCH v2] announce-gen: replace SHA1 checksums with SHA3-256.
* build-aux/announce-gen (usage): Mention that SHA256 and SHA3-256
checksums are used.
(digest_file_base64_wrap): Add padding lengths for SHA3. Emit the tagged
format expected by cksum.
(print_checksums): Use SHA3-256 instead of SHA1. Update instructions for
checking SHA3-256 checksums. Add instructions for when --cksum-checksums
is not used.
---
ChangeLog | 11 +++++++++++
build-aux/announce-gen | 33 ++++++++++++++++++++-------------
2 files changed, 31 insertions(+), 13 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index b332538721..fcaa17f436 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2025-11-23 Collin Funk <[email protected]>
+
+ announce-gen: replace SHA1 checksums with SHA3-256.
+ * build-aux/announce-gen (usage): Mention that SHA256 and SHA3-256
+ checksums are used.
+ (digest_file_base64_wrap): Add padding lengths for SHA3. Emit the tagged
+ format expected by cksum.
+ (print_checksums): Use SHA3-256 instead of SHA1. Update instructions for
+ checking SHA3-256 checksums. Add instructions for when --cksum-checksums
+ is not used.
+
2025-11-23 Bruno Haible <[email protected]>
crypto/gc: Improve the API of git_hash_clone.
diff --git a/build-aux/announce-gen b/build-aux/announce-gen
index 8d02f4f5c8..3c50040ed4 100755
--- a/build-aux/announce-gen
+++ b/build-aux/announce-gen
@@ -35,7 +35,7 @@
eval 'exec perl -wSx "$0" "$@"'
if 0;
-my $VERSION = '2025-11-14 18:29'; # UTC
+my $VERSION = '2025-11-24 00:19'; # UTC
# The definition above must lie within the first 8 lines in order
# for the Emacs time-stamp write hook (at end) to update it.
# If you change this file with Emacs, please let the write hook
@@ -95,9 +95,9 @@ The following are optional:
sign the tarballs
--gpg-keyring-url=URL URL pointing to keyring containing the key used
to sign the tarballs
- --no-print-checksums do not emit SHA1 or SHA256 checksums
- --cksum-checksums emit SHA256 checksums in a form that requires
- cksum from coreutils or OpenBSD
+ --no-print-checksums do not emit SHA256 or SHA3-256 checksums
+ --cksum-checksums emit SHA256 and SHA3-256 checksums in a form
+ that requires cksum from coreutils or OpenBSD
--archive-suffix=SUF add SUF to the list of archive suffixes
--mail-headers=HEADERS a space-separated list of mail headers, e.g.,
To: x\@example.com Cc: y-announce\@example.com,...
@@ -166,7 +166,7 @@ sub print_locations ($\@\%@)
=item C<print_checksums (@file)>
-Print the SHA1 and SHA256 signature section for each C<@file>.
+Print the SHA256 and SHA3-256 signature section for each C<@file>.
=cut
@@ -180,15 +180,17 @@ sub digest_file_base64_wrap ($$)
my ($file, $alg) = @_;
my $h = digest_file_base64($file, $alg);
$alg =~ tr{-}{}d;
- my %pad = (MD5 => 2, SHA1 => 1, SHA256 => 1, SHA384 => 0, SHA512 => 2);
- return $h . '=' x $pad{$alg};
+ my %pad = (MD5 => 2, SHA1 => 1, SHA256 => 1, SHA384 => 0, SHA512 => 2,
+ SHA3256 => 1, SHA3384 => 0, SHA3512 => 2);
+ (my $alg_tag = $alg) =~ s/^SHA3(\d{3})/SHA3-$1/;
+ return $alg_tag . " (" . $file . ") = " . $h . '=' x $pad{$alg};
}
sub print_checksums ($@)
{
my ($prefer_cksum, @file) = @_;
- print "Here are the SHA1 and SHA256 checksums:\n";
+ print "Here are the SHA256 and SHA3-256 checksums:\n";
print "\n";
use Digest::file qw(digest_file_hex digest_file_base64);
@@ -197,21 +199,26 @@ sub print_checksums ($@)
{
foreach my $f (@file)
{
- print ' ', digest_file_hex ($f, "SHA-1"), " $f\n";
- print ' ', digest_file_base64_wrap ($f, "SHA-256"), " $f\n";
+ print ' ', digest_file_base64_wrap ($f, "SHA-256"), "\n";
+ print ' ', digest_file_base64_wrap ($f, "SHA3-256"), "\n";
}
print "\nVerify the base64 SHA256 checksum with cksum -a sha256 --check\n";
- print "from coreutils-9.2 or OpenBSD's cksum since 2007.\n\n";
+ print "from coreutils-9.2 or OpenBSD's cksum since 2007.\n";
+ print "\nVerify the base64 SHA3-256 checksum with cksum -a sha3 --check\n";
+ print "from coreutils-9.8.\n\n";
}
else
{
foreach my $f (@file)
{
print " File: $f\n";
- print ' SHA1 sum: ', digest_file_hex ($f, "SHA-1"), "\n";
- print ' SHA256 sum: ', digest_file_hex ($f, "SHA-256"), "\n";
+ print ' SHA256 sum: ', digest_file_hex ($f, "SHA-256"), "\n";
+ print ' SHA3-256 sum: ', digest_file_hex ($f, "SHA3-256"), "\n";
print "\n";
}
+ print "Verify the SHA256 checksum with the sha256sum program.\n";
+ print "\nVerify the SHA3-256 checksum with cksum -a sha3 --check\n";
+ print "from coreutils-9.8.\n\n";
}
}
--
2.52.0
