Bruno Haible via Gnulib discussion list <[email protected]> writes: > Simon Josefsson wrote: >> +XMv72pyPrDiGrukOrQ9UwgLh+bbekQhQWuyaEmEf3Co= gnulib-20250303.bundle >> +c3X/89WHMIRVqGpOHHQPZfw2bcxnZEIkgOam7WwRUyw= gnulib-20250729.bundle >> +6kYv60oHv7kXpkJM2vUlADWNmh62nus1xA80bJJiJEs= gnulib-20260109.bundle >> @end example > > Like in build-aux/announce-gen, we should explain how to verify these > checksums.
Makes sense, thank you! Having to specify the hash algorithm is tedious for users... maybe we should use the following style instead, and merely suggest '--check': jas@frallan:~/src/release$ ~/src/coreutils-9.9/src/cksum -a sha3 --length 256 --base64 gnulib-20260109.bundle | tee foo SHA3-256 (gnulib-20260109.bundle) = 6kYv60oHv7kXpkJM2vUlADWNmh62nus1xA80bJJiJEs= jas@frallan:~/src/release$ ~/src/coreutils-9.9/src/cksum --check < foo gnulib-20260109.bundle: OK jas@frallan:~/src/release$ /Simon > Note that the --check option works only with coreutils 9.9 or newer, > with this input syntax: > > $ echo '6kYv60oHv7kXpkJM2vUlADWNmh62nus1xA80bJJiJEs= gnulib-20260109.bundle' > \ > | /9.8/bin/cksum -a sha3 --check > cksum: 'standard input': no properly formatted checksum lines found > > $ echo '6kYv60oHv7kXpkJM2vUlADWNmh62nus1xA80bJJiJEs= gnulib-20260109.bundle' > \ > | /9.9/bin/cksum -a sha3 --check > gnulib-20260109.bundle: OK > > > 2026-01-09 Bruno Haible <[email protected]> > > doc: Improvements for gnulib git bundle. > * doc/gnulib-git-bundle.texi: Explain how to verify the checksums. > > diff --git a/doc/gnulib-git-bundle.texi b/doc/gnulib-git-bundle.texi > index 171f5cfe90..60890088f0 100644 > --- a/doc/gnulib-git-bundle.texi > +++ b/doc/gnulib-git-bundle.texi > @@ -35,6 +35,13 @@ > 6kYv60oHv7kXpkJM2vUlADWNmh62nus1xA80bJJiJEs= gnulib-20260109.bundle > @end example > > +Verify the SHA256 checksum > +with either @code{sha256sum}, @code{sha256}, or @code{shasum -a 256}. > + > +Verify the base64 SHA3-256 checksum > +with @code{cksum -a sha3 -l 256 --base64} from coreutils 9.8 or newer, > +or with @code{cksum -a sha3 --check} from coreutils 9.9 or newer. > + > Next to the Git Bundle is a GnuPG signature on the file, named > @code{gnulib-YYYYMMDD.bundle.sig}, which can be verified using GnuPG > as usual: > > > > >
signature.asc
Description: PGP signature
