Repository: aurora-packaging
Updated Branches:
  refs/heads/master ec923e6c6 -> de2ad96bd

Switch packaging release checksum to sha512

For our releases we will now be using .sha512 files rather than .sha files containing sha1 checksums. This change is triggered by a recent update of the Apache Release Distribution Policy.

Please see this mail for details:

```
Hi PMC,

The Release Distribution Policy[1] changed regarding .sha files.
See under "Cryptographic Signatures and Checksums Requirements" [2].

Old policy :

-- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)

New policy :

-- use .sha1 for a SHA-1 checksum
-- use .sha256 for a SHA-256 checksum
-- use .sha512 for a SHA-512 checksum
-- [*] .sha should contain a SHA-1

Why this change ?

-- Verifying a checksum under the old policy is/was not handy.
   You have to inspect the .sha to find out which algorithm
   should be used ; or try them all (SHA-1, SHA256, etc).
   The new scheme avoids this ambiguity.

-- The last point[*] was only added for clarity.
   Most of the old, stale .sha's contain a SHA-1.
   The relatively new .sha's contain a SHA-512.
   The expectation is that the last category will disappear,
   when active projects adapt to the 'new' convention.

Impact :

-- Should be none ; many projects already use the 'new' convention.
-- Please ask your release managers to use .sha1, .sha256, .sha512
   instead of the .sha extension.
-- Please fix your build-tools if you have any.

Piggyback :

-- The policy requires a .md5 for every package ;
   providing a .sha512 is recommended.
   Since MD5 is essentially broken, it is to be expected that
   in the future a .sha512 will be required.
   Perhaps it is wise to start providing .sha512's with
   your releases if you do not already do so.

-- Visit http://mirror-vm.apache.org/checker/
   to check the health of your /dist/-area ;
   my stuff ; any feedback is most welcome.

Thanks ; regards, Henk Penning [1] http://www.apache.org/dev/release-distribution [2] http://www.apache.org/dev/release-distribution#sigs-and-sums ``` Reviewed at https://reviews.apache.org/r/62831/ Project: http://git-wip-us.apache.org/repos/asf/aurora-packaging/repo Commit: http://git-wip-us.apache.org/repos/asf/aurora-packaging/commit/de2ad96b Tree: http://git-wip-us.apache.org/repos/asf/aurora-packaging/tree/de2ad96b Diff: http://git-wip-us.apache.org/repos/asf/aurora-packaging/diff/de2ad96b Branch: refs/heads/master Commit: de2ad96bde657962ef7512c260eac9e96d0edf00 Parents: ec923e6 Author: Stephan Erb <s...@apache.org> Authored: Sun Oct 8 18:59:24 2017 +0200 Committer: Stephan Erb <s...@apache.org> Committed: Sun Oct 8 18:59:24 2017 +0200 ---------------------------------------------------------------------- build-support/release/release-candidate | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/aurora-packaging/blob/de2ad96b/build-support/release/release-candidate ---------------------------------------------------------------------- diff --git a/build-support/release/release-candidate b/build-support/release/release-candidate index c5aad69..adc378c 100755 --- a/build-support/release/release-candidate +++ b/build-support/release/release-candidate @@ -47,7 +47,7 @@ function sign_artifacts() { # Create the checksums gpg --print-md MD5 "${name}" > "${stage_dir}/${name}.md5" - shasum "${name}" > "${stage_dir}/${name}.sha" + shasum -a 512 "${name}" > "${stage_dir}/${name}.sha512" done popd }
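
Review bot: The output rename from `${name}.sha` to `${name}.sha512` in sign_artifacts() is changed only where the file is produced; the diffstat shows release-candidate as the only file touched, so any release-vote template, verification instructions or other script that still refers to the `.sha` file should be updated alongside it. It would also help to extend the `# Create the checksums` comment to say that the `.md5` is written in `gpg --print-md` format while the `.sha512` is written in `shasum` format, which verifiers can check with `shasum -a 512 -c`.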