Repository: mesos
Updated Branches:
  refs/heads/master d863d61b2 -> 843e5e859

Used SHA512 for release file checksums.

Apache now requires SHA checksum files instead of the previously
required MD5, see the [signing recommendations](1). This patch updates
the Mesos vote and release tooling to accommodate that change in
policy. We use SHA512 as recommended in the [Apache SHA checksum

We also fix the format of the produced digest file to be compatible
with `sha512sum` to ease automatic release verification.




Branch: refs/heads/master
Commit: 843e5e85939d848b0898753c9d7542ecc997135c
Parents: d863d61
Author: Benjamin Bannier <>
Authored: Mon Mar 12 09:55:05 2018 +0100
Committer: Benjamin Bannier <>
Committed: Mon Mar 12 09:55:05 2018 +0100

 support/ |  2 +-
 support/    | 19 ++++++++++++-------
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/support/ b/support/
index 3aeda92..ced765b 100755
--- a/support/
+++ b/support/
@@ -43,7 +43,7 @@ echo "${GREEN}Checking out svn release repo ...${NORMAL}"
 svn co --depth=empty ${SVN_RELEASE_REPO} ${SVN_RELEASE_LOCAL}
 echo "${GREEN}Uploading the artifacts (the distribution," \
-  "signature, and MD5) to the release repo ${NORMAL}"
+  "signature, and checksum) to the release repo ${NORMAL}"
diff --git a/support/ b/support/
index 649eebc..9a72525 100755
--- a/support/
+++ b/support/
@@ -33,6 +33,11 @@ if [ "$(git cat-file -t $TAG)" != "tag" ]; then
   exit 1;
+# Releases are signed with `sha512sum` which is installed as
+# `gsha512sum` from Homebrew's `coreutils` package.
+echo "Checking for sha512sum or gsha512sum"
+SHA512SUM=$(command -v sha512sum || command -v gsha512sum)
 echo "${GREEN}Tagging and Voting for mesos-${VERSION} candidate 
 read -p "Hit enter to continue ... "
@@ -95,10 +100,10 @@ echo "${GREEN}Signing the distribution ...${NORMAL}"
 # Sign the tarball.
 gpg --armor --output ${TARBALL}.asc --detach-sig ${TARBALL}
-echo "${GREEN}Creating a MD5 checksum...${NORMAL}"
+echo "${GREEN}Creating a SHA512 checksum ...${NORMAL}"
-# Create MD5 checksum.
-gpg --print-md MD5 ${TARBALL} > ${TARBALL}.md5
+# Create SHA512 checksum.
+"${SHA512SUM}" ${TARBALL} > ${TARBALL}.sha512
@@ -110,11 +115,11 @@ echo "${GREEN}Checking out svn dev repo ...${NORMAL}"
 svn co --depth=empty ${SVN_DEV_REPO} ${SVN_DEV_LOCAL}
 echo "${GREEN}Uploading the artifacts (the distribution," \
-  "signature, and MD5) ...${NORMAL}"
+  "signature, and checksum) ...${NORMAL}"
 popd # build
 popd # mesos
@@ -155,8 +160,8 @@ ${SVN_DEV_REPO}/${TAG}/${TARBALL}
 The tag to be voted on is ${TAG}:;a=commit;h=${TAG}
-The MD5 checksum of the tarball can be found at:
+The SHA512 checksum of the tarball can be found at:
 The signature of the tarball can be found at:

Reply via email to