Used SHA512 for release file checksums. Apache now requires SHA checksum files instead of the previously required MD5, see the [signing recommendations](1). This patch updates the Mesos vote and release tooling to accommodate that change in policy. We use SHA512 as recommended in the [Apache SHA checksum FAQ](2).
We also fix the format of the produced digest file to be compatible with `sha512sum` to ease automatic release verification. [1]: http://www.apache.org/dev/release-distribution#sigs-and-sums [2]: http://www.apache.org/dev/release-signing#sha-checksum Review: https://reviews.apache.org/r/65905/ Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/5e8572e4 Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/5e8572e4 Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/5e8572e4 Branch: refs/heads/1.3.x Commit: 5e8572e4b9e585a96f566368342775b53e6deecf Parents: 487c41f Author: Benjamin Bannier <benjamin.bann...@mesosphere.io> Authored: Mon Mar 12 09:55:05 2018 +0100 Committer: Benjamin Bannier <bbann...@apache.org> Committed: Mon Mar 12 10:41:32 2018 +0100 ---------------------------------------------------------------------- support/release.sh | 2 +- support/vote.sh | 19 ++++++++++++------- 2 files changed, 13 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mesos/blob/5e8572e4/support/release.sh ---------------------------------------------------------------------- diff --git a/support/release.sh b/support/release.sh index 725bee6..df62432 100755 --- a/support/release.sh +++ b/support/release.sh @@ -43,7 +43,7 @@ echo "${GREEN}Checking out svn release repo ...${NORMAL}" svn co --depth=empty ${SVN_RELEASE_REPO} ${SVN_RELEASE_LOCAL} echo "${GREEN}Uploading the artifacts (the distribution," \ - "signature, and MD5) to the release repo ${NORMAL}" + "signature, and checksum) to the release repo ${NORMAL}" mv ${TAG} ${SVN_RELEASE_LOCAL}/${VERSION} http://git-wip-us.apache.org/repos/asf/mesos/blob/5e8572e4/support/vote.sh ---------------------------------------------------------------------- diff --git a/support/vote.sh b/support/vote.sh index 98643a1..eed4b37 100755 --- a/support/vote.sh +++ b/support/vote.sh 
@@ -19,6 +19,11 @@ VERSION=${1} CANDIDATE=${2} TAG="${VERSION}-rc${CANDIDATE}" +# Releases are signed with `sha512sum` which is installed as +# `gsha512sum` from Homebrew's `coreutils` package. +echo "Checking for sha512sum or gsha512sum" +SHA512SUM=$(command -v sha512sum || command -v gsha512sum) + echo "${GREEN}Voting for mesos-${VERSION} candidate ${CANDIDATE}${NORMAL}" read -p "Hit enter to continue ... " @@ -75,10 +80,10 @@ echo "${GREEN}Signing the distribution ...${NORMAL}" # Sign the tarball. gpg --armor --output ${TARBALL}.asc --detach-sig ${TARBALL} -echo "${GREEN}Creating a MD5 checksum...${NORMAL}" +echo "${GREEN}Creating a SHA512 checksum ...${NORMAL}" -# Create MD5 checksum. -gpg --print-md MD5 ${TARBALL} > ${TARBALL}.md5 +# Create SHA512 checksum. +"${SHA512SUM}" ${TARBALL} > ${TARBALL}.sha512 SVN_DEV_REPO="https://dist.apache.org/repos/dist/dev/mesos" SVN_DEV_LOCAL="${WORK_DIR}/dev" @@ -90,11 +95,11 @@ echo "${GREEN}Checking out svn dev repo ...${NORMAL}" svn co --depth=empty ${SVN_DEV_REPO} ${SVN_DEV_LOCAL} echo "${GREEN}Uploading the artifacts (the distribution," \ - "signature, and MD5) ...${NORMAL}" + "signature, and checksum) ...${NORMAL}" RELEASE_DIRECTORY="${SVN_DEV_LOCAL}/${TAG}" mkdir ${RELEASE_DIRECTORY} -mv ${TARBALL} ${TARBALL}.asc ${TARBALL}.md5 ${RELEASE_DIRECTORY} +mv ${TARBALL} ${TARBALL}.asc ${TARBALL}.sha512 ${RELEASE_DIRECTORY} popd # build popd # mesos @@ -135,8 +140,8 @@ ${SVN_DEV_REPO}/${TAG}/${TARBALL} The tag to be voted on is ${TAG}: https://git-wip-us.apache.org/repos/asf?p=mesos.git;a=commit;h=${TAG} -The MD5 checksum of the tarball can be found at: -${SVN_DEV_REPO}/${TAG}/${TARBALL}.md5 +The SHA512 checksum of the tarball can be found at: +${SVN_DEV_REPO}/${TAG}/${TARBALL}.sha512 The signature of the tarball can be found at: ${SVN_DEV_REPO}/${TAG}/${TARBALL}.asc
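Review bot: In support/release.sh only the echo text changes from "MD5" to "checksum", and `mv ${TAG} ${SVN_RELEASE_LOCAL}/${VERSION}` still moves whatever the candidate directory holds. A candidate cut with the previous vote.sh would be published with a `.md5` file and no `.sha512`. Consider checking that a `.sha512` file is present in `${TAG}` before the move and failing if it is not.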
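Review bot: In the first support/vote.sh hunk, the result of `SHA512SUM=$(command -v sha512sum || command -v gsha512sum)` is not checked in the visible lines. If neither tool is installed the variable is empty, and the problem only surfaces at `"${SHA512SUM}" ${TARBALL} > ${TARBALL}.sha512`, after the tarball has been signed, where the redirection still creates an empty `.sha512` file. Suggest failing right after the assignment, for example `[ -n "${SHA512SUM}" ] || { echo "sha512sum or gsha512sum not found" >&2; exit 1; }`. The added comment also says releases are "signed with `sha512sum`"; the signature comes from the `gpg --detach-sig` line, so "checksummed" would be the accurate word.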
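Review bot: At `"${SHA512SUM}" ${TARBALL} > ${TARBALL}.sha512` in the second support/vote.sh hunk, the digest file is written and later moved to the release directory without being read back. Since the stated goal is compatibility with `sha512sum`, running `"${SHA512SUM}" -c ${TARBALL}.sha512` immediately after creating it would catch an empty or malformed file before upload. `sha512sum` records the file name exactly as it was passed, so the file only verifies for voters while `${TARBALL}` is a bare file name; a one-line comment stating that assumption would help, as would quoting `"${TARBALL}"` on this line.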
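Review bot: In the vote e-mail template at the end of support/vote.sh, the text now points to `${TARBALL}.sha512` but does not tell voters how to use it. As the file is produced by `sha512sum`, adding a line that asks voters to download it next to the tarball and run `sha512sum -c ${TARBALL}.sha512` would make the format change usable and would match the commit message's aim of easing automatic release verification.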