[
https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15855211#comment-15855211
]
Maxim Solodovnik commented on WICKET-6074:
------------------------------------------
OK, here is the process I'm using to check signatures
cat apache-wicket-8.0.0-M4.tar.gz.sha
sha1sum apache-wicket-8.0.0-M4.tar.gz
compare output by eye
{code}
target/dist/apache-wicket-8.0.0-M4.tar.gz:
A903 2884 75D4 0D93 1669 BB3D AB91 8744 1954 AB52
a903288475d40d931669bb3dab9187441954ab52 apache-wicket-8.0.0-M4.tar.gz
{code}
Normally machine generated sequences should be machine validatable
After proposed changes the process will be:
{code}
sha256sum -c apache-wicket-8.0.0-M4.tar.gz.sha256
apache-wicket-8.0.0-M4.tar.gz: OK
{code}
(SHA256 was generated as an example)
same with md5
Maybe I'm using wrong tools to check the sum?
> Use SHA 256+ for signing the release artefacts
> ----------------------------------------------
>
> Key: WICKET-6074
> URL: https://issues.apache.org/jira/browse/WICKET-6074
> Project: Wicket
> Issue Type: Task
> Components: release
> Affects Versions: 6.21.0, 7.2.0
> Reporter: Martin Grigorov
> Assignee: Martijn Dashorst
>
> See the discussion at dev@ about checking the release:
> http://markmail.org/message/yu2f64rndmncseyd
> There are few issues:
> 1) It seems sha1sum is used. It will be better to use SHA 256+
> from release.sh:
> gpg --print-md SHA1 target/dist/apache-wicket-$version.tar.gz >
> target/dist/apache-wicket-$version.tar.gz.sha
> 2) Drop .md5 ?!
> "man md5sum" says:
> BUGS
> The MD5 algorithm should not be used any more for security related
> purposes. Instead, better use an SHA-2 algorithm, implemented in the
> programs sha224sum(1), sha256sum(1), sha384sum(1),
> sha512sum(1)
> 3) use "sha256sum" instead of "gpg --print-md SHA1" to create the file to
> make it simpler for checking later with "sha256sum -c"
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
