[
https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15855650#comment-15855650
]
Martijn Dashorst edited comment on WICKET-6074 at 2/7/17 9:43 AM:
------------------------------------------------------------------
First of all, you should verify the release by the GPG signed signature:
{code}
gpg --verify apache-wicket-*.tar.gz.asc
{code}
Now for the md5 and sha1 sums, I agree that the gpg format is strange due to
the extra newline between the path and checksum. We should at least change the
release script to pushd and popd to the dist folder before generating the
signatures; this will eliminate the target/dist/ from the path and the
extraneous newline.
Then it is just a
{code}
gpg --print-md MD5 apache-wicket-8.0.0-M4.tar.gz | diff apache-wicket-8.0.0-M4.tar.gz.md5 -
{code}
away to verify the release. We can *also* change the extension of the gpg
message digest to .gpgmd5 and add md5sum signatures for BSD-like verification.
I propose the following change to the release script:
{code}
pushd target/dist
for f in apache*.{gz,zip}
do
  # detached ASCII-armoured signature, written to $f.asc
  gpg --armor --detach-sign --use-agent --sign "$f"
  # gpg-format digests, kept under their own extension
  gpg --print-md SHA1 "$f" > "$f.gpgsha1"
  gpg --print-md MD5 "$f" > "$f.gpgmd5"
  # coreutils-format digests, checkable with md5sum/sha1sum/sha256sum -c
  md5sum "$f" > "$f.md5"
  sha1sum "$f" > "$f.sha1"
  sha256sum "$f" > "$f.sha256"
done
popd
{code}
and do the same for the convenience binaries.
> Use SHA 256+ for signing the release artefacts
> ----------------------------------------------
>
> Key: WICKET-6074
> URL: https://issues.apache.org/jira/browse/WICKET-6074
> Project: Wicket
> Issue Type: Task
> Components: release
> Affects Versions: 6.21.0, 7.2.0
> Reporter: Martin Grigorov
>
> See the discussion at dev@ about checking the release:
> http://markmail.org/message/yu2f64rndmncseyd
> There are a few issues:
> 1) It seems sha1sum is used. It will be better to use SHA 256+
> from release.sh:
> gpg --print-md SHA1 target/dist/apache-wicket-$version.tar.gz > target/dist/apache-wicket-$version.tar.gz.sha
> 2) Drop .md5 ?!
> "man md5sum" says:
> BUGS
> The MD5 algorithm should not be used any more for security related
> purposes. Instead, better use an SHA-2 algorithm, implemented in the
> programs sha224sum(1), sha256sum(1), sha384sum(1),
> sha512sum(1)
> 3) use "sha256sum" instead of "gpg --print-md SHA1" to create the file to
> make it simpler for checking later with "sha256sum -c"
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)