That should read “please use *at least* SHA-256 as the hash algorithm.” SHA-512 
and SHA-384 are preferred.

Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Oct 17, 2016, at 10:53 AM, Andy LoPresto <alopre...@apache.org> wrote:
> 
> Joe,
> 
> Thanks for preparing the release. Please send the “helper” email to accompany 
> this (example from 1.0.0 here [1]) and include the SHA-256 hash of the 
> release ZIP as well.
> 
> Similarly, when you perform the GPG signing activity, please use SHA-256 as 
> the hash algorithm. Currently you are configured to use SHA-1. You can find 
> instructions for changing that here [2].
> 
> hw12203:/Users/alopresto/Workspace/scratch/release_verification/nifi-0.7.1 
> (master) alopresto
> 🔓 17s @ 10:46:02 $ gpg --verify -vvv nifi-0.7.1-source-release.zip.asc
> gpg: using character set `utf-8'
> gpg: armor: BEGIN PGP SIGNATURE
> Version: GnuPG v1
> :signature packet: algo 1, keyid 941C14437D84EBD6
>       version 4, created 1476642289, md5len 0, sigclass 0x00
>       digest algo 2, begin of digest f1 9b
>       hashed subpkt 2 len 4 (sig created 2016-10-16)
>       subpkt 16 len 8 (issuer key ID 941C14437D84EBD6)
>       data: [4096 bits]
> gpg: armor header:
> gpg: assuming signed data in 'nifi-0.7.1-source-release.zip'
> gpg: Signature made Sun Oct 16 11:24:49 2016 PDT using RSA key ID 7D84EBD6
> gpg: using PGP trust model
> gpg: key 00D026C4: accepted as trusted key
> gpg: key 51BF2B79: accepted as trusted key
> gpg: key 2F7DEF69: accepted as trusted key
> gpg: Good signature from "Joseph Skora (CODE SIGNING KEY) <jsk...@apache.org>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 6B4E F25B 89D2 D330 2D60  1BD3 941C 1443 7D84 EBD6
> gpg: binary signature, digest algorithm SHA1
> 
> Thanks.
> 
> [1] https://lists.apache.org/thread.html/bc20784d6f8df22277c196e15f33e85cee4a0f409761a42acee54999@%3Cdev.nifi.apache.org%3E
> [2] https://www.apache.org/dev/openpgp.html#key-gen-avoid-sha1
> 
> Andy LoPresto
> alopre...@apache.org
> alopresto.apa...@gmail.com
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> 
>> On Oct 16, 2016, at 8:32 PM, Joe Skora <jsk...@apache.org> wrote:
>> 
>> Hello,
>> 
>> I am pleased to be calling this vote for the source release of Apache NiFi
>> nifi-0.7.1.
>> 
>> The source zip, including signatures, digests, etc. can be found at:
>> https://repository.apache.org/content/repositories/orgapachenifi-1091
>> 
>> The Git tag is nifi-0.7.1-RC1
>> The Git commit ID is 421d5e61553e5fa160af9e0cc9fdc237af46906d
>> https://git-wip-us.apache.org/repos/asf?p=nifi.git;a=commit;h=421d5e61553e5fa160af9e0cc9fdc237af46906d
>> https://github.com/apache/nifi/commit/421d5e61553e5fa160af9e0cc9fdc237af46906d
>> 
>> Checksums of nifi-0.7.1-source-release.zip:
>> MD5: a15fc40ec887d82440f2de05ef71f810
>> SHA1: 1565f4e123478e91fd26022b939d9d2f6ea6a2cf
>> 
>> Release artifacts are signed with the following key:
>> https://people.apache.org/keys/committer/jskora.asc
>> 
>> KEYS file available here:
>> https://dist.apache.org/repos/dist/release/nifi/KEYS
>> 
>> 41 issues were closed/resolved for this release:
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12338025
>> 
>> Release note highlights can be found here:
>> https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version0.7.1
>> 
>> The vote will be open for 72 hours.
>> Please download the release candidate and evaluate the necessary items
>> including checking hashes, signatures, build from source, and test.  Then
>> please vote:
>> 
>> [ ] +1 Release this package as nifi-0.7.1
>> [ ] +0 no opinion
>> [ ] -1 Do not release this package because...
> 

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
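
As an added example (not part of the original thread and not NiFi project code): a Python check that reads the digest algorithm from `gpg --verify -vvv` output like the one quoted above and applies the "at least SHA-256" rule. It also accepts `gpg --status-fd` `VALIDSIG` lines, which goes beyond what the thread shows; the function names, the placeholder fingerprint and the status sample are constructed for illustration.

```python
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160",
              8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Rule from the thread: at least SHA-256 (SHA-384 and SHA-512 preferred).
ACCEPTED = {"SHA256", "SHA384", "SHA512"}
PACKET_RE = re.compile(r"digest algo (\d+)")

def signature_digests(gpg_output):
    """Return the digest algorithm name of each signature found in gpg output."""
    # Strip mail quoting ("> ") so output pasted from a reply still parses.
    lines = [l.lstrip("> ").strip() for l in gpg_output.splitlines()]
    status = [l.split() for l in lines if l.startswith("[GNUPG:] VALIDSIG ")]
    if status:
        # Token 9 of a VALIDSIG status line is the hash algorithm ID.
        ids = [int(f[9]) for f in status if len(f) > 9]
    else:
        # Verbose packet dump: "digest algo 2, begin of digest f1 9b".
        ids = [int(m.group(1)) for m in map(PACKET_RE.search, lines) if m]
    return [HASH_ALGOS.get(i, "unknown(%d)" % i) for i in ids]

def check_release_signature(gpg_output):
    """Return (ok, digests); ok is False for no signature or any weak digest."""
    digests = signature_digests(gpg_output)
    return bool(digests) and all(d in ACCEPTED for d in digests), digests

# Signature packet lines as quoted in the thread (SHA-1, algo 2).
THREAD_SAMPLE = """\
> :signature packet: algo 1, keyid 941C14437D84EBD6
>       version 4, created 1476642289, md5len 0, sigclass 0x00
>       digest algo 2, begin of digest f1 9b
"""
# Constructed status line: placeholder fingerprint, hash algo 10 (SHA-512).
FPR = "A" * 40
STATUS_SAMPLE = ("[GNUPG:] VALIDSIG %s 2016-10-17 1476700000 0 4 0 1 10 00 %s"
                 % (FPR, FPR))

if __name__ == "__main__":
    for name, text in (("thread", THREAD_SAMPLE), ("status", STATUS_SAMPLE)):
        ok, digests = check_release_signature(text)
        print(name, "OK" if ok else "WEAK OR MISSING", digests)
```

The check only reports which digest the signature was made with; it does not replace `gpg --verify` itself or the comparison of the release ZIP's SHA-256 hash.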
