Got it!  Makes sense.

On Mon, Oct 17, 2016 at 1:54 PM, Andy LoPresto <alopre...@apache.org> wrote:

> That should read “please use *at least* SHA-256 as the hash algorithm.”
> SHA-512 and SHA-384 are preferred.
>
> Andy LoPresto
> alopre...@apache.org
> *alopresto.apa...@gmail.com <alopresto.apa...@gmail.com>*
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On Oct 17, 2016, at 10:53 AM, Andy LoPresto <alopre...@apache.org> wrote:
>
> Joe,
>
> Thanks for preparing the release. Please send the “helper” email to
> accompany this (example from 1.0.0 here [1]) and include the SHA-256 hash
> of the release ZIP as well.
>
> Similarly, when you perform the GPG signing activity, please use SHA-256
> as the hash algorithm. Currently you are configured to use SHA-1. You can
> find instructions for changing that here [2].
>
> hw12203:/Users/alopresto/Workspace/scratch/release_verification/nifi-0.7.1
> (master) alopresto
> 🔓 17s @ 10:46:02 $ gpg --verify -vvv nifi-0.7.1-source-release.zip.asc
> gpg: using character set `utf-8'
> gpg: armor: BEGIN PGP SIGNATURE
> Version: GnuPG v1
> :signature packet: algo 1, keyid 941C14437D84EBD6
> version 4, created 1476642289, md5len 0, sigclass 0x00
> digest algo 2, begin of digest f1 9b
> hashed subpkt 2 len 4 (sig created 2016-10-16)
> subpkt 16 len 8 (issuer key ID 941C14437D84EBD6)
> data: [4096 bits]
> gpg: armor header:
> gpg: assuming signed data in 'nifi-0.7.1-source-release.zip'
> gpg: Signature made Sun Oct 16 11:24:49 2016 PDT using RSA key ID 7D84EBD6
> gpg: using PGP trust model
> gpg: key 00D026C4: accepted as trusted key
> gpg: key 51BF2B79: accepted as trusted key
> gpg: key 2F7DEF69: accepted as trusted key
> gpg: Good signature from "Joseph Skora (CODE SIGNING KEY) <
> jsk...@apache.org>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 6B4E F25B 89D2 D330 2D60  1BD3 941C 1443 7D84 EBD6
> gpg: binary signature, digest algorithm SHA1
>
> Thanks.
>
> [1] https://lists.apache.org/thread.html/bc20784d6f8df22277c196e15f33e8
> 5cee4a0f409761a42acee54999@%3Cdev.nifi.apache.org%3E
> [2] https://www.apache.org/dev/openpgp.html#key-gen-avoid-sha1
>
> Andy LoPresto
> alopre...@apache.org
> *alopresto.apa...@gmail.com <alopresto.apa...@gmail.com>*
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On Oct 16, 2016, at 8:32 PM, Joe Skora <jsk...@apache.org> wrote:
>
> Hello,
>
> I am pleased to be calling this vote for the source release of Apache NiFi
> nifi-0.7.1.
>
> The source zip, including signatures, digests, etc. can be found at:
> https://repository.apache.org/content/repositories/orgapachenifi-1091
>
> The Git tag is nifi-0.7.1-RC1
> The Git commit ID is 421d5e61553e5fa160af9e0cc9fdc237af46906d
> *
> https://git-wip-us.apache.org/repos/asf?p=nifi.git;a=commit;h=
> 421d5e61553e5fa160af9e0cc9fdc237af46906d
> *
> https://github.com/apache/nifi/commit/421d5e61553e5fa160af9e0cc9fdc2
> 37af46906d
>
> Checksums of nifi-0.7.1-source-release.zip:
> MD5: a15fc40ec887d82440f2de05ef71f810
> SHA1: 1565f4e123478e91fd26022b939d9d2f6ea6a2cf
>
> Release artifacts are signed with the following key:
> https://people.apache.org/keys/committer/jskora.asc
>
> KEYS file available here:
> https://dist.apache.org/repos/dist/release/nifi/KEYS
>
> 41 issues were closed/resolved for this release:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?
> projectId=12316020&version=12338025
>
> Release note highlights can be found here:
> https://cwiki.apache.org/confluence/display/NIFI/
> Release+Notes#ReleaseNotes-Version0.7.1
>
> The vote will be open for 72 hours.
> Please download the release candidate and evaluate the necessary items
> including checking hashes, signatures, build from source, and test.  The
> please vote:
>
> [ ] +1 Release this package as nifi-0.7.1
> [ ] +0 no opinion
> [ ] -1 Do not release this package because because...
>
>
>
>

Reply via email to