Got it! Makes sense.

On Mon, Oct 17, 2016 at 1:54 PM, Andy LoPresto <[email protected]> wrote:
> That should read “please use *at least* SHA-256 as the hash algorithm.”
> SHA-512 and SHA-384 are preferred.
>
> Andy LoPresto
> [email protected]
> *[email protected] <[email protected]>*
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>
> On Oct 17, 2016, at 10:53 AM, Andy LoPresto <[email protected]> wrote:
>
> Joe,
>
> Thanks for preparing the release. Please send the “helper” email to
> accompany this (example from 1.0.0 here [1]) and include the SHA-256 hash
> of the release ZIP as well.
>
> Similarly, when you perform the GPG signing activity, please use SHA-256
> as the hash algorithm. Currently you are configured to use SHA-1. You can
> find instructions for changing that here [2].
>
> hw12203:/Users/alopresto/Workspace/scratch/release_verification/nifi-0.7.1
> (master) alopresto
> 🔓 17s @ 10:46:02 $ gpg --verify -vvv nifi-0.7.1-source-release.zip.asc
> gpg: using character set `utf-8'
> gpg: armor: BEGIN PGP SIGNATURE
> Version: GnuPG v1
> :signature packet: algo 1, keyid 941C14437D84EBD6
> version 4, created 1476642289, md5len 0, sigclass 0x00
> digest algo 2, begin of digest f1 9b
> hashed subpkt 2 len 4 (sig created 2016-10-16)
> subpkt 16 len 8 (issuer key ID 941C14437D84EBD6)
> data: [4096 bits]
> gpg: armor header:
> gpg: assuming signed data in 'nifi-0.7.1-source-release.zip'
> gpg: Signature made Sun Oct 16 11:24:49 2016 PDT using RSA key ID 7D84EBD6
> gpg: using PGP trust model
> gpg: key 00D026C4: accepted as trusted key
> gpg: key 51BF2B79: accepted as trusted key
> gpg: key 2F7DEF69: accepted as trusted key
> gpg: Good signature from "Joseph Skora (CODE SIGNING KEY) <
> [email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 6B4E F25B 89D2 D330 2D60 1BD3 941C 1443 7D84 EBD6
> gpg: binary signature, digest algorithm SHA1
>
> Thanks.
>
> [1] https://lists.apache.org/thread.html/bc20784d6f8df22277c196e15f33e85cee4a0f409761a42acee54999@%3Cdev.nifi.apache.org%3E
> [2] https://www.apache.org/dev/openpgp.html#key-gen-avoid-sha1
>
> Andy LoPresto
> [email protected]
> *[email protected] <[email protected]>*
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>
> On Oct 16, 2016, at 8:32 PM, Joe Skora <[email protected]> wrote:
>
> Hello,
>
> I am pleased to be calling this vote for the source release of Apache NiFi
> nifi-0.7.1.
>
> The source zip, including signatures, digests, etc. can be found at:
> https://repository.apache.org/content/repositories/orgapachenifi-1091
>
> The Git tag is nifi-0.7.1-RC1
> The Git commit ID is 421d5e61553e5fa160af9e0cc9fdc237af46906d
> * https://git-wip-us.apache.org/repos/asf?p=nifi.git;a=commit;h=421d5e61553e5fa160af9e0cc9fdc237af46906d
> * https://github.com/apache/nifi/commit/421d5e61553e5fa160af9e0cc9fdc237af46906d
>
> Checksums of nifi-0.7.1-source-release.zip:
> MD5: a15fc40ec887d82440f2de05ef71f810
> SHA1: 1565f4e123478e91fd26022b939d9d2f6ea6a2cf
>
> Release artifacts are signed with the following key:
> https://people.apache.org/keys/committer/jskora.asc
>
> KEYS file available here:
> https://dist.apache.org/repos/dist/release/nifi/KEYS
>
> 41 issues were closed/resolved for this release:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316020&version=12338025
>
> Release note highlights can be found here:
> https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version0.7.1
>
> The vote will be open for 72 hours.
> Please download the release candidate and evaluate the necessary items
> including checking hashes, signatures, build from source, and test. Then
> please vote:
>
> [ ] +1 Release this package as nifi-0.7.1
> [ ] +0 no opinion
> [ ] -1 Do not release this package because...
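
Added example, not part of the thread and not NiFi project code: a release verifier can automate the check Andy did by eye, reading the "digest algo" line of each signature packet in captured `gpg --verify -vvv` output and applying the policy stated above (at least SHA-256, SHA-384 and SHA-512 preferred). The function names and the second sample are assumptions made for illustration; the algorithm IDs are the OpenPGP hash IDs from RFC 4880.

```python
import re

# OpenPGP hash algorithm IDs as gpg prints them (RFC 4880, section 9.4).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
ACCEPTABLE = {"SHA256", "SHA384", "SHA512"}   # "at least SHA-256"
PREFERRED = {"SHA384", "SHA512"}              # preferred per the thread

SIG_RE = re.compile(r":signature packet: algo \d+, keyid ([0-9A-Fa-f]+)")
DIGEST_RE = re.compile(r"digest algo (\d+), begin of digest")

# Signature packet lines as quoted in the thread (SHA-1 signature).
THREAD_OUTPUT = """\
:signature packet: algo 1, keyid 941C14437D84EBD6
version 4, created 1476642289, md5len 0, sigclass 0x00
digest algo 2, begin of digest f1 9b
"""
# Constructed sample (not from the thread): placeholder key ID, SHA-512 digest.
CONSTRUCTED_OUTPUT = """\
:signature packet: algo 1, keyid 0000000000000000
version 4, created 0, md5len 0, sigclass 0x00
digest algo 10, begin of digest 00 00
"""


def audit_signature_digests(gpg_output):
    """Return one finding per signature packet seen in the verbose output."""
    findings = []
    for line in gpg_output.splitlines():
        sig = SIG_RE.search(line)
        if sig:
            # Start a new packet; stays "unknown" until a digest line is seen.
            findings.append({"keyid": sig.group(1).upper(),
                             "digest": None, "verdict": "unknown"})
            continue
        dig = DIGEST_RE.search(line)
        if dig and findings and findings[-1]["digest"] is None:
            name = HASH_ALGOS.get(int(dig.group(1)), "id-" + dig.group(1))
            verdict = ("preferred" if name in PREFERRED else
                       "acceptable" if name in ACCEPTABLE else "reject")
            findings[-1].update(digest=name, verdict=verdict)
    return findings


def signatures_meet_policy(gpg_output):
    """Fail closed: no packets, unknown or weak digests all return False."""
    findings = audit_signature_digests(gpg_output)
    return bool(findings) and all(
        f["verdict"] in ("acceptable", "preferred") for f in findings)
```

This checks only the digest algorithm of the signature; whether the signature is good and whether the key is trusted still come from gpg's own verdict.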
