[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-10-03 Thread ASF subversion and git services (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16189654#comment-16189654 ]

ASF subversion and git services commented on WICKET-6074:
-

Commit 49df0e591db940ba86ccdd0830df0a814da9b6cc in wicket's branch 
refs/heads/WICKET-6105-java.time from [~bitstorm]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=49df0e5 ]

WICKET-6074 Use SHA 256+ for signing the release artefacts


> Use SHA 256+ for signing the release artefacts
> --
>
> Key: WICKET-6074
> URL: https://issues.apache.org/jira/browse/WICKET-6074
> Project: Wicket
>  Issue Type: Task
>  Components: release
>Affects Versions: 6.21.0, 7.2.0
>Reporter: Martin Grigorov
>Assignee: Andrea Del Bene
>
> See the discussion at dev@ about checking the release: 
> http://markmail.org/message/yu2f64rndmncseyd
> There are few issues:
> 1) It seems sha1sum is used. It will be better to use SHA 256+
> from release.sh:
> gpg --print-md SHA1 target/dist/apache-wicket-$version.tar.gz > 
> target/dist/apache-wicket-$version.tar.gz.sha
> 2) Drop .md5 ?!
> "man md5sum" says:
> BUGS
>The MD5 algorithm should not be used any more for security related 
> purposes.  Instead, better use an SHA-2 algorithm, implemented  in  the  
> programs  sha224sum(1),  sha256sum(1),  sha384sum(1),
>sha512sum(1)
> 3) use "sha256sum" instead of "gpg --print-md SHA1" to create the file to 
> make it simpler for checking later with "sha256sum -c"



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-09-28 Thread Maxim Solodovnik (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16184267#comment-16184267 ]

Maxim Solodovnik commented on WICKET-6074:
--

Thanks a lot! :)



[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-09-28 Thread ASF subversion and git services (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16184193#comment-16184193 ]

ASF subversion and git services commented on WICKET-6074:
-

Commit 4b76ebb84a6e13fd2e7e120e07e96d5544b0966d in wicket's branch 
refs/heads/wicket-7.x from [~bitstorm]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=4b76ebb ]

WICKET-6074 Use SHA 256+ for signing the release artefacts




[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-09-28 Thread Martin Grigorov (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16184164#comment-16184164 ]

Martin Grigorov commented on WICKET-6074:
-

Looks good to me!



[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-09-28 Thread Andrea Del Bene (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16184125#comment-16184125 ]

Andrea Del Bene commented on WICKET-6074:
-

If it's OK, I will backport to 7.x.



[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-09-28 Thread ASF subversion and git services (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16184124#comment-16184124 ]

ASF subversion and git services commented on WICKET-6074:
-

Commit 49df0e591db940ba86ccdd0830df0a814da9b6cc in wicket's branch 
refs/heads/master from [~bitstorm]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=49df0e5 ]

WICKET-6074 Use SHA 256+ for signing the release artefacts




[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-09-28 Thread Martin Grigorov (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16183976#comment-16183976 ]

Martin Grigorov commented on WICKET-6074:
-

Sha256 is enough.



[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-09-28 Thread Maxim Solodovnik (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16183955#comment-16183955 ]

Maxim Solodovnik commented on WICKET-6074:
--

AFAIK there should be verifiable signatures,
and a project can decide which should be used (at Apache OpenMeetings we provide sha256 and PGP).

BTW I was unable to find the place where the KEYS file is stored.



[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-09-28 Thread Andrea Del Bene (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16183929#comment-16183929 ]

Andrea Del Bene commented on WICKET-6074:
-

{quote}Also, MD5 is not really needed. Recently there was similar discussion at 
users@infra.a.o. It is up to the projects whether to use it or not.{quote}

Do they tell which signatures are required? The [official documentation|http://www.apache.org/dev/release-distribution#sigs-and-sums] is not very clear about it.



[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-09-28 Thread Martin Grigorov (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16183914#comment-16183914 ]

Martin Grigorov commented on WICKET-6074:
-

Please also rework the GPG generated sums to non-GPG.
It is hard to verify them automatically.
Using shaXYZsum and md5sum to create/verify them is much easier.

Also, MD5 is not really needed. Recently there was similar discussion at 
users@infra.a.o. It is up to the projects whether to use it or not.



[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-09-28 Thread Andrea Del Bene (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16183903#comment-16183903 ]

Andrea Del Bene commented on WICKET-6074:
-

I'm going to add the sha-256 generation ('sha256sum $f > $f.sha256') to the currently available signatures. This should be ok, right?






[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-09-24 Thread Maxim Solodovnik (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16178293#comment-16178293 ]

Maxim Solodovnik commented on WICKET-6074:
--

Maybe it's time to use the new type of signatures in 8.0.0?

> Use SHA 256+ for signing the release artefacts
> --
>
> Key: WICKET-6074
> URL: https://issues.apache.org/jira/browse/WICKET-6074
> Project: Wicket
>  Issue Type: Task
>  Components: release
>Affects Versions: 6.21.0, 7.2.0
>Reporter: Martin Grigorov
>
> See the discussion at dev@ about checking the release: 
> http://markmail.org/message/yu2f64rndmncseyd
> There are few issues:
> 1) It seems sha1sum is used. It will be better to use SHA 256+
> from release.sh:
> gpg --print-md SHA1 target/dist/apache-wicket-$version.tar.gz > 
> target/dist/apache-wicket-$version.tar.gz.sha
> 2) Drop .md5 ?!
> "man md5sum" says:
> BUGS
>The MD5 algorithm should not be used any more for security related 
> purposes.  Instead, better use an SHA-2 algorithm, implemented  in  the  
> programs  sha224sum(1),  sha256sum(1),  sha384sum(1),
>sha512sum(1)
> 3) use "sha256sum" instead of "gpg --print-md SHA1" to create the file to 
> make it simpler for checking later with "sha256sum -c"





[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-05-15 Thread Maxim Solodovnik (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16011672#comment-16011672 ]

Maxim Solodovnik commented on WICKET-6074:
--

I would say the current sums can hardly be checked using `gpg`:

{code}
gpg --print-md MD5 apache-wicket-8.0.0-M6.tar.gz | diff apache-wicket-8.0.0-M6.tar.gz.md5 -
1,2c1
< target/dist/apache-wicket-8.0.0-M6.tar.gz: 
< E0 D7 6A D0 90 CF 3F 4F  B1 3E D4 81 47 34 08 9F
---
> apache-wicket-8.0.0-M6.tar.gz: E0 D7 6A D0 90 CF 3F 4F  B1 3E D4 81 47 34 08 
> 9F
{code}

I would VOTE for changing the generation of the sums.




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-03-26 Thread Maxim Solodovnik (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15942218#comment-15942218 ]

Maxim Solodovnik commented on WICKET-6074:
--

This issue seems to be too silent :(
Maybe it's time to merge the changes to 7.x/8.x?



[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-02-07 Thread Martin Grigorov (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15856897#comment-15856897 ]

Martin Grigorov commented on WICKET-6074:
-

Do we really need all kinds of sums?

{code}
gpg --armor --detach-sign --use-agent --sign $f 
md5sum $f > $f.md5
sha256sum $f > $f.sha256
{code}
is enough.



[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-02-07 Thread Maxim Solodovnik (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15855709#comment-15855709 ]

Maxim Solodovnik commented on WICKET-6074:
--

OK with me :)
I'm not sure why to keep $f.gpg*.



[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-02-07 Thread Martijn Dashorst (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15855650#comment-15855650 ]

Martijn Dashorst commented on WICKET-6074:
--

First of all, you should verify the release by the GPG signed signature:

{code}
gpg --verify apache-wicket-*.tar.gz.asc
{code}

Now for the md5 and sha1 sums, I agree that the gpg format is strange due to 
the extra new line between the path and checksum. We should at least change the 
release script to pushd and popd to the dist folder before generating the 
signatures, this will eliminate the target/dist/ from the path and the 
extraneous new line.

Then it is just a
{code}
gpg --print-md MD5 apache-wicket-8.0.0-M4.tar.gz | diff apache-wicket-8.0.0-M4.tar.gz.md5 -
{code}

away to verify the release. We can *also* change the extension of the gpg message digest to .gpgmd5 and add md5sum signatures for BSD-like verification.

I propose the following change to the release script:

{code}
pushd target/dist

for f in apache*.{gz,zip}
do
gpg --armor --detach-sign --use-agent --sign $f
gpg --print-md SHA1 $f > $f.gpgsha1
gpg --print-md MD5 $f > $f.gpgmd5
md5sum $f > $f.md5
sha1sum $f > $f.sha1
sha256sum $f > $f.sha256
done

popd
{code}

and do the same for the convenience binaries.


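The layout proposed above (generate the sums from inside the dist directory so the recorded path is the bare file name) together with the `sha256sum -c` check the thread asks for, as an added example in POSIX sh that is not Wicket's release.sh. It uses a subshell with `cd` in place of bash's `pushd`/`popd`, leaves out the `gpg --armor --detach-sign` step so it runs without a key ring, and builds its own throwaway artefacts (constructed payloads under the placeholder version X.Y.Z) to show the verify-pass, wrong-path-prefix and tampered-artefact cases.

```shell
#!/bin/sh
# Added example, not Wicket's release.sh: write checksums in the coreutils
# "<hex>  <name>" layout from inside the dist directory, so a reviewer can
# run "sha256sum -c" next to the downloaded artefact. The gpg
# --armor --detach-sign step of the proposal is left out so the example
# runs without a key ring.

# write_sums <dist-dir>: for every apache*.gz / apache*.zip in <dist-dir>
# create <name>.sha256 recording the bare file name. The subshell + cd is
# the POSIX form of pushd/popd; it is what keeps "target/dist/" out of the
# recorded path.
write_sums() {
    ( cd "$1" || exit 1
      for f in apache*.gz apache*.zip; do
          [ -f "$f" ] || continue      # unmatched glob is left literal by sh
          sha256sum "$f" > "$f.sha256"
      done )
}

# check_sums <dist-dir>: run sha256sum -c on every .sha256 file there;
# exit status 0 only if every artefact matches its recorded digest.
check_sums() {
    ( cd "$1" || exit 1
      status=0
      for s in *.sha256; do
          [ -f "$s" ] || continue
          sha256sum -c "$s" >/dev/null 2>&1 || status=1
      done
      exit "$status" )
}

# demo_release_sums: constructed fixture with placeholder version X.Y.Z.
# Returns 0 when (a) freshly generated sums verify, (b) a digest recorded
# from the project root (with the target/dist/ prefix) cannot be checked
# from the artefact's own directory, and (c) a modified artefact is
# rejected. Non-zero return codes tell which expectation failed.
demo_release_sums() {
    root=$(mktemp -d) || return 1
    dist="$root/target/dist"
    mkdir -p "$dist"
    printf 'constructed payload A\n' > "$dist/apache-wicket-X.Y.Z.tar.gz"
    printf 'constructed payload B\n' > "$dist/apache-wicket-X.Y.Z.zip"
    rc=0
    write_sums "$dist" && check_sums "$dist" || rc=2           # (a) must pass
    if [ "$rc" -eq 0 ]; then
        # (b) the pre-fix layout: digest generated from the project root
        ( cd "$root" && sha256sum target/dist/apache-wicket-X.Y.Z.tar.gz \
              > target/dist/apache-wicket-X.Y.Z.tar.gz.sha256 )
        check_sums "$dist" && rc=3                              # must fail
    fi
    if [ "$rc" -eq 0 ]; then
        write_sums "$dist"                                      # restore
        printf 'tampered\n' >> "$dist/apache-wicket-X.Y.Z.zip"  # (c)
        check_sums "$dist" && rc=4                              # must fail
    fi
    rm -rf "$root"
    return "$rc"
}
```

Case (b) is the one the thread keeps running into: a digest file that names `target/dist/apache-wicket-...` cannot be checked with `-c` from the directory the download lands in, so the path must be recorded relative to the artefact.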

[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-02-06 Thread Martin Grigorov (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15855449#comment-15855449 ]

Martin Grigorov commented on WICKET-6074:
-

I fully agree with Maxim!
The verification should be automated. No one should spend his time on doing all 
this manually!
The real problem is that no one even checks those now! 
One month ago Henk Penning's scripts found problems in Wicket's checksums!

If there is a way to make automated checks with gpg then let's document it, 
otherwise let's switch to md5sum and sha256sum!

> Use SHA 256+ for signing the release artefacts
> --
>
> Key: WICKET-6074
> URL: https://issues.apache.org/jira/browse/WICKET-6074
> Project: Wicket
>  Issue Type: Task
>  Components: release
>Affects Versions: 6.21.0, 7.2.0
>Reporter: Martin Grigorov
>Assignee: Martijn Dashorst
>
> See the discussion at dev@ about checking the release: 
> http://markmail.org/message/yu2f64rndmncseyd
> There are few issues:
> 1) It seems sha1sum is used. It will be better to use SHA 256+
> from release.sh:
> gpg --print-md SHA1 target/dist/apache-wicket-$version.tar.gz > 
> target/dist/apache-wicket-$version.tar.gz.sha
> 2) Drop .md5 ?!
> "man md5sum" says:
> BUGS
>The MD5 algorithm should not be used any more for security related 
> purposes.  Instead, better use an SHA-2 algorithm, implemented  in  the  
> programs  sha224sum(1),  sha256sum(1),  sha384sum(1),
>sha512sum(1)
> 3) use "sha256sum" instead of "gpg --print-md SHA1" to create the file to 
> make it simpler for checking later with "sha256sum -c"





[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-02-06 Thread Maxim Solodovnik (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15855211#comment-15855211 ]

Maxim Solodovnik commented on WICKET-6074:
--

OK, here is the process I'm using to check signatures:

cat apache-wicket-8.0.0-M4.tar.gz.sha
sha1sum apache-wicket-8.0.0-M4.tar.gz
and compare the output by eye:
{code}
target/dist/apache-wicket-8.0.0-M4.tar.gz: 
A903 2884 75D4 0D93 1669  BB3D AB91 8744 1954 AB52
a903288475d40d931669bb3dab9187441954ab52  apache-wicket-8.0.0-M4.tar.gz
{code}

Normally machine-generated sequences should be machine-validatable.
After the proposed changes the process will be:
{code}
sha256sum -c apache-wicket-8.0.0-M4.tar.gz.sha256 
apache-wicket-8.0.0-M4.tar.gz: OK
{code}
(SHA256 was generated as an example)

Same with md5.

Maybe I'm using wrong tools to check the sum?


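A machine check for the existing `gpg --print-md` style files, as an added example that is not Wicket's script: it rewrites the two-line, upper-case, space-grouped digest file that the gpg/diff attempt earlier in the thread and the by-eye comparison in this comment wrestle with into the `<hex>  <name>` line that `sha1sum -c` (or `md5sum -c`) expects, dropping the target/dist/ prefix. The fixture function builds a throwaway artefact under a placeholder name and formats its digest the way gpg prints it (constructed with sha1sum, tr and sed, so the example runs without gpg).

```shell
#!/bin/sh
# Added example, not Wicket's release.sh: make a legacy "gpg --print-md"
# digest file checkable by sha1sum -c / md5sum -c instead of by eye.
#
# Legacy layout (as release.sh wrote it, quoted in the thread):
#   target/dist/apache-wicket-8.0.0-M4.tar.gz:
#   A903 2884 75D4 0D93 1669  BB3D AB91 8744 1954 AB52
# coreutils layout that "-c" understands:
#   a903288475d40d931669bb3dab9187441954ab52  apache-wicket-8.0.0-M4.tar.gz

# gpgmd_to_coreutils <digest-file>
# Joins the lines, splits on the first ": " into path and digest, keeps only
# the base name (the checker runs next to the artefact, so "target/dist/"
# must go) and squeezes the digest into lower-case hex.
gpgmd_to_coreutils() {
    tr '\n' ' ' < "$1" | awk -F': ' '{
        path = $1; sub(/^.*\//, "", path)
        hex = $2; gsub(/[^0-9A-Fa-f]/, "", hex)
        printf "%s  %s\n", tolower(hex), path
    }'
}

# verify_legacy <digest-file> <sum-command>   (sha1sum, md5sum, ...)
# Runs the coreutils checker in the digest file's directory; exit status is
# 0 only when the recorded digest matches the artefact on disk.
verify_legacy() {
    digest=$1; tool=$2
    ( cd "$(dirname "$digest")" &&
      gpgmd_to_coreutils "$(basename "$digest")" | "$tool" -c - >/dev/null 2>&1 )
}

# demo_legacy_check: constructed fixture. Writes a throwaway artefact under a
# placeholder name, formats its SHA-1 the way gpg prints it (path prefix,
# newline, upper-case 4-char groups, double space mid-line), then expects the
# check to pass as-is and to fail once the artefact is modified.
# Returns 0 when both expectations hold.
demo_legacy_check() {
    dir=$(mktemp -d) || return 1
    art="$dir/apache-wicket-X.Y.Z.tar.gz"
    printf 'constructed release payload\n' > "$art"
    hex=$(sha1sum "$art" | cut -d' ' -f1)
    {
        printf 'target/dist/apache-wicket-X.Y.Z.tar.gz: \n'
        printf '%s\n' "$hex" | tr 'a-f' 'A-F' |
            sed 's/..../& /g; s/\(.\{4\} \)\{5\}/& /; s/ $//'
    } > "$art.sha"
    rc=0
    verify_legacy "$art.sha" sha1sum || rc=2          # genuine file: must pass
    printf 'tampered\n' >> "$art"
    verify_legacy "$art.sha" sha1sum && rc=3          # modified file: must fail
    rm -rf "$dir"
    return $rc
}
```

The conversion only makes the old files checkable; it does not change what they prove. A digest file fetched from the same place as the artefact detects corruption, not substitution, so the `gpg --verify` of the detached `.asc` signature against the project's KEYS remains the step that binds the download to the release manager.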

[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-02-06 Thread Martijn Dashorst (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15853895#comment-15853895 ]

Martijn Dashorst commented on WICKET-6074:
--

Please explain why it is extremely hard and not just hard or merely inconvenient?

You already need to use gpg to verify the download of the release based on the 
private/public key signing. It is one installation (I'd preferably install it 
through a package management system like homebrew (macOS) or chocolatey/oneget 
(Windows)) away. 

You need maven, java, an IDE, etc. to be able to develop with Wicket. GPG is 
just one of the tools you need and is available for all platforms, so it is 
rather well suited as the default key generator (we already must sign the 
release with a GPG key pair) and digest checksum(s).



[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-02-06 Thread Maxim Solodovnik (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15853664#comment-15853664 ]

Maxim Solodovnik commented on WICKET-6074:
--

According to Apache rules: 
http://www.apache.org/legal/release-policy.html#release-approval before VOTE +1 
every PMC needs to check checksums and signatures.
It is extremely hard for Wicket :(
Using sha256sum will improve the process a lot.

Maven can be used to create signatures
GPG - maven-gpg-plugin
sha256 - net.ju-n.maven.plugins:checksum-maven-plugin (with shasumSummaryFile 
option)




[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2017-01-09 Thread Andrea Del Bene (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15811604#comment-15811604 ]

Andrea Del Bene commented on WICKET-6074:
-

md5 is used by the automatic checker, so we must keep it: 
http://mirror-vm.apache.org/~henkp/checker/faq.html
Here is the release document that requires producing a .md5 file and a .asc 
one:

https://www.apache.org/dev/release-signing.html#basic-facts



[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2016-01-20 Thread Martin Grigorov (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15108714#comment-15108714 ]

Martin Grigorov commented on WICKET-6074:
-

Using the non-gpg programs to create the .md5 and .sha files helps with the 
verification.
Using a non-standard way, like GPG, makes it cumbersome to verify. And I guess 
this is part of the reason why no one even checks this during voting.
Now Maxim tried to verify it and it failed for him.
I don't see why we should keep using GPG digests even if they are very common in 
Apache projects.
Even the .sha name should be renamed to .sha1 or .sha256 or whatever algorithm 
is used. Otherwise I have to try all of the possible options to be able to 
verify it.



[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2016-01-20 Thread Martijn Dashorst (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15108608#comment-15108608 ]

Martijn Dashorst commented on WICKET-6074:
--

I wouldn't want to change anything.

Using gpg digests is common across ASF projects and while md5 is not good for 
hashing passwords, it is suitable for a CRC checksum (i.e. is the download 
correct).

For security one should explicitly check the GPG asc signature files against 
the GPG keys we use to sign the release.

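An added example, not code from the ticket, from this thread or from Wicket's release.sh, that puts the two positions above into one script: checksum files written with sha256sum/sha512sum in the layout their -c mode reads and named by algorithm (Martin's point), a reader for a legacy .sha file that works out the algorithm from the digest length and accepts the "gpg --print-md" layout (point 3 of the ticket), and the .asc signature check Martijn describes as the actual security step. It assumes GNU coreutils (sha1sum/sha256sum/sha512sum), gpg on PATH for verify_signature, and a KEYS file path supplied by the caller; the artefact in the demo is a constructed file, not a release.

```shell
#!/bin/sh
# Added example, not Wicket's release.sh. Assumes GNU coreutils
# (sha1sum/sha256sum/sha512sum); verify_signature also assumes gpg and a
# KEYS file whose path the caller supplies.

# Write <artefact>.sha256 and <artefact>.sha512 beside the artefact in
# coreutils layout ("<hex>  <basename>"). Running from the artefact's own
# directory keeps the build path out of the file, so a downloader can
# verify from wherever the tarball was saved.
make_checksums() {
    dir=$(dirname "$1"); base=$(basename "$1")
    ( cd "$dir" && sha256sum "$base" > "$base.sha256" \
                && sha512sum "$base" > "$base.sha512" )
}

# Verify both files with the tools' own -c mode; non-zero on any mismatch.
verify_checksums() {
    dir=$(dirname "$1"); base=$(basename "$1")
    ( cd "$dir" && sha256sum -c "$base.sha256" >/dev/null \
                && sha512sum -c "$base.sha512" >/dev/null )
}

# Pull the bare hex digest out of a checksum file in either layout:
# coreutils ("<hex>  <name>", first token is pure hex) or gpg --print-md
# ("<name>: AB12 CD34 ...", upper case, grouped, possibly wrapped).
extract_hex() {
    content=$(cat "$1")
    first=$(printf '%s' "$content" | awk '{ print $1; exit }')
    case "$first" in
        *[!0-9A-Fa-f]*) printf '%s' "$content" | sed 's/^[^:]*://' | tr -cd '0-9A-Fa-f' ;;
        *)              printf '%s' "$first" ;;
    esac
}

# A bare ".sha" file does not say which algorithm produced it, but the
# digest length does: 40 hex chars = SHA-1, 64 = SHA-256, 128 = SHA-512.
algo_of_sha_file() {
    hex=$(extract_hex "$1")
    case ${#hex} in
        40)  echo sha1 ;;
        64)  echo sha256 ;;
        128) echo sha512 ;;
        *)   echo "unrecognised digest length ${#hex} in $1" >&2; return 1 ;;
    esac
}

# Check an artefact against a legacy .sha file of either layout, comparing
# case-insensitively so gpg's upper-case output matches coreutils' lower case.
verify_legacy_sha() {
    algo=$(algo_of_sha_file "$2") || return 1
    expected=$(extract_hex "$2" | tr 'A-F' 'a-f')
    actual=$("${algo}sum" "$1" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# The check that establishes provenance rather than download integrity:
# the detached OpenPGP signature against the release managers' keys.
# Importing KEYS into a throwaway keyring means a signature made by any
# key not in KEYS fails with "No public key" instead of verifying.
verify_signature() {
    artefact="$1"; keys="$2"
    ring=$(mktemp -d)
    GNUPGHOME="$ring" gpg --batch --quiet --import "$keys" 2>/dev/null \
        && GNUPGHOME="$ring" gpg --batch --verify "$artefact.asc" "$artefact"
    rc=$?
    rm -rf "$ring"
    return $rc
}

# Demo on a constructed file standing in for a release tarball.
work=$(mktemp -d)
sample="$work/apache-wicket-0.0.0.tar.gz"
printf 'constructed sample artefact, not a real release\n' > "$sample"
make_checksums "$sample"
cat "$sample.sha256"
verify_checksums "$sample" && echo "sha256/sha512 checksums verify"
echo "algorithm detected from the .sha256 file: $(algo_of_sha_file "$sample.sha256")"
rm -rf "$work"
```

A voter would run verify_signature on the tarball with the project's KEYS file first and verify_checksums second; a zero exit from gpg --verify only says the signature matches some key in KEYS, and gpg prints which one, which is the line worth reading.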


[jira] [Commented] (WICKET-6074) Use SHA 256+ for signing the release artefacts

2016-01-17 Thread Martin Grigorov (JIRA)

[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15103651#comment-15103651 ]

Martin Grigorov commented on WICKET-6074:
-

[~dashorst] Do you want me to do the changes for you?
I'm just not sure whether you have these programs on your OSX.
