[PATCH] build: use sha256sum instead of sha1sum to sign releases
David Bremner
david at tethera.net
Wed Mar 1 16:44:47 PST 2017
SHA1 is weak/broken.
---
Makefile.global | 4 ++--
Makefile.local | 9 ++++-----
2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/Makefile.global b/Makefile.global
index d8f335af..7a78e9b5 100644
--- a/Makefile.global
+++ b/Makefile.global
@@ -43,8 +43,8 @@ RELEASE_URL=https://notmuchmail.org/releases
TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
-SHA1_FILE=$(TAR_FILE).sha1
-GPG_FILE=$(SHA1_FILE).asc
+SHA256_FILE=$(TAR_FILE).sha256
+GPG_FILE=$(SHA256_FILE).asc
PV_FILE=bindings/python/notmuch/version.py
diff --git a/Makefile.local b/Makefile.local
index 3548ed96..d2ef3e08 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -36,12 +36,11 @@ $(TAR_FILE):
gzip < $(TAR_FILE).tmp > $(TAR_FILE)
@echo "Source is ready for release in $(TAR_FILE)"
-$(SHA1_FILE): $(TAR_FILE)
- sha1sum $^ > $@
+$(SHA256_FILE): $(TAR_FILE)
+ sha256sum $^ > $@
-$(GPG_FILE): $(SHA1_FILE)
- @echo "Please enter your GPG password to sign the checksum."
- gpg --armor --sign $^
+$(GPG_FILE): $(SHA256_FILE)
+ gpg --armor --sign $^
.PHONY: dist
dist: $(TAR_FILE)
--
2.11.0
More information about the notmuch
mailing list