[PATCH] build: use sha256sum instead of sha1sum to sign releases

Tomi Ollila tomi.ollila at iki.fi
Thu Mar 2 07:10:46 PST 2017


On Thu, Mar 02 2017, David Bremner <david at tethera.net> wrote:

> SHA1 is weak/broken.
> ---

I'd just have 'build: use sha256sum instead of sha1sum to sign releases'
as a commit message.

Anyway, LGTM.

Tomi

PS: this is sha-2 256 -- that makes me wonder what will be the file suffix
for sha-3 256 (or for any other bits...)


>  Makefile.global | 4 ++--
>  Makefile.local  | 9 ++++-----
>  2 files changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/Makefile.global b/Makefile.global
> index d8f335af..7a78e9b5 100644
> --- a/Makefile.global
> +++ b/Makefile.global
> @@ -43,8 +43,8 @@ RELEASE_URL=https://notmuchmail.org/releases
>  TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
>  ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
>  DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
> -SHA1_FILE=$(TAR_FILE).sha1
> -GPG_FILE=$(SHA1_FILE).asc
> +SHA256_FILE=$(TAR_FILE).sha256
> +GPG_FILE=$(SHA256_FILE).asc
>  
>  PV_FILE=bindings/python/notmuch/version.py
>  
> diff --git a/Makefile.local b/Makefile.local
> index 3548ed96..d2ef3e08 100644
> --- a/Makefile.local
> +++ b/Makefile.local
> @@ -36,12 +36,11 @@ $(TAR_FILE):
>  	gzip < $(TAR_FILE).tmp > $(TAR_FILE)
>  	@echo "Source is ready for release in $(TAR_FILE)"
>  
> -$(SHA1_FILE): $(TAR_FILE)
> -	sha1sum $^ > $@
> +$(SHA256_FILE): $(TAR_FILE)
> +	sha256sum $^ > $@
>  
> -$(GPG_FILE): $(SHA1_FILE)
> -	@echo "Please enter your GPG password to sign the checksum."
> -	gpg --armor --sign $^ 
> +$(GPG_FILE): $(SHA256_FILE)
> +	gpg --armor --sign $^
>  
>  .PHONY: dist
>  dist: $(TAR_FILE)
> -- 
> 2.11.0
>
> _______________________________________________
> notmuch mailing list
> notmuch at notmuchmail.org
> https://notmuchmail.org/mailman/listinfo/notmuch


More information about the notmuch mailing list