[PATCH] build: use sha256sum instead of sha1sum to sign releases
Tomi Ollila
tomi.ollila at iki.fi
Thu Mar 2 07:10:46 PST 2017
On Thu, Mar 02 2017, David Bremner <david at tethera.net> wrote:
> SHA1 is weak/broken.
> ---
I'd just have 'build: use sha256sum instead of sha1sum to sign releases'
as a commit message.
Anyway, LGTM.
Tomi
PS: this is sha-2 256 -- that makes me wonder what will be the file suffix
for sha-3 256 (or for any other bits...)
> Makefile.global | 4 ++--
> Makefile.local | 9 ++++-----
> 2 files changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/Makefile.global b/Makefile.global
> index d8f335af..7a78e9b5 100644
> --- a/Makefile.global
> +++ b/Makefile.global
> @@ -43,8 +43,8 @@ RELEASE_URL=https://notmuchmail.org/releases
> TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
> ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
> DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
> -SHA1_FILE=$(TAR_FILE).sha1
> -GPG_FILE=$(SHA1_FILE).asc
> +SHA256_FILE=$(TAR_FILE).sha256
> +GPG_FILE=$(SHA256_FILE).asc
>
> PV_FILE=bindings/python/notmuch/version.py
>
> diff --git a/Makefile.local b/Makefile.local
> index 3548ed96..d2ef3e08 100644
> --- a/Makefile.local
> +++ b/Makefile.local
> @@ -36,12 +36,11 @@ $(TAR_FILE):
> gzip < $(TAR_FILE).tmp > $(TAR_FILE)
> @echo "Source is ready for release in $(TAR_FILE)"
>
> -$(SHA1_FILE): $(TAR_FILE)
> - sha1sum $^ > $@
> +$(SHA256_FILE): $(TAR_FILE)
> + sha256sum $^ > $@
>
> -$(GPG_FILE): $(SHA1_FILE)
> - @echo "Please enter your GPG password to sign the checksum."
> - gpg --armor --sign $^
> +$(GPG_FILE): $(SHA256_FILE)
> + gpg --armor --sign $^
>
> .PHONY: dist
> dist: $(TAR_FILE)
> --
> 2.11.0
>
> _______________________________________________
> notmuch mailing list
> notmuch at notmuchmail.org
> https://notmuchmail.org/mailman/listinfo/notmuch
More information about the notmuch
mailing list