unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed
* bug#55666: enhancement request - SHA-256 for emacs downloads
@ 2022-05-26 17:47 Ali Elshishini
  2022-05-27 10:59 ` Lars Ingebrigtsen
  0 siblings, 1 reply; 16+ messages in thread
From: Ali Elshishini @ 2022-05-26 17:47 UTC (permalink / raw)
  To: 55666

[-- Attachment #1: Type: text/plain, Size: 428 bytes --]

Hi

May you please include a list of SHA-256 hashes for the downloads in
https://www.gnu.org/software/emacs/download.html

This will provide an easy and secure way to verify downloads
Please note that the experience to verify the signature on windows is very poor
and it for me at least ended up with the file nor being verified because of missing public key

A SHA-256 hash will be a simple solution

Thanks
Ali


[-- Attachment #2: Type: text/html, Size: 1152 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-26 17:47 bug#55666: enhancement request - SHA-256 for emacs downloads Ali Elshishini
@ 2022-05-27 10:59 ` Lars Ingebrigtsen
  2022-05-27 11:46   ` Ali Elshishini
  2022-05-27 12:28   ` Eli Zaretskii
  0 siblings, 2 replies; 16+ messages in thread
From: Lars Ingebrigtsen @ 2022-05-27 10:59 UTC (permalink / raw)
  To: Ali Elshishini; +Cc: 55666

Ali Elshishini <shishini@outlook.com> writes:

> May you please include a list of SHA-256 hashes for the downloads in 
> https://www.gnu.org/software/emacs/download.html
>
> This will provide an easy and secure way to verify downloads
> Please note that the experience to verify the signature on windows is very poor
> and it for me at least ended up with the file nor being verified because of missing
> public key 
>
> A SHA-256 hash will be a simple solution

That would require people to edit that web page every time they generate
a package, which would be error prone and require too much work of the
people who build the packages.

The packages are signed, which I think should be more than sufficient,
so I'm closing this bug report.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no





^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-27 10:59 ` Lars Ingebrigtsen
@ 2022-05-27 11:46   ` Ali Elshishini
  2022-05-29  7:42     ` Corwin Brust
  2022-05-27 12:28   ` Eli Zaretskii
  1 sibling, 1 reply; 16+ messages in thread
From: Ali Elshishini @ 2022-05-27 11:46 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: 55666@debbugs.gnu.org

[-- Attachment #1: Type: text/plain, Size: 1608 bytes --]

A checksum file (a file containing all checksums) can be included in the ftp folders
(each folder can have one checksums file for the files it contains)

This way the web page won't have to be updated with every release

Otherwise if you absolutely can't,  please add clear instructions on  how to verify the downloads using the signatures, I personally tried my best and still failed

Thanks
Ali

Get Outlook for Android<https://aka.ms/AAb9ysg>
________________________________
From: Lars Ingebrigtsen <larsi@gnus.org>
Sent: Friday, May 27, 2022 6:59:25 AM
To: Ali Elshishini <shishini@outlook.com>
Cc: 55666@debbugs.gnu.org <55666@debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads

Ali Elshishini <shishini@outlook.com> writes:

> May you please include a list of SHA-256 hashes for the downloads in
> https://www.gnu.org/software/emacs/download.html
>
> This will provide an easy and secure way to verify downloads
> Please note that the experience to verify the signature on windows is very poor
> and it for me at least ended up with the file nor being verified because of missing
> public key
>
> A SHA-256 hash will be a simple solution

That would require people to edit that web page every time they generate
a package, which would be error prone and require too much work of the
people who build the packages.

The packages are signed, which I think should be more than sufficient,
so I'm closing this bug report.

--
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

[-- Attachment #2: Type: text/html, Size: 2653 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-27 10:59 ` Lars Ingebrigtsen
  2022-05-27 11:46   ` Ali Elshishini
@ 2022-05-27 12:28   ` Eli Zaretskii
  2022-05-28  0:43     ` Ali Elshishini
  1 sibling, 1 reply; 16+ messages in thread
From: Eli Zaretskii @ 2022-05-27 12:28 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: 55666, shishini

> Cc: 55666@debbugs.gnu.org
> From: Lars Ingebrigtsen <larsi@gnus.org>
> Date: Fri, 27 May 2022 12:59:25 +0200
> 
> Ali Elshishini <shishini@outlook.com> writes:
> 
> > May you please include a list of SHA-256 hashes for the downloads in 
> > https://www.gnu.org/software/emacs/download.html
> >
> > This will provide an easy and secure way to verify downloads
> > Please note that the experience to verify the signature on windows is very poor
> > and it for me at least ended up with the file nor being verified because of missing
> > public key 
> >
> > A SHA-256 hash will be a simple solution
> 
> That would require people to edit that web page every time they generate
> a package, which would be error prone and require too much work of the
> people who build the packages.
> 
> The packages are signed, which I think should be more than sufficient,
> so I'm closing this bug report.

In addition, one can find the SHA values in the announcements made on
info-gnu-emacs.  Here's the one about Emacs 28.1:

  https://lists.gnu.org/archive/html/info-gnu-emacs/2022-04/msg00000.html

You can similarly search for announcements of the older releases.





^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-27 12:28   ` Eli Zaretskii
@ 2022-05-28  0:43     ` Ali Elshishini
  2022-05-28  6:15       ` Eli Zaretskii
  0 siblings, 1 reply; 16+ messages in thread
From: Ali Elshishini @ 2022-05-28  0:43 UTC (permalink / raw)
  To: Eli Zaretskii, Lars Ingebrigtsen; +Cc: 55666@debbugs.gnu.org


[-- Attachment #1.1: Type: text/plain, Size: 2598 bytes --]

Hi Eli

Thanks for pointing out the announcement email
Unfortunately it doesn't include the SHA hashes for the windows files

Also verify the signature on windows I am not sure if this is the expected output
for me look like it failed

From command line

PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --keyserver keyserver.ubuntu.com --recv-keys 17E90D521672C04631B1183EE78DAE0F3115E06B
gpg: key E78DAE0F3115E06B: "Eli Zaretskii <eliz@gnu.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --verify .\emacs-28.1.zip.sig
gpg: assuming signed data in '.\emacs-28.1.zip'
gpg: Signature made 2022-04-21 4:11:30 PM Eastern Daylight Time
gpg:                using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007
gpg: Can't check signature: No public key
PS C:\downloads>

From UI

[cid:ffde0eec-a938-43f4-acc5-c100d4e99514]

I think adding the SHA hashes somewhere remains a valuable addition
using and verifying signature on windows is more complicated than it needs to be

Regards
Ali

________________________________
From: Eli Zaretskii <eliz@gnu.org>
Sent: May 27, 2022 8:28 AM
To: Lars Ingebrigtsen <larsi@gnus.org>
Cc: shishini@outlook.com <shishini@outlook.com>; 55666@debbugs.gnu.org <55666@debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads

> Cc: 55666@debbugs.gnu.org
> From: Lars Ingebrigtsen <larsi@gnus.org>
> Date: Fri, 27 May 2022 12:59:25 +0200
>
> Ali Elshishini <shishini@outlook.com> writes:
>
> > May you please include a list of SHA-256 hashes for the downloads in
> > https://www.gnu.org/software/emacs/download.html
> >
> > This will provide an easy and secure way to verify downloads
> > Please note that the experience to verify the signature on windows is very poor
> > and it for me at least ended up with the file nor being verified because of missing
> > public key
> >
> > A SHA-256 hash will be a simple solution
>
> That would require people to edit that web page every time they generate
> a package, which would be error prone and require too much work of the
> people who build the packages.
>
> The packages are signed, which I think should be more than sufficient,
> so I'm closing this bug report.

In addition, one can find the SHA values in the announcements made on
info-gnu-emacs.  Here's the one about Emacs 28.1:

  https://lists.gnu.org/archive/html/info-gnu-emacs/2022-04/msg00000.html

You can similarly search for announcements of the older releases.

[-- Attachment #1.2: Type: text/html, Size: 4592 bytes --]

[-- Attachment #2: image.png --]
[-- Type: image/png, Size: 18749 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-28  0:43     ` Ali Elshishini
@ 2022-05-28  6:15       ` Eli Zaretskii
  2022-05-28 17:14         ` Ali Elshishini
  0 siblings, 1 reply; 16+ messages in thread
From: Eli Zaretskii @ 2022-05-28  6:15 UTC (permalink / raw)
  To: Ali Elshishini, Corwin Brust; +Cc: larsi, 55666

> From: Ali Elshishini <shishini@outlook.com>
> CC: "55666@debbugs.gnu.org" <55666@debbugs.gnu.org>
> Date: Sat, 28 May 2022 00:43:28 +0000
> 
> Thanks for pointing out the announcement email
> Unfortunately it doesn't include the SHA hashes for the windows files 

You never said in your original message that this is about the Windows
binaries.

The Windows precompiled binaries are produced by volunteers who are
only loosely associated with the Emacs project.  The project releases
Emacs as source tarballs, and the SHA checksums for that are in the
announcement.  I've CC'ed Corwin, who produced the latest binaries of
Emacs 28.1.

For the Windows binaries, providing the SHA checksums is entirely up
to the person(s) who makes the binaries available.

> Also verify the signature on windows I am not sure if this is the expected output
> for me look like it failed 
> 
> >From command line
> 
> PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --keyserver keyserver.ubuntu.com --recv-keys
> 17E90D521672C04631B1183EE78DAE0F3115E06B 
> gpg: key E78DAE0F3115E06B: "Eli Zaretskii <eliz@gnu.org>" not changed
> gpg: Total number processed: 1
> gpg:              unchanged: 1
> PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --verify .\emacs-28.1.zip.sig
> gpg: assuming signed data in '.\emacs-28.1.zip'
> gpg: Signature made 2022-04-21 4:11:30 PM Eastern Daylight Time
> gpg:                using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007
> gpg: Can't check signature: No public key
> PS C:\downloads>

You are using the wrong GPG key: my key was used to sign the source
tarballs, not the Windows binary zip files.  The Windows binaries were
signed by Corwin Brust's key as the Download page says.  You need to
fetch that key, not mine.

> I think adding the SHA hashes somewhere remains a valuable addition
> using and verifying signature on windows is more complicated than it needs to be

That may be so, but this activity is based on volunteers doing this on
their free time.  We can only ask them to do what their time and
resources allow.





^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-28  6:15       ` Eli Zaretskii
@ 2022-05-28 17:14         ` Ali Elshishini
  2022-05-28 19:06           ` Eli Zaretskii
  0 siblings, 1 reply; 16+ messages in thread
From: Ali Elshishini @ 2022-05-28 17:14 UTC (permalink / raw)
  To: Eli Zaretskii, Corwin Brust; +Cc: larsi@gnus.org, 55666@debbugs.gnu.org

[-- Attachment #1: Type: text/plain, Size: 424 bytes --]


Hi Corwin,

Can you please consider including a SHA-256 hash for the windows binaries
Also can you please share your version of this command

gpg --keyserver keyserver.ubuntu.com --recv-keys 17E90D521672C04631B1183EE78DAE0F3115E06B

So we may be able to verify the signature
Or add any other instruction on how to verify the signature on Windows

And thanks ELI for all the info you provided

Thanks
Ali



[-- Attachment #2: Type: text/html, Size: 2632 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-28 17:14         ` Ali Elshishini
@ 2022-05-28 19:06           ` Eli Zaretskii
  2022-05-28 19:17             ` Ali Elshishini
  0 siblings, 1 reply; 16+ messages in thread
From: Eli Zaretskii @ 2022-05-28 19:06 UTC (permalink / raw)
  To: Ali Elshishini; +Cc: larsi, corwin, 55666

> From: Ali Elshishini <shishini@outlook.com>
> CC: "larsi@gnus.org" <larsi@gnus.org>, "55666@debbugs.gnu.org"
> 	<55666@debbugs.gnu.org>
> Date: Sat, 28 May 2022 17:14:26 +0000
> 
> Also can you please share your version of this command 
> 
> gpg --keyserver keyserver.ubuntu.com --recv-keys 17E90D521672C04631B1183EE78DAE0F3115E06B

That's easy: you need to use the correct key signature.  The signature
is shown on the download page:

   ECE7 7CF4 17C7 6C1A CFCE 7C2B 5B61 3551 1580 F007






^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-28 19:06           ` Eli Zaretskii
@ 2022-05-28 19:17             ` Ali Elshishini
  2022-05-28 19:27               ` Eli Zaretskii
  0 siblings, 1 reply; 16+ messages in thread
From: Ali Elshishini @ 2022-05-28 19:17 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: larsi@gnus.org, corwin@bru.st, 55666@debbugs.gnu.org

[-- Attachment #1: Type: text/plain, Size: 2036 bytes --]

Thanks All

But again, verifying the signature on windows doesn't seem to instill confidence at all
Corvwin  doesnt have a certified key
I am not a certificate expert, so I dont know how all of this works

So,  I still hope Corwin or the Windows Binaries volunteers will still be able to provide
SHA-256 hashes

PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --keyserver keyserver.ubuntu.com --recv-keys ECE77CF417C76C1ACFCE7C2B5B6135511580F007
gpg: key 5B6135511580F007: public key "Corwin Brust <corwin@bru.st>" imported
gpg: Total number processed: 1
gpg:               imported: 1

PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --verify .\emacs-28.1.zip.sig
gpg: assuming signed data in '.\emacs-28.1.zip'
gpg: Signature made 2022-04-21 4:11:30 PM Eastern Daylight Time
gpg:                using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007
gpg: Good signature from "Corwin Brust <corwin@bru.st>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: ECE7 7CF4 17C7 6C1A CFCE  7C2B 5B61 3551 1580 F007


Regards
Ali
________________________________
From: Eli Zaretskii <eliz@gnu.org>
Sent: May 28, 2022 3:06 PM
To: Ali Elshishini <shishini@outlook.com>
Cc: corwin@bru.st <corwin@bru.st>; larsi@gnus.org <larsi@gnus.org>; 55666@debbugs.gnu.org <55666@debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads

> From: Ali Elshishini <shishini@outlook.com>
> CC: "larsi@gnus.org" <larsi@gnus.org>, "55666@debbugs.gnu.org"
>        <55666@debbugs.gnu.org>
> Date: Sat, 28 May 2022 17:14:26 +0000
>
> Also can you please share your version of this command
>
> gpg --keyserver keyserver.ubuntu.com --recv-keys 17E90D521672C04631B1183EE78DAE0F3115E06B

That's easy: you need to use the correct key signature.  The signature
is shown on the download page:

   ECE7 7CF4 17C7 6C1A CFCE 7C2B 5B61 3551 1580 F007


[-- Attachment #2: Type: text/html, Size: 3606 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-28 19:17             ` Ali Elshishini
@ 2022-05-28 19:27               ` Eli Zaretskii
  2022-05-28 20:31                 ` Ali Elshishini
  0 siblings, 1 reply; 16+ messages in thread
From: Eli Zaretskii @ 2022-05-28 19:27 UTC (permalink / raw)
  To: Ali Elshishini; +Cc: larsi, corwin, 55666

> From: Ali Elshishini <shishini@outlook.com>
> CC: "corwin@bru.st" <corwin@bru.st>, "larsi@gnus.org" <larsi@gnus.org>,
> 	"55666@debbugs.gnu.org" <55666@debbugs.gnu.org>
> Date: Sat, 28 May 2022 19:17:49 +0000
> 
> But again, verifying the signature on windows doesn't seem to instill confidence at all
> Corvwin  doesnt have a certified key 
> I am not a certificate expert, so I dont know how all of this works 
> 
> So,  I still hope Corwin or the Windows Binaries volunteers will still be able to provide 
> SHA-256 hashes 

Hey, I just answered a question you asked, that's all.  I assumed that
if you are asking it, it is important for you to know the answer.





^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-28 19:27               ` Eli Zaretskii
@ 2022-05-28 20:31                 ` Ali Elshishini
  2022-05-28 22:09                   ` Corwin Brust
  0 siblings, 1 reply; 16+ messages in thread
From: Ali Elshishini @ 2022-05-28 20:31 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: larsi@gnus.org, corwin@bru.st, 55666@debbugs.gnu.org

[-- Attachment #1: Type: text/plain, Size: 733 bytes --]

I apologize if it sounded like I am coming out too strong in any way
I really appreciate you taking the time to reply

And I completely understand that neither you or Corwin, have any obligation to fix this issue or enhance the situation

Thanks
Ali
________________________________
From: Eli Zaretskii <eliz@gnu.org>
Sent: May 28, 2022 3:27 PM
To: Ali Elshishini <shishini@outlook.com>
Cc: corwin@bru.st <corwin@bru.st>; larsi@gnus.org <larsi@gnus.org>; 55666@debbugs.gnu.org <55666@debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads



Hey, I just answered a question you asked, that's all.  I assumed that
if you are asking it, it is important for you to know the answer.

[-- Attachment #2: Type: text/html, Size: 1662 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-28 20:31                 ` Ali Elshishini
@ 2022-05-28 22:09                   ` Corwin Brust
  0 siblings, 0 replies; 16+ messages in thread
From: Corwin Brust @ 2022-05-28 22:09 UTC (permalink / raw)
  To: Ali Elshishini; +Cc: Eli Zaretskii, 55666, Lars Ingebrigtsen

[-- Attachment #1: Type: text/plain, Size: 974 bytes --]

Hastily top posting to say ACK and that I'll reply in again when I am at my
computer and will share sha1 sums from my local copies then.

On Sat, May 28, 2022, 15:31 Ali Elshishini <shishini@outlook.com> wrote:

> I apologize if it sounded like I am coming out too strong in any way
> I really appreciate you taking the time to reply
>
> And I completely understand that neither you or Corwin, have any
> obligation to fix this issue or enhance the situation
>
> Thanks
> Ali
> ------------------------------
> *From:* Eli Zaretskii <eliz@gnu.org>
> *Sent:* May 28, 2022 3:27 PM
> *To:* Ali Elshishini <shishini@outlook.com>
> *Cc:* corwin@bru.st <corwin@bru.st>; larsi@gnus.org <larsi@gnus.org>;
> 55666@debbugs.gnu.org <55666@debbugs.gnu.org>
> *Subject:* Re: bug#55666: enhancement request - SHA-256 for emacs
> downloads
>
>
>
> Hey, I just answered a question you asked, that's all.  I assumed that
> if you are asking it, it is important for you to know the answer.
>

[-- Attachment #2: Type: text/html, Size: 2391 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-27 11:46   ` Ali Elshishini
@ 2022-05-29  7:42     ` Corwin Brust
  2022-05-29 17:08       ` Ali Elshishini
  0 siblings, 1 reply; 16+ messages in thread
From: Corwin Brust @ 2022-05-29  7:42 UTC (permalink / raw)
  To: Ali Elshishini; +Cc: Lars Ingebrigtsen, 55666@debbugs.gnu.org

On Fri, May 27, 2022 at 6:46 AM Ali Elshishini <shishini@outlook.com> wrote:
>
> A checksum file (a file containing all checksums) can be included in the ftp folders
> (each folder can have one checksums file for the files it contains)

I think this is a great idea.  If nobody objects, I'll start including
something along these lines with my next upload of Windows binaries
(or maybe sooner, backfilling something for 28.1).

For the moment, you can get SHA1 sums for all (or at least, nearly
all) the binaries I've created from here:

https://corwin.bru.st/emacs-28/README

(The parent folder --which has indexing enabled-- is where I've been
staging my files before uploading to the GNU FTP servers and often
includes other builds that I don't plan to upload.)

If these don't work LMK and I'll regenerate the README file.  I do
have a script for that but it will take a little fooling around to
make it worthly of including on the GNU FTP site (presuming others
agree with me your idea of adding files with SHA1 information to the
FTP folders is a good one).

Thanks for the suggestion.

BTW, you can also get my public key from Savannah by clicking "Download GPG
Key" from my profile page, here:

  https://savannah.gnu.org/users/carlc





^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-29  7:42     ` Corwin Brust
@ 2022-05-29 17:08       ` Ali Elshishini
  2022-05-29 18:53         ` Corwin Brust
  0 siblings, 1 reply; 16+ messages in thread
From: Ali Elshishini @ 2022-05-29 17:08 UTC (permalink / raw)
  To: Corwin Brust; +Cc: Lars Ingebrigtsen, 55666@debbugs.gnu.org

[-- Attachment #1: Type: text/plain, Size: 2108 bytes --]

First sorry for top posting, I am using hotmail/outlook, and dont know how to setup bottom posting
Also honestly, I never really knew about this convention of bottom posting

Second, that a lot Corwin, adding the SHA hashes will be great

Finally, just my 2 cent, SHA1 is to my knowledge is considered obsolete and broken https://en.wikipedia.org/wiki/SHA-1
So I think SHA-256 should be enough, and if you want to can consider SHA-512

Most project I see use SHA-256, and only very few offer or use SHA-512

Thanks
Ali
________________________________
From: Corwin Brust <corwin@bru.st>
Sent: May 29, 2022 3:42 AM
To: Ali Elshishini <shishini@outlook.com>
Cc: Lars Ingebrigtsen <larsi@gnus.org>; 55666@debbugs.gnu.org <55666@debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads

On Fri, May 27, 2022 at 6:46 AM Ali Elshishini <shishini@outlook.com> wrote:
>
> A checksum file (a file containing all checksums) can be included in the ftp folders
> (each folder can have one checksums file for the files it contains)

I think this is a great idea.  If nobody objects, I'll start including
something along these lines with my next upload of Windows binaries
(or maybe sooner, backfilling something for 28.1).

For the moment, you can get SHA1 sums for all (or at least, nearly
all) the binaries I've created from here:

https://corwin.bru.st/emacs-28/README

(The parent folder --which has indexing enabled-- is where I've been
staging my files before uploading to the GNU FTP servers and often
includes other builds that I don't plan to upload.)

If these don't work LMK and I'll regenerate the README file.  I do
have a script for that but it will take a little fooling around to
make it worthly of including on the GNU FTP site (presuming others
agree with me your idea of adding files with SHA1 information to the
FTP folders is a good one).

Thanks for the suggestion.

BTW, you can also get my public key from Savannah by clicking "Download GPG
Key" from my profile page, here:

  https://savannah.gnu.org/users/carlc

[-- Attachment #2: Type: text/html, Size: 4447 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-29 17:08       ` Ali Elshishini
@ 2022-05-29 18:53         ` Corwin Brust
  2022-05-29 19:46           ` Ali Elshishini
  0 siblings, 1 reply; 16+ messages in thread
From: Corwin Brust @ 2022-05-29 18:53 UTC (permalink / raw)
  To: Ali Elshishini; +Cc: Lars Ingebrigtsen, 55666@debbugs.gnu.org

On Sun, May 29, 2022 at 12:08 PM Ali Elshishini <shishini@outlook.com> wrote:
>
> First sorry for top posting, I am using hotmail/outlook, and dont know how to setup bottom posting
> Also honestly, I never really knew about this convention of bottom posting

It's not a problem for me; more of a "netiquette" WRT to mailing
lists, in general.

> Second, that a lot Corwin, adding the SHA hashes will be great

Let see if others voice opinions; if not I'm happy to start doing that.

> Finally, just my 2 cent, SHA1 is to my knowledge is considered obsolete and broken https://en.wikipedia.org/wiki/SHA-1
> So I think SHA-256 should be enough, and if you want to can consider SHA-512

I'm not convinced of any practical benefit to SHA256 (or 512) WRT
verification of data integrity (although I do understand SHA1 isn't
recommended for encryption/cryptographic use-cases.

That said, here are SHA256 sums for the present binaries for Emacs 28.1:

c31fc9e1b48eeb3a50dcc161e4749b304d25e23bf33c287b50bfe9e3f4742577
*emacs-28.1-installer.exe
da25ef9e067d630995c43faf460f991c4d5b2020a0fc02c7a7955069bf977508
*emacs-28.1-no-deps.zip
9006f875255056af0bb318298537f66353806b64eee0c3a593c5862328e685fc *emacs-28.1.zip
9c8c6066a4a1a4f68b44a0158af255ebe8671a5bcd6fb5e9db7fea26b6a3d4eb
*emacs-28.1-DEBUG-installer.exe
659b8281c301ea1c2e03b6bf935f1e488ed4f4d787cb4e7c23fce494193b6525
*emacs-28.1-DEBUG-no-deps.zip
3962e056ef58b32ad9b175a7e2ea3ed6e18c397f4825bb9756bef6e5606b930e
*emacs-28.1-DEBUG.zip
8f963ced4d88c4ed802676f59f2417b660cf8c494bd9bf9fe19bb4ca1be2a940
*emacs-28-deps-mingw-w64-src.zip
ba7e56f76a1d550add33dc4d28bb8e1dcd6d5882cb2be03b30441491873c01d5
*emacs-28-deps.zip

Please do let me know if signatures appear to be a mismatch with what
you have downloaded.





^ permalink raw reply	[flat|nested] 16+ messages in thread

* bug#55666: enhancement request - SHA-256 for emacs downloads
  2022-05-29 18:53         ` Corwin Brust
@ 2022-05-29 19:46           ` Ali Elshishini
  0 siblings, 0 replies; 16+ messages in thread
From: Ali Elshishini @ 2022-05-29 19:46 UTC (permalink / raw)
  To: Corwin Brust; +Cc: Lars Ingebrigtsen, 55666@debbugs.gnu.org

[-- Attachment #1: Type: text/plain, Size: 2512 bytes --]

the hash dont match

PS C:\downloads> Get-FileHash -Algorithm SHA256 .\emacs-28.1.zip | select -ExpandProperty hash | % tolower
0ef568df955fec4721634336585968fe593f3b008fce936a464fb524e5a3f009

Your hash is
9006f875255056af0bb318298537f66353806b64eee0c3a593c5862328e685fc *emacs-28.1.zip

I redownloaded the file from https://ftp.gnu.org/gnu/emacs/windows/emacs-28/
just to be sure

Thanks
Ali

________________________________
From: Corwin Brust <corwin@bru.st>
Sent: May 29, 2022 2:53 PM
To: Ali Elshishini <shishini@outlook.com>
Cc: Lars Ingebrigtsen <larsi@gnus.org>; 55666@debbugs.gnu.org <55666@debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads

On Sun, May 29, 2022 at 12:08 PM Ali Elshishini <shishini@outlook.com> wrote:
>
> First sorry for top posting, I am using hotmail/outlook, and dont know how to setup bottom posting
> Also honestly, I never really knew about this convention of bottom posting

It's not a problem for me; more of a "netiquette" WRT to mailing
lists, in general.

> Second, that a lot Corwin, adding the SHA hashes will be great

Let see if others voice opinions; if not I'm happy to start doing that.

> Finally, just my 2 cent, SHA1 is to my knowledge is considered obsolete and broken https://en.wikipedia.org/wiki/SHA-1
> So I think SHA-256 should be enough, and if you want to can consider SHA-512

I'm not convinced of any practical benefit to SHA256 (or 512) WRT
verification of data integrity (although I do understand SHA1 isn't
recommended for encryption/cryptographic use-cases.

That said, here are SHA256 sums for the present binaries for Emacs 28.1:

c31fc9e1b48eeb3a50dcc161e4749b304d25e23bf33c287b50bfe9e3f4742577
*emacs-28.1-installer.exe
da25ef9e067d630995c43faf460f991c4d5b2020a0fc02c7a7955069bf977508
*emacs-28.1-no-deps.zip
9006f875255056af0bb318298537f66353806b64eee0c3a593c5862328e685fc *emacs-28.1.zip
9c8c6066a4a1a4f68b44a0158af255ebe8671a5bcd6fb5e9db7fea26b6a3d4eb
*emacs-28.1-DEBUG-installer.exe
659b8281c301ea1c2e03b6bf935f1e488ed4f4d787cb4e7c23fce494193b6525
*emacs-28.1-DEBUG-no-deps.zip
3962e056ef58b32ad9b175a7e2ea3ed6e18c397f4825bb9756bef6e5606b930e
*emacs-28.1-DEBUG.zip
8f963ced4d88c4ed802676f59f2417b660cf8c494bd9bf9fe19bb4ca1be2a940
*emacs-28-deps-mingw-w64-src.zip
ba7e56f76a1d550add33dc4d28bb8e1dcd6d5882cb2be03b30441491873c01d5
*emacs-28-deps.zip

Please do let me know if signatures appear to be a mismatch with what
you have downloaded.

[-- Attachment #2: Type: text/html, Size: 4756 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

end of thread, other threads:[~2022-05-29 19:46 UTC | newest]

Thread overview: 16+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-05-26 17:47 bug#55666: enhancement request - SHA-256 for emacs downloads Ali Elshishini
2022-05-27 10:59 ` Lars Ingebrigtsen
2022-05-27 11:46   ` Ali Elshishini
2022-05-29  7:42     ` Corwin Brust
2022-05-29 17:08       ` Ali Elshishini
2022-05-29 18:53         ` Corwin Brust
2022-05-29 19:46           ` Ali Elshishini
2022-05-27 12:28   ` Eli Zaretskii
2022-05-28  0:43     ` Ali Elshishini
2022-05-28  6:15       ` Eli Zaretskii
2022-05-28 17:14         ` Ali Elshishini
2022-05-28 19:06           ` Eli Zaretskii
2022-05-28 19:17             ` Ali Elshishini
2022-05-28 19:27               ` Eli Zaretskii
2022-05-28 20:31                 ` Ali Elshishini
2022-05-28 22:09                   ` Corwin Brust

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).