From: David Bremner
To: notmuch@notmuchmail.org
Subject: [PATCH] build: use sha256sum instead of sha1sum to sign releases
Date: Wed, 1 Mar 2017 20:44:47 -0400
Message-Id: <20170302004447.26232-1-david@tethera.net>
List-Id: "Use and development of the notmuch mail system."

SHA1 is weak/broken.

--- Makefile.global | 4 ++-- Makefile.local | 9 ++++----- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/Makefile.global b/Makefile.global index d8f335af..7a78e9b5 100644 --- a/Makefile.global +++ b/Makefile.global 
@@ -43,8 +43,8 @@ RELEASE_URL=https://notmuchmail.org/releases TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz -SHA1_FILE=$(TAR_FILE).sha1 -GPG_FILE=$(SHA1_FILE).asc +SHA256_FILE=$(TAR_FILE).sha256 +GPG_FILE=$(SHA256_FILE).asc PV_FILE=bindings/python/notmuch/version.py diff --git a/Makefile.local b/Makefile.local index 3548ed96..d2ef3e08 100644 --- a/Makefile.local +++ b/Makefile.local @@ -36,12 +36,11 @@ $(TAR_FILE): gzip < $(TAR_FILE).tmp > $(TAR_FILE) @echo "Source is ready for release in $(TAR_FILE)" -$(SHA1_FILE): $(TAR_FILE) - sha1sum $^ > $@ +$(SHA256_FILE): $(TAR_FILE) + sha256sum $^ > $@ -$(GPG_FILE): $(SHA1_FILE) - @echo "Please enter your GPG password to sign the checksum." - gpg --armor --sign $^ +$(GPG_FILE): $(SHA256_FILE) + gpg --armor --sign $^ .PHONY: dist dist: $(TAR_FILE) -- 2.11.0
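Review bot: The rename of SHA1_FILE to SHA256_FILE in the Makefile.global hunk also changes the names of the generated release files, from $(TAR_FILE).sha1 and $(TAR_FILE).sha1.asc to $(TAR_FILE).sha256 and $(TAR_FILE).sha256.asc, and the commit message does not say so. Anything that looks for the old .sha1 or .sha1.asc names to verify a tarball will stop finding them, so the new names are worth stating in the commit message. The diffstat touches only Makefile.global and Makefile.local; please confirm that no other rule, script or web page still refers to $(SHA1_FILE), because an undefined make variable expands silently to an empty string rather than failing.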
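Review bot: In the Makefile.local hunk the $(GPG_FILE) rule still runs "gpg --armor --sign $^" without pinning a digest, so the hash used inside the OpenPGP signature is whatever the release signer's gpg defaults or gpg.conf select, and may still be SHA-1 even though the signed file now holds a SHA-256 checksum. Consider adding "--digest-algo SHA256" to that command, or say in the commit message that the signer's configuration is relied on. The same hunk also drops the "Please enter your GPG password to sign the checksum." echo, which the commit message does not mention; either note it there or split it into its own patch.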