* [PATCH] build: use sha256sum instead of sha1sum to sign releases
@ 2017-03-02 0:44 David Bremner
2017-03-02 15:10 ` Tomi Ollila
0 siblings, 1 reply; 3+ messages in thread
From: David Bremner @ 2017-03-02 0:44 UTC (permalink / raw)
To: notmuch
SHA1 is weak/broken.
---
Makefile.global | 4 ++--
Makefile.local | 9 ++++-----
2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/Makefile.global b/Makefile.global
index d8f335af..7a78e9b5 100644
--- a/Makefile.global
+++ b/Makefile.global
@@ -43,8 +43,8 @@ RELEASE_URL=https://notmuchmail.org/releases
TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
-SHA1_FILE=$(TAR_FILE).sha1
-GPG_FILE=$(SHA1_FILE).asc
+SHA256_FILE=$(TAR_FILE).sha256
+GPG_FILE=$(SHA256_FILE).asc
PV_FILE=bindings/python/notmuch/version.py
diff --git a/Makefile.local b/Makefile.local
index 3548ed96..d2ef3e08 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -36,12 +36,11 @@ $(TAR_FILE):
gzip < $(TAR_FILE).tmp > $(TAR_FILE)
@echo "Source is ready for release in $(TAR_FILE)"
-$(SHA1_FILE): $(TAR_FILE)
- sha1sum $^ > $@
+$(SHA256_FILE): $(TAR_FILE)
+ sha256sum $^ > $@
-$(GPG_FILE): $(SHA1_FILE)
- @echo "Please enter your GPG password to sign the checksum."
- gpg --armor --sign $^
+$(GPG_FILE): $(SHA256_FILE)
+ gpg --armor --sign $^
.PHONY: dist
dist: $(TAR_FILE)
--
2.11.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] build: use sha256sum instead of sha1sum to sign releases
2017-03-02 0:44 [PATCH] build: use sha256sum instead of sha1sum to sign releases David Bremner
@ 2017-03-02 15:10 ` Tomi Ollila
2017-03-02 21:37 ` David Bremner
0 siblings, 1 reply; 3+ messages in thread
From: Tomi Ollila @ 2017-03-02 15:10 UTC (permalink / raw)
To: David Bremner, notmuch
On Thu, Mar 02 2017, David Bremner <david@tethera.net> wrote:
> SHA1 is weak/broken.
> ---
I'd just have 'build: use sha256sum instead of sha1sum to sign releases'
as a commit message.
Anyway, LGTM.
Tomi
PS: this is sha-2 256 -- that makes me wonder what will be the file suffix
for sha-3 256 (or for any other bits...)
> Makefile.global | 4 ++--
> Makefile.local | 9 ++++-----
> 2 files changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/Makefile.global b/Makefile.global
> index d8f335af..7a78e9b5 100644
> --- a/Makefile.global
> +++ b/Makefile.global
> @@ -43,8 +43,8 @@ RELEASE_URL=https://notmuchmail.org/releases
> TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
> ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
> DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
> -SHA1_FILE=$(TAR_FILE).sha1
> -GPG_FILE=$(SHA1_FILE).asc
> +SHA256_FILE=$(TAR_FILE).sha256
> +GPG_FILE=$(SHA256_FILE).asc
>
> PV_FILE=bindings/python/notmuch/version.py
>
> diff --git a/Makefile.local b/Makefile.local
> index 3548ed96..d2ef3e08 100644
> --- a/Makefile.local
> +++ b/Makefile.local
> @@ -36,12 +36,11 @@ $(TAR_FILE):
> gzip < $(TAR_FILE).tmp > $(TAR_FILE)
> @echo "Source is ready for release in $(TAR_FILE)"
>
> -$(SHA1_FILE): $(TAR_FILE)
> - sha1sum $^ > $@
> +$(SHA256_FILE): $(TAR_FILE)
> + sha256sum $^ > $@
>
> -$(GPG_FILE): $(SHA1_FILE)
> - @echo "Please enter your GPG password to sign the checksum."
> - gpg --armor --sign $^
> +$(GPG_FILE): $(SHA256_FILE)
> + gpg --armor --sign $^
>
> .PHONY: dist
> dist: $(TAR_FILE)
> --
> 2.11.0
>
> _______________________________________________
> notmuch mailing list
> notmuch@notmuchmail.org
> https://notmuchmail.org/mailman/listinfo/notmuch
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] build: use sha256sum instead of sha1sum to sign releases
2017-03-02 15:10 ` Tomi Ollila
@ 2017-03-02 21:37 ` David Bremner
0 siblings, 0 replies; 3+ messages in thread
From: David Bremner @ 2017-03-02 21:37 UTC (permalink / raw)
To: Tomi Ollila, notmuch
Tomi Ollila <tomi.ollila@iki.fi> writes:
> On Thu, Mar 02 2017, David Bremner <david@tethera.net> wrote:
>
>> SHA1 is weak/broken.
>> ---
>
> I'd just have 'build: use sha256sum instead of sha1sum to sign releases'
> as a commit message.
>
Sure, I don't mind; the editorializing doesn't really add much.
pushed to master
d
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-03-02 21:37 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-03-02 0:44 [PATCH] build: use sha256sum instead of sha1sum to sign releases David Bremner
2017-03-02 15:10 ` Tomi Ollila
2017-03-02 21:37 ` David Bremner
Code repositories for project(s) associated with this public inbox
https://yhetil.org/notmuch.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).