Posted to commits@mesos.apache.org by bb...@apache.org on 2018/03/12 09:42:53 UTC
[3/3] mesos git commit: Used SHA512 for release file checksums.
Used SHA512 for release file checksums.
Apache now requires SHA checksum files instead of the previously
required MD5, see the [signing recommendations](1). This patch updates
the Mesos vote and release tooling to accommodate that change in
policy. We use SHA512 as recommended in the [Apache SHA checksum
FAQ](2).
We also fix the format of the produced digest file to be compatible
with `sha512sum` to ease automatic release verification.
[1]: http://www.apache.org/dev/release-distribution#sigs-and-sums
[2]: http://www.apache.org/dev/release-signing#sha-checksum
Review: https://reviews.apache.org/r/65905/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/5e8572e4
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/5e8572e4
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/5e8572e4
Branch: refs/heads/1.3.x
Commit: 5e8572e4b9e585a96f566368342775b53e6deecf
Parents: 487c41f
Author: Benjamin Bannier <be...@mesosphere.io>
Authored: Mon Mar 12 09:55:05 2018 +0100
Committer: Benjamin Bannier <bb...@apache.org>
Committed: Mon Mar 12 10:41:32 2018 +0100
----------------------------------------------------------------------
support/release.sh | 2 +-
support/vote.sh | 19 ++++++++++++-------
2 files changed, 13 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/5e8572e4/support/release.sh
----------------------------------------------------------------------
diff --git a/support/release.sh b/support/release.sh
index 725bee6..df62432 100755
--- a/support/release.sh
+++ b/support/release.sh
@@ -43,7 +43,7 @@ echo "${GREEN}Checking out svn release repo ...${NORMAL}"
svn co --depth=empty ${SVN_RELEASE_REPO} ${SVN_RELEASE_LOCAL}
echo "${GREEN}Uploading the artifacts (the distribution," \
- "signature, and MD5) to the release repo ${NORMAL}"
+ "signature, and checksum) to the release repo ${NORMAL}"
mv ${TAG} ${SVN_RELEASE_LOCAL}/${VERSION}
http://git-wip-us.apache.org/repos/asf/mesos/blob/5e8572e4/support/vote.sh
----------------------------------------------------------------------
diff --git a/support/vote.sh b/support/vote.sh
index 98643a1..eed4b37 100755
--- a/support/vote.sh
+++ b/support/vote.sh
@@ -19,6 +19,11 @@ VERSION=${1}
CANDIDATE=${2}
TAG="${VERSION}-rc${CANDIDATE}"
+# Releases are signed with `sha512sum` which is installed as
+# `gsha512sum` from Homebrew's `coreutils` package.
+echo "Checking for sha512sum or gsha512sum"
+SHA512SUM=$(command -v sha512sum || command -v gsha512sum)
+
echo "${GREEN}Voting for mesos-${VERSION} candidate ${CANDIDATE}${NORMAL}"
read -p "Hit enter to continue ... "
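Review bot: the `SHA512SUM=$(command -v sha512sum || command -v gsha512sum)` assignment is missing a check for the case where neither tool is installed. `SHA512SUM` is then empty and the script carries on to the prompt; the problem only surfaces at the checksum step further down, after the tarball has already been signed. Suggest failing here, for example by testing `[ -z "${SHA512SUM}" ]` and exiting with a message that names both candidates. Separately, the new comment says releases are "signed" with `sha512sum`; the tool only computes a digest and the signature comes from `gpg`, so "checksummed" would be accurate. The new `echo` is also the only status line in this hunk without the `${GREEN}`/`${NORMAL}` wrapping.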
@@ -75,10 +80,10 @@ echo "${GREEN}Signing the distribution ...${NORMAL}"
# Sign the tarball.
gpg --armor --output ${TARBALL}.asc --detach-sig ${TARBALL}
-echo "${GREEN}Creating a MD5 checksum...${NORMAL}"
+echo "${GREEN}Creating a SHA512 checksum ...${NORMAL}"
-# Create MD5 checksum.
-gpg --print-md MD5 ${TARBALL} > ${TARBALL}.md5
+# Create SHA512 checksum.
+"${SHA512SUM}" ${TARBALL} > ${TARBALL}.sha512
SVN_DEV_REPO="https://dist.apache.org/repos/dist/dev/mesos"
SVN_DEV_LOCAL="${WORK_DIR}/dev"
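Review bot: nothing verifies the file produced by `"${SHA512SUM}" ${TARBALL} > ${TARBALL}.sha512`. The redirect creates `${TARBALL}.sha512` even when the command itself fails, and the digest line records the file name exactly as it was passed, so the `sha512sum` compatibility the commit message aims for only holds for downloaders if `${TARBALL}` is a bare file name at this point. Suggest running `"${SHA512SUM}" -c ${TARBALL}.sha512` directly after this line and aborting on a non-zero status, so an empty or malformed digest file never reaches the upload step. Minor: `${TARBALL}` is unquoted on the same line where `"${SHA512SUM}"` is quoted.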
@@ -90,11 +95,11 @@ echo "${GREEN}Checking out svn dev repo ...${NORMAL}"
svn co --depth=empty ${SVN_DEV_REPO} ${SVN_DEV_LOCAL}
echo "${GREEN}Uploading the artifacts (the distribution," \
- "signature, and MD5) ...${NORMAL}"
+ "signature, and checksum) ...${NORMAL}"
RELEASE_DIRECTORY="${SVN_DEV_LOCAL}/${TAG}"
mkdir ${RELEASE_DIRECTORY}
-mv ${TARBALL} ${TARBALL}.asc ${TARBALL}.md5 ${RELEASE_DIRECTORY}
+mv ${TARBALL} ${TARBALL}.asc ${TARBALL}.sha512 ${RELEASE_DIRECTORY}
popd # build
popd # mesos
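Review bot: style point on the changed `mv ${TARBALL} ${TARBALL}.asc ${TARBALL}.sha512 ${RELEASE_DIRECTORY}` line: every expansion is unquoted, and `RELEASE_DIRECTORY` is derived from `${WORK_DIR}` via `SVN_DEV_LOCAL`, so a work directory containing whitespace would split the destination argument. Since the line is being touched anyway, quoting all four arguments (and the `mkdir ${RELEASE_DIRECTORY}` above it) would match the quoting this patch already uses for `"${SHA512SUM}"`.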
@@ -135,8 +140,8 @@ ${SVN_DEV_REPO}/${TAG}/${TARBALL}
The tag to be voted on is ${TAG}:
https://git-wip-us.apache.org/repos/asf?p=mesos.git;a=commit;h=${TAG}
-The MD5 checksum of the tarball can be found at:
-${SVN_DEV_REPO}/${TAG}/${TARBALL}.md5
+The SHA512 checksum of the tarball can be found at:
+${SVN_DEV_REPO}/${TAG}/${TARBALL}.sha512
The signature of the tarball can be found at:
${SVN_DEV_REPO}/${TAG}/${TARBALL}.asc
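Review bot: the vote e-mail text at `The SHA512 checksum of the tarball can be found at:` is missing any hint on how voters should use the file. Since the commit message states the digest format is now compatible with `sha512sum`, consider adding one line to the template telling voters to download the tarball and the `.sha512` file into the same directory and run `sha512sum -c` on the latter. Because the checksum is served from the same `${SVN_DEV_REPO}/${TAG}/` location as the tarball, it only detects corruption in transit or storage; listing the `.asc` signature before the checksum in the template would make clear which of the two authenticates the release.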