Posted to commits@mesos.apache.org by bb...@apache.org on 2018/03/12 09:42:52 UTC

[2/3] mesos git commit: Used SHA512 for release file checksums.

Used SHA512 for release file checksums.

Apache now requires SHA checksum files instead of the previously
required MD5, see the [signing recommendations](1). This patch updates
the Mesos vote and release tooling to accommodate that change in
policy. We use SHA512 as recommended in the [Apache SHA checksum
FAQ](2).

We also fix the format of the produced digest file to be compatible
with `sha512sum` to ease automatic release verification.

[1]: http://www.apache.org/dev/release-distribution#sigs-and-sums
[2]: http://www.apache.org/dev/release-signing#sha-checksum

Review: https://reviews.apache.org/r/65905/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/dcd98531
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/dcd98531
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/dcd98531

Branch: refs/heads/1.4.x
Commit: dcd98531dd4185833e9be9245d9261fad098ee64
Parents: 84c9700
Author: Benjamin Bannier <be...@mesosphere.io>
Authored: Mon Mar 12 09:55:05 2018 +0100
Committer: Benjamin Bannier <bb...@apache.org>
Committed: Mon Mar 12 10:40:19 2018 +0100

----------------------------------------------------------------------
 support/release.sh |  2 +-
 support/vote.sh    | 19 ++++++++++++-------
 2 files changed, 13 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/dcd98531/support/release.sh
----------------------------------------------------------------------
diff --git a/support/release.sh b/support/release.sh
index 725bee6..df62432 100755
--- a/support/release.sh
+++ b/support/release.sh
@@ -43,7 +43,7 @@ echo "${GREEN}Checking out svn release repo ...${NORMAL}"
 svn co --depth=empty ${SVN_RELEASE_REPO} ${SVN_RELEASE_LOCAL}
 
 echo "${GREEN}Uploading the artifacts (the distribution," \
-  "signature, and MD5) to the release repo ${NORMAL}"
+  "signature, and checksum) to the release repo ${NORMAL}"
 
 mv ${TAG} ${SVN_RELEASE_LOCAL}/${VERSION}
 

http://git-wip-us.apache.org/repos/asf/mesos/blob/dcd98531/support/vote.sh
----------------------------------------------------------------------
diff --git a/support/vote.sh b/support/vote.sh
index 98643a1..eed4b37 100755
--- a/support/vote.sh
+++ b/support/vote.sh
@@ -19,6 +19,11 @@ VERSION=${1}
 CANDIDATE=${2}
 TAG="${VERSION}-rc${CANDIDATE}"
 
+# Releases are signed with `sha512sum` which is installed as
+# `gsha512sum` from Homebrew's `coreutils` package.
+echo "Checking for sha512sum or gsha512sum"
+SHA512SUM=$(command -v sha512sum || command -v gsha512sum)
+
 echo "${GREEN}Voting for mesos-${VERSION} candidate ${CANDIDATE}${NORMAL}"
 
 read -p "Hit enter to continue ... "
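Review bot: The lookup `SHA512SUM=$(command -v sha512sum || command -v gsha512sum)` has no failure path in this hunk, so when neither tool is installed the variable is empty and the script carries on to the prompt. Unless `set -e` is active above the hunk (not visible here), the later `"${SHA512SUM}" ${TARBALL} > ${TARBALL}.sha512` in the next hunk would fail only after the tarball has been built and signed, and the redirection would still leave an empty `.sha512` file for the following `mv` to upload. I would fail early, e.g. `SHA512SUM=$(command -v sha512sum || command -v gsha512sum) || { echo "sha512sum or gsha512sum is required" >&2; exit 1; }`. The added comment should also say the release is checksummed, not signed, with `sha512sum`; the signature comes from the `gpg --detach-sig` step.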
@@ -75,10 +80,10 @@ echo "${GREEN}Signing the distribution ...${NORMAL}"
 # Sign the tarball.
 gpg --armor --output ${TARBALL}.asc --detach-sig ${TARBALL}
 
-echo "${GREEN}Creating a MD5 checksum...${NORMAL}"
+echo "${GREEN}Creating a SHA512 checksum ...${NORMAL}"
 
-# Create MD5 checksum.
-gpg --print-md MD5 ${TARBALL} > ${TARBALL}.md5
+# Create SHA512 checksum.
+"${SHA512SUM}" ${TARBALL} > ${TARBALL}.sha512
 
 SVN_DEV_REPO="https://dist.apache.org/repos/dist/dev/mesos"
 SVN_DEV_LOCAL="${WORK_DIR}/dev"
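Review bot: The new `.sha512` file is never read back before upload, so a digest file that is empty or not in the format `sha512sum` expects would reach the dev repo unnoticed. Since the stated goal is automatic release verification, a round-trip check right after the file is written would catch that: `"${SHA512SUM}" -c "${TARBALL}.sha512"`. This assumes `${TARBALL}` is a bare file name in the current directory, which the later `popd # build` suggests but this hunk does not show. Quoting `${TARBALL}` on the new line would also be safer.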
@@ -90,11 +95,11 @@ echo "${GREEN}Checking out svn dev repo ...${NORMAL}"
 svn co --depth=empty ${SVN_DEV_REPO} ${SVN_DEV_LOCAL}
 
 echo "${GREEN}Uploading the artifacts (the distribution," \
-  "signature, and MD5) ...${NORMAL}"
+  "signature, and checksum) ...${NORMAL}"
 
 RELEASE_DIRECTORY="${SVN_DEV_LOCAL}/${TAG}"
 mkdir ${RELEASE_DIRECTORY}
-mv ${TARBALL} ${TARBALL}.asc ${TARBALL}.md5 ${RELEASE_DIRECTORY}
+mv ${TARBALL} ${TARBALL}.asc ${TARBALL}.sha512 ${RELEASE_DIRECTORY}
 
 popd # build
 popd # mesos
@@ -135,8 +140,8 @@ ${SVN_DEV_REPO}/${TAG}/${TARBALL}
 The tag to be voted on is ${TAG}:
 https://git-wip-us.apache.org/repos/asf?p=mesos.git;a=commit;h=${TAG}
 
-The MD5 checksum of the tarball can be found at:
-${SVN_DEV_REPO}/${TAG}/${TARBALL}.md5
+The SHA512 checksum of the tarball can be found at:
+${SVN_DEV_REPO}/${TAG}/${TARBALL}.sha512
 
 The signature of the tarball can be found at:
 ${SVN_DEV_REPO}/${TAG}/${TARBALL}.asc