You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cloudstack.apache.org by Darren Shepherd <da...@gmail.com> on 2013/10/18 04:56:59 UTC
how to use hashes on c.a.o?
The hashes that are on c.a.o for the releases have a format like
http://www.apache.org/dist/cloudstack/releases/4.2.0/apache-cloudstack-4.2.0-src.tar.bz2.sha
apache-cloudstack-4.2.0-src.tar.bz2: CC487DF3 7E7B6800 F9DC05A3 5B72DEFD
684E0094 F1666F57 5D694916 CF74ED98
9D7CDF35 4021D3C5 8BFD4BB9 39AB02CD
EA82D42C 78880EDB 04F2532A 61376537
I've never seen this. Is this some hip new format I'm not aware of,
and I'm the uncool kid still using GNU coreutils?
Darren
Re: how to use hashes on c.a.o?
Posted by Chip Childers <ch...@gmail.com>.
Yeah, we can make this change IMO.
Darren, note that my sungard.com address no longer finds me. Please use my a.o or gmail.c address. ;)
> On Oct 24, 2013, at 5:43 PM, Darren Shepherd <da...@gmail.com> wrote:
>
> Chip,
>
> Do you care if we switch to GNU coreutils format for the hashes? The
> hash value is the same it will just be in the format like
>
> file.tbz2 *12b12341b1234b1234b1b2341b234b
>
> And then you just run "sha512sum -c <FILE>"
>
> Darren
>
>> On Thu, Oct 24, 2013 at 2:34 PM, John Kinsella <jl...@stratosec.co> wrote:
>> Instructions for testing the hash are in the release test page [1]. It is also documented in the install guide.
>>
>> It is the way it is I believe because Chip took the release build script from CouchDB, as mentioned in the release build page.
>>
>> 1: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+test+procedure
>>
>> On Oct 24, 2013, at 12:53 AM, Darren Shepherd <da...@gmail.com>> wrote:
>>
>> But how does one validate it? I just wrote a dumb script to
>> concatenation, remove whitespace, lowercase and then pass to
>> "sha512sum -c." I've never seen anyone provide SHAs in that format.
>> I wouldn't expect many people to know how to use them. Why can't we
>> use the good old GNU coreutils style?
>>
>> Darren
>>
>> On Wed, Oct 23, 2013 at 7:14 PM, John Kinsella <jl...@stratosec.co>> wrote:
>> This is the output of gpg -v --print-md SHA512, generated as part of the release procedure [1] by tools/build/build_asf.sh
>>
>> 1: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+Procedure
>>
>>
>> On Oct 17, 2013, at 7:56 PM, Darren Shepherd <da...@gmail.com>> wrote:
>>
>> The hashes that are on c.a.o for the releases have a format like
>>
>> http://www.apache.org/dist/cloudstack/releases/4.2.0/apache-cloudstack-4.2.0-src.tar.bz2.sha
>>
>> apache-cloudstack-4.2.0-src.tar.bz2: CC487DF3 7E7B6800 F9DC05A3 5B72DEFD
>> 684E0094 F1666F57 5D694916 CF74ED98
>> 9D7CDF35 4021D3C5 8BFD4BB9 39AB02CD
>> EA82D42C 78880EDB 04F2532A 61376537
>>
>> I've never seen this. Is this some hip new format I'm not aware of,
>> and I'm the uncool kid still using GNU coreutils?
>>
>> Darren
>>
>>
>>
>>
>> Stratosec<http://stratosec.co/> - Compliance as a Service
>> o: 415.315.9385
>> @johnlkinsella<http://twitter.com/johnlkinsella>
>>
Re: how to use hashes on c.a.o?
Posted by Darren Shepherd <da...@gmail.com>.
> Is there a reason not to verify authenticity and validity of the
> tarball with the gpg sig?
Nope, just laziness.
Darren
Re: how to use hashes on c.a.o?
Posted by David Nalley <da...@gnsa.us>.
On Thu, Oct 24, 2013 at 6:12 PM, Darren Shepherd
<da...@gmail.com> wrote:
> I ran into the issue while trying to write scripts to get CloudStack
> in docker. Here's my hack-tastic work around
>
> HASH=$(echo $(wget -O - -q
> http://www.apache.org/dist/cloudstack/releases/4.2.0/apache-cloudstack-4.2.0-src.tar.bz2.sha
> |\
> cut -f2 -d: ) | sed 's/ //g' | tr '[:upper:]' '[:lower:]')
>
> Darren
>
Is there a reason not to verify authenticity and validity of the
tarball with the gpg sig?
gpg --import KEYS
gpg --verify acs.tar.bz2.asc
I think that's what I am currently defaulting to.
Re: how to use hashes on c.a.o?
Posted by Darren Shepherd <da...@gmail.com>.
I ran into the issue while trying to write scripts to get CloudStack
in docker. Here's my hack-tastic work around
HASH=$(echo $(wget -O - -q
http://www.apache.org/dist/cloudstack/releases/4.2.0/apache-cloudstack-4.2.0-src.tar.bz2.sha
|\
cut -f2 -d: ) | sed 's/ //g' | tr '[:upper:]' '[:lower:]')
Darren
On Thu, Oct 24, 2013 at 3:05 PM, David Nalley <da...@gnsa.us> wrote:
> On Thu, Oct 24, 2013 at 5:43 PM, Darren Shepherd
> <da...@gmail.com> wrote:
>> Chip,
>>
>> Do you care if we switch to GNU coreutils format for the hashes? The
>> hash value is the same it will just be in the format like
>>
>> file.tbz2 *12b12341b1234b1234b1b2341b234b
>>
>> And then you just run "sha512sum -c <FILE>"
>>
>> Darren
>>
>
> I just ran into this problem writing an ansible playbook to build RPM
> packages. md5sum -c and sha256sum -c don't seem to work with the
> format that we provide which seems odd.
>
> Incidentally the download page no longer has the documentation for
> verifying hashes.
>
> --David
Re: how to use hashes on c.a.o?
Posted by David Nalley <da...@gnsa.us>.
On Thu, Oct 24, 2013 at 5:43 PM, Darren Shepherd
<da...@gmail.com> wrote:
> Chip,
>
> Do you care if we switch to GNU coreutils format for the hashes? The
> hash value is the same it will just be in the format like
>
> file.tbz2 *12b12341b1234b1234b1b2341b234b
>
> And then you just run "sha512sum -c <FILE>"
>
> Darren
>
I just ran into this problem writing an ansible playbook to build RPM
packages. md5sum -c and sha256sum -c don't seem to work with the
format that we provide which seems odd.
Incidentally the download page no longer has the documentation for
verifying hashes.
--David
Re: how to use hashes on c.a.o?
Posted by Darren Shepherd <da...@gmail.com>.
Chip,
Do you care if we switch to GNU coreutils format for the hashes? The
hash value is the same it will just be in the format like
file.tbz2 *12b12341b1234b1234b1b2341b234b
And then you just run "sha512sum -c <FILE>"
Darren
On Thu, Oct 24, 2013 at 2:34 PM, John Kinsella <jl...@stratosec.co> wrote:
> Instructions for testing the hash are in the release test page [1]. It is also documented in the install guide.
>
> It is the way it is I believe because Chip took the release build script from CouchDB, as mentioned in the release build page.
>
> 1: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+test+procedure
>
> On Oct 24, 2013, at 12:53 AM, Darren Shepherd <da...@gmail.com>> wrote:
>
> But how does one validate it? I just wrote a dumb script to
> concatenation, remove whitespace, lowercase and then pass to
> "sha512sum -c." I've never seen anyone provide SHAs in that format.
> I wouldn't expect many people to know how to use them. Why can't we
> use the good old GNU coreutils style?
>
> Darren
>
> On Wed, Oct 23, 2013 at 7:14 PM, John Kinsella <jl...@stratosec.co>> wrote:
> This is the output of gpg -v --print-md SHA512, generated as part of the release procedure [1] by tools/build/build_asf.sh
>
> 1: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+Procedure
>
>
> On Oct 17, 2013, at 7:56 PM, Darren Shepherd <da...@gmail.com>> wrote:
>
> The hashes that are on c.a.o for the releases have a format like
>
> http://www.apache.org/dist/cloudstack/releases/4.2.0/apache-cloudstack-4.2.0-src.tar.bz2.sha
>
> apache-cloudstack-4.2.0-src.tar.bz2: CC487DF3 7E7B6800 F9DC05A3 5B72DEFD
> 684E0094 F1666F57 5D694916 CF74ED98
> 9D7CDF35 4021D3C5 8BFD4BB9 39AB02CD
> EA82D42C 78880EDB 04F2532A 61376537
>
> I've never seen this. Is this some hip new format I'm not aware of,
> and I'm the uncool kid still using GNU coreutils?
>
> Darren
>
>
>
>
> Stratosec<http://stratosec.co/> - Compliance as a Service
> o: 415.315.9385
> @johnlkinsella<http://twitter.com/johnlkinsella>
>
Re: how to use hashes on c.a.o?
Posted by John Kinsella <jl...@stratosec.co>.
Instructions for testing the hash are in the release test page [1]. It is also documented in the install guide.
It is the way it is I believe because Chip took the release build script from CouchDB, as mentioned in the release build page.
1: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+test+procedure
On Oct 24, 2013, at 12:53 AM, Darren Shepherd <da...@gmail.com>> wrote:
But how does one validate it? I just wrote a dumb script to
concatenation, remove whitespace, lowercase and then pass to
"sha512sum -c." I've never seen anyone provide SHAs in that format.
I wouldn't expect many people to know how to use them. Why can't we
use the good old GNU coreutils style?
Darren
On Wed, Oct 23, 2013 at 7:14 PM, John Kinsella <jl...@stratosec.co>> wrote:
This is the output of gpg -v --print-md SHA512, generated as part of the release procedure [1] by tools/build/build_asf.sh
1: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+Procedure
On Oct 17, 2013, at 7:56 PM, Darren Shepherd <da...@gmail.com>> wrote:
The hashes that are on c.a.o for the releases have a format like
http://www.apache.org/dist/cloudstack/releases/4.2.0/apache-cloudstack-4.2.0-src.tar.bz2.sha
apache-cloudstack-4.2.0-src.tar.bz2: CC487DF3 7E7B6800 F9DC05A3 5B72DEFD
684E0094 F1666F57 5D694916 CF74ED98
9D7CDF35 4021D3C5 8BFD4BB9 39AB02CD
EA82D42C 78880EDB 04F2532A 61376537
I've never seen this. Is this some hip new format I'm not aware of,
and I'm the uncool kid still using GNU coreutils?
Darren
Stratosec<http://stratosec.co/> - Compliance as a Service
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>
Re: how to use hashes on c.a.o?
Posted by Darren Shepherd <da...@gmail.com>.
But how does one validate it? I just wrote a dumb script to
concatenation, remove whitespace, lowercase and then pass to
"sha512sum -c." I've never seen anyone provide SHAs in that format.
I wouldn't expect many people to know how to use them. Why can't we
use the good old GNU coreutils style?
Darren
On Wed, Oct 23, 2013 at 7:14 PM, John Kinsella <jl...@stratosec.co> wrote:
> This is the output of gpg -v --print-md SHA512, generated as part of the release procedure [1] by tools/build/build_asf.sh
>
> 1: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+Procedure
>
>
> On Oct 17, 2013, at 7:56 PM, Darren Shepherd <da...@gmail.com> wrote:
>
>> The hashes that are on c.a.o for the releases have a format like
>>
>> http://www.apache.org/dist/cloudstack/releases/4.2.0/apache-cloudstack-4.2.0-src.tar.bz2.sha
>>
>> apache-cloudstack-4.2.0-src.tar.bz2: CC487DF3 7E7B6800 F9DC05A3 5B72DEFD
>> 684E0094 F1666F57 5D694916 CF74ED98
>> 9D7CDF35 4021D3C5 8BFD4BB9 39AB02CD
>> EA82D42C 78880EDB 04F2532A 61376537
>>
>> I've never seen this. Is this some hip new format I'm not aware of,
>> and I'm the uncool kid still using GNU coreutils?
>>
>> Darren
>
>
>
Re: how to use hashes on c.a.o?
Posted by John Kinsella <jl...@stratosec.co>.
This is the output of gpg -v --print-md SHA512, generated as part of the release procedure [1] by tools/build/build_asf.sh
1: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+Procedure
On Oct 17, 2013, at 7:56 PM, Darren Shepherd <da...@gmail.com> wrote:
> The hashes that are on c.a.o for the releases have a format like
>
> http://www.apache.org/dist/cloudstack/releases/4.2.0/apache-cloudstack-4.2.0-src.tar.bz2.sha
>
> apache-cloudstack-4.2.0-src.tar.bz2: CC487DF3 7E7B6800 F9DC05A3 5B72DEFD
> 684E0094 F1666F57 5D694916 CF74ED98
> 9D7CDF35 4021D3C5 8BFD4BB9 39AB02CD
> EA82D42C 78880EDB 04F2532A 61376537
>
> I've never seen this. Is this some hip new format I'm not aware of,
> and I'm the uncool kid still using GNU coreutils?
>
> Darren