Posted to dev@wicket.apache.org by Maxim Solodovnik <so...@gmail.com> on 2015/10/20 06:38:55 UTC

MD5 SHA1 signatures testing

Hello,

could you please tell me how you are checking md5, sha1 sums, because I'm
getting:

sha1sum -c apache-wicket-7.1.0.tar.gz
sha1sum: apache-wicket-7.1.0.tar.gz: *no properly formatted SHA1 checksum
lines found*

md5sum -c apache-wicket-7.1.0.tar.gz
md5sum: apache-wicket-7.1.0.tar.gz: *no properly formatted MD5 checksum
lines found*

Additionally the "VOTE" email states: "Distributions, changelog, keys and
signatures can be found at:", but actually *keys* are not there :(

Thanks in advance


-- 
WBR
Maxim aka solomax

Re: MD5 SHA1 signatures testing

Posted by Maxim Solodovnik <so...@gmail.com>.
Thanks Martin!

It will help to automate the test
and I'll update the build for our project to reflect this :)

On Tue, Oct 20, 2015 at 1:33 PM, Martin Grigorov <mg...@apache.org>
wrote:

> Hi,
>
> I think the problem comes from:
> gpg --print-md SHA1 target/dist/apache-wicket-$version.tar.gz > target/dist/apache-wicket-$version.tar.gz.sha
>
> It would be better to use "sha256sum target/dist/apache-wicket-$version.tar.gz > target/dist/apache-wicket-$version.tar.gz.sha" instead (for 7.2.0).
> This way it would be SHA2.
> And also I think there is no need for MD5. md5sum's man page says that it is
> deprecated and SHA2 should be preferred:
>
> BUGS
>        The MD5 algorithm should not be used any more for security related
>        purposes. Instead, better use an SHA-2 algorithm, implemented in the
>        programs sha224sum(1), sha256sum(1), sha384sum(1), sha512sum(1)
>
>
> * These commands are on my Ubuntu, but looking on the web it seems they are
> also available on MacOS.
>
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>



-- 
WBR
Maxim aka solomax

Re: MD5 SHA1 signatures testing

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

I think the problem comes from:
gpg --print-md SHA1 target/dist/apache-wicket-$version.tar.gz > target/dist/apache-wicket-$version.tar.gz.sha

It would be better to use "sha256sum target/dist/apache-wicket-$version.tar.gz > target/dist/apache-wicket-$version.tar.gz.sha" instead (for 7.2.0).
This way it would be SHA2.
And also I think there is no need for MD5. md5sum's man page says that it is
deprecated and SHA2 should be preferred:

BUGS
       The MD5 algorithm should not be used any more for security related
       purposes. Instead, better use an SHA-2 algorithm, implemented in the
       programs sha224sum(1), sha256sum(1), sha384sum(1), sha512sum(1)


* These commands are on my Ubuntu, but looking on the web it seems they are
also available on MacOS.


Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Tue, Oct 20, 2015 at 8:26 AM, Maxim Solodovnik <so...@gmail.com>
wrote:

> OK
> Thanks!
>
> --
> WBR
> Maxim aka solomax
>
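
Added example (not part of the thread and not the Wicket build script): `sha1sum -c` takes the checksum file as its argument and parses "<hex>  <name>" lines, while `gpg --print-md` writes "<name>: AB12 CD34 ...", so the sketch below normalises either layout to a bare digest before comparing it with a freshly computed one. The function names, the temp directory and the stand-in archive are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread or the Wicket build): check an archive
# against a .sha/.md5 file in coreutils layout ("<hex>  <name>") or in the
# layout of `gpg --print-md` ("<name>: AB12 CD34 ...", possibly wrapped).

# extract_digest CHECKSUM_FILE ARCHIVE_NAME -> bare lowercase hex digest
extract_digest() {
    awk -v name="$2" '
        { text = text " " $0 }              # join wrapped gpg output
        END {
            p = index(text, name ":")
            if (p > 0) {                    # gpg layout: drop "name:" and spaces
                hex = substr(text, p + length(name) + 1)
                gsub(/[ \t]/, "", hex)
            } else {                        # coreutils layout or bare digest
                split(text, f, " ")
                hex = f[1]
            }
            print tolower(hex)
        }' "$1"
}

# verify_archive ARCHIVE CHECKSUM_FILE ALGO -> 0 match, 1 mismatch, 2 bad input
verify_archive() {
    case "$3" in sha1|sha256|sha512|md5) ;; *) return 2 ;; esac
    expected=$(extract_digest "$2" "$(basename "$1")")
    case "$expected" in ''|*[!0-9a-f]*) return 2 ;; esac
    actual=$("${3}sum" "$1" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Constructed sample data: a stand-in archive and two checksum files for it.
demo_dir=$(mktemp -d)
archive="$demo_dir/apache-wicket-7.1.0.tar.gz"
printf 'constructed stand-in for the release archive\n' > "$archive"
( cd "$demo_dir" && sha256sum apache-wicket-7.1.0.tar.gz > coreutils.sha256 )
# Same shape gpg --print-md writes: upper-case hex in space-separated groups.
sha1sum "$archive" | awk '{ print toupper($1) }' | sed 's/..../& /g' |
    sed 's/^/apache-wicket-7.1.0.tar.gz: /' > "$demo_dir/gpg.sha"

verify_archive "$archive" "$demo_dir/coreutils.sha256" sha256 && echo "sha256: OK"
verify_archive "$archive" "$demo_dir/gpg.sha" sha1 && echo "sha1 (gpg layout): OK"
```

A matching digest only shows the download is intact; authenticity still depends on checking the release signature against the project's KEYS file.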

Re: MD5 SHA1 signatures testing

Posted by Maxim Solodovnik <so...@gmail.com>.
OK
Thanks!

On Tue, Oct 20, 2015 at 12:24 PM, Martijn Dashorst <
martijn.dashorst@gmail.com> wrote:

> Just craft a md5 sum and sha1 and compare the outcome with the .md5
> and .sha files.
>
> Unfortunately there are different ways to create those and one is not
> compatible with the other for an automated check.
>
> Martijn
>
> --
> Become a Wicket expert, learn from the best: http://wicketinaction.com
>



-- 
WBR
Maxim aka solomax

Re: MD5 SHA1 signatures testing

Posted by Martijn Dashorst <ma...@gmail.com>.
Just craft a md5 sum and sha1 and compare the outcome with the .md5
and .sha files.

Unfortunately there are different ways to create those and one is not
compatible with the other for an automated check.

Martijn

On Tue, Oct 20, 2015 at 8:19 AM, Maxim Solodovnik <so...@gmail.com> wrote:
> Thanks, I was able to find keys using google :)
> Why I wrote about this: maybe vote text might be corrected :))
>
> How are you testing md5 and sha1 sums?
>
> --
> WBR
> Maxim aka solomax



-- 
Become a Wicket expert, learn from the best: http://wicketinaction.com

Re: MD5 SHA1 signatures testing

Posted by Maxim Solodovnik <so...@gmail.com>.
Thanks, I was able to find keys using google :)
Why I wrote about this: maybe vote text might be corrected :))

How are you testing md5 and sha1 sums?

On Tue, Oct 20, 2015 at 12:16 PM, Martijn Dashorst <
martijn.dashorst@gmail.com> wrote:

> The keys can be found at http://archive.apache.org/dist/wicket/KEYS
>
> Martijn
>
> --
> Become a Wicket expert, learn from the best: http://wicketinaction.com
>



-- 
WBR
Maxim aka solomax

Re: MD5 SHA1 signatures testing

Posted by Martijn Dashorst <ma...@gmail.com>.
The keys can be found at http://archive.apache.org/dist/wicket/KEYS

Martijn

On Tue, Oct 20, 2015 at 6:38 AM, Maxim Solodovnik <so...@gmail.com> wrote:
> Hello,
>
> could you please tell me how you are checking md5, sha1 sums, because I'm
> getting:
>
> sha1sum -c apache-wicket-7.1.0.tar.gz
> sha1sum: apache-wicket-7.1.0.tar.gz: *no properly formatted SHA1 checksum
> lines found*
>
> md5sum -c apache-wicket-7.1.0.tar.gz
> md5sum: apache-wicket-7.1.0.tar.gz: *no properly formatted MD5 checksum
> lines found*
>
> Additionally the "VOTE" email states: "Distributions, changelog, keys and
> signatures can be found at:", but actually *keys* are not there :(
>
> Thanks in advance
>
>
> --
> WBR
> Maxim aka solomax



-- 
Become a Wicket expert, learn from the best: http://wicketinaction.com