On Tue, Nov 20, 2012 at 12:22 PM, Roman Shaposhnik <[email protected]> wrote:
> Hi!
>
> while reviewing Celix RC I came across a peculiar format
> for the SHA/MD5 checksums which I've never seen before:
>
> https://dist.apache.org/repos/dist/dev/incubator/celix/celix-0.0.1-incubating/
>
> Turns out, this is the output of gpg and it seems that
> there's no way to ask gpg to verify it (unlike -c for md5sum let's
> say). Worse yet, because of the spaces it is not
> easy to reconcile the output with the more typical
> md5sum one.
>
> And yet we actually explicitly document gpg as one of the
> tools: http://www.apache.org/dev/release-signing#md5
>
> So here's the question: are we making it less likely
> for folks to actually verify MD5/SHA checksums if
> we don't have a consistent format for them?

FWIW, any platform with Perl on it can generate md5sum-compatible and
shasum-compatible checksums using incantations like these:

    perl -MDigest -e '$d = Digest->new("MD5");
      open $fh, "<apache-lucy-0.4.0.tar.gz" or die;
      binmode $fh;  # hash the raw bytes on every platform
      $d->addfile($fh); print $d->hexdigest;
      print "  apache-lucy-0.4.0.tar.gz\n"' > apache-lucy-0.4.0.tar.gz.md5

    perl -MDigest -e '$d = Digest->new("SHA-512");
      open $fh, "<apache-lucy-0.4.0.tar.gz" or die;
      binmode $fh;  # hash the raw bytes on every platform
      $d->addfile($fh); print $d->hexdigest;
      print "  apache-lucy-0.4.0.tar.gz\n"' > apache-lucy-0.4.0.tar.gz.sha

(Perl is more widespread than md5sum.)

Marvin Humphrey
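
An added example, not from either poster and not ASF tooling: Python that reduces a gpg-style checksum file and an md5sum-style line to the same lowercase hex digest, then recomputes the file's hash to compare. The gpg layout is assumed to be `name: HEX GROUPS` with spaces and wrapped lines; the function names and the sample file are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hex digest length -> hashlib algorithm name.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def normalize(text):
    """Return the lowercase hex digest from md5sum-style or gpg-style text."""
    text = text.strip()
    # md5sum/shasum style: "<hex>  <name>" or "<hex> *<name>" on one line.
    m = re.fullmatch(r"([0-9A-Fa-f]{32,}) [ *]?\S.*", text)
    if m:
        digest = m.group(1).lower()
    else:
        # Assumed gpg style: "<name>: AB CD ..." in groups, possibly wrapped.
        digest = re.sub(r"\s+", "", text.rpartition(":")[2]).lower()
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) not in ALGO_BY_HEXLEN:
        raise ValueError("unrecognised checksum format")
    return digest


def verify(path, checksum_text):
    """Recompute the file's digest and compare it with the published value."""
    expected = normalize(checksum_text)
    h = hashlib.new(ALGO_BY_HEXLEN[len(expected)])
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == expected


def demo():
    """Constructed sample: one file checked against both checksum layouts."""
    with tempfile.TemporaryDirectory() as tmp:
        f = Path(tmp, "sample.tar.gz")
        f.write_bytes(b"constructed release artifact\n")
        md5 = hashlib.md5(f.read_bytes()).hexdigest()
        sha = hashlib.sha512(f.read_bytes()).hexdigest().upper()
        groups = [sha[i:i + 8] for i in range(0, 128, 8)]
        gpg_style = ("sample.tar.gz: " + " ".join(groups[:8])
                     + "\n               " + " ".join(groups[8:]) + "\n")
        md5sum_style = md5 + "  sample.tar.gz\n"
        # Flip the first hex digit to simulate a mismatching checksum file.
        tampered = md5sum_style.replace(md5[0], "0" if md5[0] != "0" else "1", 1)
        return verify(f, gpg_style), verify(f, md5sum_style), verify(f, tampered)


if __name__ == "__main__":
    print(demo())
```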