[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16183903#comment-16183903 ]
Andrea Del Bene commented on WICKET-6074:
-----------------------------------------

I'm going to add the sha-256 generation ('sha256sum $f > $f.sha256') to the currently available signatures. This should be ok, right?

> Use SHA 256+ for signing the release artefacts
> ----------------------------------------------
>
>                 Key: WICKET-6074
>                 URL: https://issues.apache.org/jira/browse/WICKET-6074
>             Project: Wicket
>          Issue Type: Task
>          Components: release
>    Affects Versions: 6.21.0, 7.2.0
>            Reporter: Martin Grigorov
>            Assignee: Andrea Del Bene
>
> See the discussion at dev@ about checking the release:
> http://markmail.org/message/yu2f64rndmncseyd
> There are a few issues:
> 1) It seems sha1sum is used. It will be better to use SHA 256+
> from release.sh:
> gpg --print-md SHA1 target/dist/apache-wicket-$version.tar.gz > target/dist/apache-wicket-$version.tar.gz.sha
> 2) Drop .md5 ?!
> "man md5sum" says:
> BUGS
>        The MD5 algorithm should not be used any more for security related purposes. Instead, better use an SHA-2 algorithm, implemented in the programs sha224sum(1), sha256sum(1), sha384sum(1), sha512sum(1)
> 3) use "sha256sum" instead of "gpg --print-md SHA1" to create the file to make it simpler for checking later with "sha256sum -c"
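
The change discussed in this issue (one `sha256sum`-format file per artifact, checkable later with `sha256sum -c`), as an added example that is not Wicket's release.sh. The function names, the `*.tar.gz`/`*.zip` globs and the sample artifact `apache-wicket-X.Y.Z.tar.gz` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: write and check per-artifact SHA-256 files for a release
# directory. Function names and the sample artifact are constructed.

# write_sha256 DIR: create FILE.sha256 next to every archive in DIR.
# Running sha256sum from inside DIR records the bare file name, so the
# checksum file still verifies after both files are downloaded elsewhere.
write_sha256() {
    (
        cd "$1" || exit 1
        for f in *.tar.gz *.zip; do
            [ -f "$f" ] || continue          # skip glob patterns that matched nothing
            sha256sum "$f" > "$f.sha256" || exit 1
        done
    )
}

# verify_sha256 DIR: check every .sha256 file in DIR with "sha256sum -c".
# Returns non-zero if any artifact is missing, altered, or has no checksum file.
verify_sha256() {
    (
        cd "$1" || exit 1
        status=0
        found=0
        for s in *.sha256; do
            [ -f "$s" ] || continue
            found=1
            sha256sum -c "$s" >/dev/null 2>&1 || { echo "FAILED: $s" >&2; status=1; }
        done
        [ "$found" -eq 1 ] || status=1       # an empty directory must not pass
        exit "$status"
    )
}

# Constructed demo: a stand-in artifact in a temporary directory.
demo() {
    dist=$(mktemp -d) || return 1
    printf 'constructed release payload\n' > "$dist/apache-wicket-X.Y.Z.tar.gz"
    write_sha256 "$dist" && verify_sha256 "$dist" && echo "verified"
    printf 'tampered\n' >> "$dist/apache-wicket-X.Y.Z.tar.gz"
    verify_sha256 "$dist" 2>/dev/null || echo "tamper detected"
    rm -rf "$dist"
}

demo
```

A checksum file only detects corruption or a mismatched download; the GPG signature on the artifact is still what ties it to the release manager's key.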