Re: cksum: add support for SHA-3

Wed, 03 Sep 2025 01:01:35 -0700 

Pádraig Brady <[email protected]> writes:

> Hi Collin, this is really good.
>
> As we discussed, selecting the size with --length is a nice cleanup,
> rather than listing out each SHA3-<DIGEST-SIZE> option.
>
> I would simplify the interface though, and not extend it
> to select arbitrary lengths on fixed size digests.
> If you were to do this the SHA3-<DIGEST-SIZE>/<TRUNCATED-SIZE>
> would be the most appropriate format, but it would introduce complication
> as you'd need to parse that also for --check.

Yep, that was something I forgot to mention. It would add extra
complexity to handling --check.

> Also truncation has limited use cases best contained in libs rather than 
> tools.

Or if someone really wants it using cksum they can pipe it into sed.

> So I would keep it simple so that:
>
> --length selects fixed sizes for sha3.
> I.e. it will reject anything other than {224,256,384,512}
>
> --length continues to select arbitrary sizes for blake2b
> (and possibly in future shake128 or shake256}
>
> --length is required with --algorithm=sha3
> so that there is no ambiguity in size chosen.
> I.e. there is no default for fixed size digests.
>
> Since there is no default, -<DIGEST-SIZE> should always output for SHA3
> (or any (future) fixed size digest)

These all sound good to me.

> p.s. I'm thinking cksum might deprecate the explicit -a sha{224,256,384,512},
> instead preferring -a sha2 -l {224,256,384,512}, which is more symmetrical 
> and neater.
> Though for interop compat we would not change the output tag, keeping 
> SHA{224,256,384,512}.

I agree with this in principle. However, it would cause some breakage.
Off the top my head some announcements on [email protected] would have
commands that no longer work:

    $ ./build-aux/announce-gen --release-type=alpha --package-name=coreutils \
    --previous-version=1 --current-version=9.7.265-e028c65 \
    --url-directory=nowhere --cksum-checksums \
    --gpg-key-id=8CE6491AE30D7D75
    [...]
    Here are the SHA1 and SHA256 checksums:
    
      de6ff43c89db596102a437e1e76175b3dec15570  coreutils-9.7.265-e028c65.tar.gz
      JVDvV5rSM+MFe2TxAIyaeW+1p7d/pA77seKJ6/xfk0I=  
coreutils-9.7.265-e028c65.tar.gz
      0cef5cc5a22d54a80ecc01976e48c68388757c6e  coreutils-9.7.265-e028c65.tar.xz
      6NOdMI+ZuhaWCt5LV6Pyv1GZBwJx6IK9B0famJzeF0M=  
coreutils-9.7.265-e028c65.tar.xz
    
    Verify the base64 SHA256 checksum with cksum -a sha256 --check
    from coreutils-9.2 or OpenBSD's cksum since 2007.

Collin

Reply via email to