Hello,

Found this lying around... maybe someone who previously made releases
could check it out.

Obviously we could just as well use SHA-256. What do you think?

[[[

Use SHA-2 hashes for releases

* tools/dist/checksums.py: also check SHA-512 digest
* tools/dist/dist.sh: also generate SHA-512 digest
* tools/dist/download-release.sh: remove unused script
* tools/dist/release.py: switch to announcing SHA-512 digest
* tools/dist/templates/download.ezt,
  tools/dist/templates/rc-release-ann.ezt,
  tools/dist/templates/stable-release-ann.ezt: reference SHA-512 digests
  and HTTPS urls.

]]]


Andreas

-- 
Andreas Stieger <astie...@suse.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)


Index: tools/dist/checksums.py
===================================================================
--- tools/dist/checksums.py	(revision 1798304)
+++ tools/dist/checksums.py	(working copy)
@@ -19,12 +19,14 @@
 # under the License.
 #
 #
-# Check MD5 and SHA1 signatures of files, using md5sums and/or
-# sha1sums as manifests.  Replaces the 'md5sum' and 'sha1sum' commands
+# Check MD5 and SHA-1 and SHA-2 signatures of files, using 
+# md5sums, sha1sums, and/or sha512sums as manifests
+# Replaces the 'md5sum', 'sha1sum', and 'sha512sums' commands
 # on systems that do not have them, such as Mac OS X or Windows.
 #
 # Usage: checksums.py [manifest]
-#   where "os.path.basename(manifest)" is either "md5sums" or "sha1sums"
+#   where "os.path.basename(manifest)" is either "md5sums", "sha1sums",
+#   "sha512sums"
 #
 # Tested with the following Python versions:
 #        2.4   2.5   2.6   2.7   3.2
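Review bot: the rewritten header comment in this hunk names the third tool as 'sha512sums', but the coreutils command is `sha512sum`; only the manifest file is called `sha512sums`. Suggest `# Replaces the 'md5sum', 'sha1sum', and 'sha512sum' commands`. The new first line also drops the full stop after "manifests" and carries trailing whitespace after `using`.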
@@ -37,6 +39,7 @@ import sys
 try:
     from hashlib import md5
     from hashlib import sha1
+    from hashlib import sha512
 except ImportError:
     from md5 import md5
     from sha import sha as sha1
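Review bot: the `except ImportError` fallback in this hunk has no counterpart for `sha512`: on an interpreter without hashlib (the 2.4 the header still lists as tested) the fallback branch runs, `sha512` is never bound, and a `sha512sums` manifest later fails with a NameError instead of a readable message. Either bind a sentinel in the fallback (`sha512 = None`) and raise a descriptive error when that manifest is selected, or drop 2.4 from the tested list.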
@@ -67,9 +70,11 @@ def main(manipath):
         sink = Digester(md5)
     elif manifest == 'sha1sums':
         sink = Digester(sha1)
+    elif manifest == 'sha512sums':
+        sink = Digester(sha512)
     else:
         raise ValueError('The name of the digest manifest must be '
-                         "'md5sums' or 'sha1sums', not '%s'" % manifest)
+                         "'md5sums', 'sha1sums', or 'sha512sums', not '%s'" % manifest)
 
     # No 'with' statement in Python 2.4 ...
     stream = None
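Review bot: the new `"'md5sums', 'sha1sums', or 'sha512sums', not '%s'" % manifest)` continuation runs well past 79 columns; split the message across two adjacent string literals. The added `elif manifest == 'sha512sums'` branch itself mirrors the two existing ones correctly.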
Index: tools/dist/dist.sh
===================================================================
--- tools/dist/dist.sh	(revision 1798304)
+++ tools/dist/dist.sh	(working copy)
@@ -369,9 +369,10 @@ sign_file()
   fi
 }
 
-# allow md5sum and sha1sum tool names to be overridden
+# allow md5sum,sha1sum, and sha512sum tool names to be overridden
 [ -n "$MD5SUM" ] || MD5SUM=md5sum
 [ -n "$SHA1SUM" ] || SHA1SUM=sha1sum
+[ -n "$SHA512SUM" ] || SHA512SUM=sha512sum
 
 echo ""
 echo "Done:"
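Review bot: the edited comment reads `md5sum,sha1sum, and sha512sum` with the space missing after the first comma. The `SHA512SUM` override line follows the same pattern as the existing `MD5SUM` and `SHA1SUM` lines, which is fine.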
@@ -387,6 +388,12 @@ if [ -z "$ZIP" ]; then
     echo "sha1sums:"
     $SHA1SUM "$DISTNAME.tar.bz2" "$DISTNAME.tar.gz"
   fi
+  type $SHA512SUM > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    echo ""
+    echo "sha512sums:"
+    $SHA512SUM "$DISTNAME.tar.bz2" "$DISTNAME.tar.gz"
+  fi
 else
   ls -l "$DISTNAME.zip"
   sign_file $DISTNAME.zip
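Review bot: the new block silently skips the SHA-512 output when `$SHA512SUM` is not installed (`type $SHA512SUM > /dev/null 2>&1` followed by `if [ $? -eq 0 ]`), so a roll on such a host prints md5 and sha1 sums but no sha512sums, even though SHA-512 is now the only digest the announcement templates reference. Consider failing, or at least printing a warning, rather than skipping. Style: `if type "$SHA512SUM" >/dev/null 2>&1; then` does the same without the separate `$?` test, and quoting the variable avoids word splitting on an overridden path.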
@@ -399,4 +406,10 @@ else
     echo "sha1sum:"
     $SHA1SUM "$DISTNAME.zip"
   fi
+  type $SHA512SUM > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    echo ""
+    echo "sha512sum:"
+    $SHA512SUM "$DISTNAME.zip"
+  fi
 fi
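Review bot: this block repeats the previous hunk's sha512 block with only the heading and filename changed, and the same already holds for the md5/sha1 pairs above it; a small helper that takes the tool, the label and the file list would keep the tarball and zip paths from drifting apart the next time a digest is added.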
Index: tools/dist/download-release.sh
===================================================================
--- tools/dist/download-release.sh	(revision 1798304)
+++ tools/dist/download-release.sh	(nonexistent)
@@ -1,28 +0,0 @@
-#!/bin/bash
-#
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-#
-BASEURL=$1
-VERSION=$2
-wget -nc $BASEURL/{{md5,sha1}sums,svn_version.h.dist,subversion{-deps,}-$VERSION.{{zip,tar.bz2}{.asc,},tar.gz.asc}}
-bzip2 -dk subversion{-deps,}-$VERSION.tar.bz2
-gzip -9n subversion{-deps,}-$VERSION.tar
-md5sum -c md5sums
-sha1sum -c sha1sums
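Review bot: deleting download-release.sh is independent of the SHA-2 change and would be cleaner as its own commit with a one-line reason in the log beyond "remove unused script". Note that this script was also the worked example of fetching a release and verifying it against the published manifests (`md5sum -c md5sums`, `sha1sum -c sha1sums`); if anything replaces it, it should fetch and check `sha512sums` in the same way.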

Property changes on: tools/dist/download-release.sh
___________________________________________________________________
Deleted: svn:eol-style
## -1 +0,0 ##
-native
\ No newline at end of property
Deleted: svn:executable
## -1 +0,0 ##
-*
\ No newline at end of property
Index: tools/dist/release.py
===================================================================
--- tools/dist/release.py	(revision 1798304)
+++ tools/dist/release.py	(working copy)
@@ -537,9 +537,9 @@ def roll_tarballs(args):
 
         shutil.move(filename, get_deploydir(args.base_dir))
         filename = os.path.join(get_deploydir(args.base_dir), filename)
-        m = hashlib.sha1()
+        m = hashlib.sha512()
         m.update(open(filename, 'r').read())
-        open(filename + '.sha1', 'w').write(m.hexdigest())
+        open(filename + '.sha512', 'w').write(m.hexdigest())
 
     shutil.move('svn_version.h.dist',
                 get_deploydir(args.base_dir) + '/' + 'svn_version.h.dist'
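Review bot: `m.update(open(filename, 'r').read())` feeds the tarball to the digest in text mode and never closes the handle; for a binary artifact this should be `'rb'` (text mode alters bytes on Windows and yields `str` rather than `bytes` on Python 3, where `update` then raises). Since the two neighbouring lines are being changed, fix it in the same hunk. Also, only `.sha512` is written now; if any downstream consumer still expects the `.sha1` files in the deploy directory, consider writing both for one release cycle.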
@@ -758,39 +758,39 @@ def write_news(args):
     template.generate(sys.stdout, data)
 
 
-def get_sha1info(args, replace=False):
-    'Return a list of sha1 info for the release'
+def get_sha512info(args, replace=False):
+    'Return a list of sha512 info for the release'
 
     target = get_target(args)
 
-    sha1s = glob.glob(os.path.join(target, 'subversion*-%s*.sha1' % args.version))
+    sha512s = glob.glob(os.path.join(target, 'subversion*-%s*.sha512' % args.version))
 
     class info(object):
         pass
 
-    sha1info = []
-    for s in sha1s:
+    sha512info = []
+    for s in sha512s:
         i = info()
-        # strip ".sha1"
-        fname = os.path.basename(s)[:-5]
+        # strip ".sha512"
+        fname = os.path.basename(s)[:-7]
         if replace:
             # replace the version number with the [version] reference
             i.filename = Version.regex.sub('[version]', fname)
         else:
             i.filename = fname
-        i.sha1 = open(s, 'r').read()
-        sha1info.append(i)
+        i.sha512 = open(s, 'r').read()
+        sha512info.append(i)
 
-    return sha1info
+    return sha512info
 
 
 def write_announcement(args):
     'Write the release announcement.'
-    sha1info = get_sha1info(args)
+    sha512info = get_sha512info(args)
     siginfo = "\n".join(get_siginfo(args, True)) + "\n"
 
     data = { 'version'              : str(args.version),
-             'sha1info'             : sha1info,
+             'sha512info'           : sha512info,
              'siginfo'              : siginfo,
              'major-minor'          : args.version.branch,
              'major-minor-patch'    : args.version.base,
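Review bot: `[:-7]` (and the old `[:-5]`) is a magic length tied to the suffix in the glob two lines up; `fname = os.path.basename(s)[:-len('.sha512')]` keeps the slice and the `'*.sha512'` pattern from drifting apart. The renamed attribute `i.sha512` and the `'sha512info'` key must match the `[for sha512info]` and `[sha512info.sha512]` references in the .ezt templates, which they do in this patch.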
@@ -809,10 +809,10 @@ def write_announcement(args):
 
 def write_downloads(args):
     'Output the download section of the website.'
-    sha1info = get_sha1info(args, replace=True)
+    sha512info = get_sha512info(args, replace=True)
 
     data = { 'version'              : str(args.version),
-             'fileinfo'             : sha1info,
+             'fileinfo'             : sha512info,
            }
 
     template = ezt.Template(compress_whitespace = False)
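Review bot: this hunk keeps the template key as `'fileinfo'` while the announcement hunk renames its key to `'sha512info'`; that is consistent with download.ezt iterating `[for fileinfo]`, but the attribute the template reads is now `fileinfo.sha512`, so the download.ezt change must land in the same commit as this one.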
Index: tools/dist/templates/download.ezt
===================================================================
--- tools/dist/templates/download.ezt	(revision 1798304)
+++ tools/dist/templates/download.ezt	(working copy)
@@ -2,12 +2,12 @@
 <table class="centered">
 <tr>
   <th>File</th>
-  <th>Checksum (SHA1)</th>
+  <th>Checksum (SHA-512)</th>
   <th>Signatures</th>
 </tr>
 [for fileinfo]<tr>
   <td><a href="[[]preferred]subversion/[fileinfo.filename]">[fileinfo.filename]</a></td>
-  <td class="checksum">[fileinfo.sha1]</td>
-  <td>[<a href="http://www.apache.org/dist/subversion/[fileinfo.filename].asc";>PGP</a>]</td>
+  <td class="checksum">[fileinfo.sha512]</td>
+  <td>[<a href="https://www.apache.org/dist/subversion/[fileinfo.filename].asc";>PGP</a>]</td>
 </tr>[end]
 </table>
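Review bot: both the removed and the added PGP link lines carry `.asc";>` with a stray `;` after the closing quote; this looks like mail-archive mangling of `">`, but check the working copy, since a literal `;` there would end up inside the rendered tag. Separately, a SHA-512 hex digest is 128 characters, twice the SHA-1 width, so the `class="checksum"` column may overflow the centered table unless the stylesheet allows the value to break.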
Index: tools/dist/templates/rc-release-ann.ezt
===================================================================
--- tools/dist/templates/rc-release-ann.ezt	(revision 1798304)
+++ tools/dist/templates/rc-release-ann.ezt	(working copy)
@@ -1,17 +1,17 @@
 I'm happy to announce the release of Apache Subversion [version].
 Please choose the mirror closest to you by visiting:
 
-    http://subversion.apache.org/download.cgi#[anchor]
+    https://subversion.apache.org/download.cgi#[anchor]
 
-The SHA1 checksums are:
+The SHA-512 checksums are:
 
-[for sha1info]    [sha1info.sha1] [sha1info.filename]
+[for sha512info]    [sha512info.sha512] [sha512info.filename]
 [end]
 PGP Signatures are available at:
 
-    http://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc
-    http://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc
-    http://www.apache.org/dist/subversion/subversion-[version].zip.asc
+    https://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc
+    https://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc
+    https://www.apache.org/dist/subversion/subversion-[version].zip.asc
 
 For this release, the following people have provided PGP signatures:
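Review bot: the `[sha512info.sha512] [sha512info.filename]` line is now 128 hex characters plus the filename, well past a 72- or 80-column mail line; clients that wrap it break copy-and-paste of the digest. Consider stating in the announcement text that the line may wrap, or putting the filename on its own line under the digest.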
 
@@ -20,7 +20,7 @@ This is a pre-release for what will eventually bec
 [major-minor-patch].  It may contain known issues, a complete list of
 [major-minor-patch]-blocking issues can be found here:
 
-    http://subversion.tigris.org/issues/buglist.cgi?component=subversion&issue_status=NEW&issue_status=STARTED&issue_status=REOPENED&target_milestone=[major-minor-patch]
+    https://subversion.tigris.org/issues/buglist.cgi?component=subversion&issue_status=NEW&issue_status=STARTED&issue_status=REOPENED&target_milestone=[major-minor-patch]
 
 A pre-release means the Subversion developers feel that this release
 is ready for widespread testing by the community.  There are known issues
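Review bot: before switching `subversion.tigris.org` to https, confirm that host actually serves the issue tracker over TLS with a valid certificate; the other URLs in this patch are apache.org hosts, but tigris.org is a third party, and a bad certificate turns a working link into a browser warning.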
@@ -46,11 +46,11 @@ end users please.
 
 Release notes for the [major-minor].x release series may be found at:
 
-    http://subversion.apache.org/docs/release-notes/[major-minor].html
+    https://subversion.apache.org/docs/release-notes/[major-minor].html
 
 You can find the list of changes between [version] and earlier versions at:
 
-    http://svn.apache.org/repos/asf/subversion/tags/[version]/CHANGES
+    https://svn.apache.org/repos/asf/subversion/tags/[version]/CHANGES
 
 Questions, comments, and bug reports to us...@subversion.apache.org.
 
Index: tools/dist/templates/stable-release-ann.ezt
===================================================================
--- tools/dist/templates/stable-release-ann.ezt	(revision 1798304)
+++ tools/dist/templates/stable-release-ann.ezt	(working copy)
@@ -1,17 +1,17 @@
 I'm happy to announce the release of Apache Subversion [version].
 Please choose the mirror closest to you by visiting:
 
-    http://subversion.apache.org/download.cgi#[anchor]
+    https://subversion.apache.org/download.cgi#[anchor]
 
-The SHA1 checksums are:
+The SHA-512 checksums are:
 
-[for sha1info]    [sha1info.sha1] [sha1info.filename]
+[for sha512info]    [sha512info.sha512] [sha512info.filename]
 [end]
 PGP Signatures are available at:
 
-    http://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc
-    http://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc
-    http://www.apache.org/dist/subversion/subversion-[version].zip.asc
+    https://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc
+    https://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc
+    https://www.apache.org/dist/subversion/subversion-[version].zip.asc
 
 For this release, the following people have provided PGP signatures:
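Review bot: this hunk is identical to the first hunk of rc-release-ann.ezt, and the same wrapping concern for the 128-character digest lines applies; the checksum and signature sections are shared verbatim between the two templates, so moving them into a common fragment would avoid patching both each time the digest changes.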
 
@@ -18,11 +18,11 @@ For this release, the following people have provid
 [siginfo]
 Release notes for the [major-minor].x release series may be found at:
 
-    http://subversion.apache.org/docs/release-notes/[major-minor].html
+    https://subversion.apache.org/docs/release-notes/[major-minor].html
 
 You can find the list of changes between [version] and earlier versions at:
 
-    http://svn.apache.org/repos/asf/subversion/tags/[version]/CHANGES
+    https://svn.apache.org/repos/asf/subversion/tags/[version]/CHANGES
 
 Questions, comments, and bug reports to us...@subversion.apache.org.
 
