[Bug 57344] [PATCH] Provide sha1 checksum files for Tomcat downloads

Thu, 11 Dec 2014 20:04:23 -0800 

https://issues.apache.org/bugzilla/show_bug.cgi?id=57344

Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #2 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Konstantin Kolinko from comment #0)
> 3) I do not have a command-line tool to automatically verify sha-512.
> 
> There exist sha512sum from GNU,
> http://www.gnu.org/software/coreutils/manual/coreutils.html#sha2-utilities
> 
> but GnuWin32 CoreUtils do not have this tool.

The 'sha512sum' command exists on both Debian and Amazon Linux (CentOS/RHEL
compatible), and so I would imagine it's available on most Linux distributions.
Mac OS X has 'shasum -a 512' which "mimics the behavior of GNU shaXsum"
(according to the man page).

As we use Apache Ant for building, why not just use <checksum>?
https://ant.apache.org/manual/Tasks/checksum.html

It can be configured to use any of the proposed formats...

> 4) What file format shall we use?
> 
> Apache Ant downloads are using  hashsum + LF.
> 
> We are using  hashsum + " *" + filename, which is the format supported by
> md5sum and sha1sum GNU utilities.
> 
> `openssl dgst -sha512 filename` generates "SHA512(" + filename + ")= "
> +hashsum +LF, but I think that openssl does not read this format.
> 
> I think it would better to print just the hashsum value, but I wonder if
> that is supported by sha512sum tool.

I don't believe shaXsum can do that. I can't get the Mac version to do it,
either. If sed/awk/etc can be relied upon, we can always cobble-together
whatever combination of strings we need to make the tools happy.

In what environments do we think that checksums will be verified?

Ant's <checksum> can verify a signature as well as generate one. Is Ant/JVM any
more/less trustworthy than shaXsum/openssl?

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to