Hi,

On Wed, Feb 17, 2010 at 4:22 PM, Richard Hirsch <[email protected]> wrote:
> Working on the problem with signing the release and I'm getting the same
> problem that Bertrand describes. Maybe it is a difference between using SHA1
> and SHA512. ..

Ah ok - I assumed SHA1 (and my openssl doesn't do sha512), but re-reading http://www.apache.org/dev/release-signing.html I see that SHA512 is recommended there, with a .sha extension.

If you generate an SHA512 digest (which is fine), using an .sha512 extension instead would IMHO make it clearer which digest algorithm is used.

For Sling releases we use .sha1 (http://www.apache.org/dist/sling/) - I think using just .sha leaves room for confusion, as happened to me ;-)

-Bertrand
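Added example, not part of the original message: a verifier that takes the algorithm from the digest file's extension when it names one (`.sha1`, `.sha512`) and otherwise, as with a bare `.sha`, infers it from the digest length. The file names and artifact bytes are constructed, and the length-based inference is a heuristic assumed here, not an Apache rule.

```python
import hashlib
import hmac
import re

# Hex digest length per algorithm; also the set of extensions treated as explicit.
ALGO_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha384": 96, "sha512": 128}


def parse_digest(text):
    """Return the lowercase hex digest from a digest file's contents."""
    if ":" in text:
        # "name: HEX HEX ..." layout, as produced by `gpg --print-md`
        candidate = "".join(text.split(":", 1)[1].split())
    else:
        # bare "<hex>" or "<hex>  name" layout
        fields = text.split()
        candidate = fields[0] if fields else ""
    if not re.fullmatch(r"[0-9a-fA-F]+", candidate):
        raise ValueError("no hex digest found")
    return candidate.lower()


def resolve_algorithm(digest_filename, digest_hex):
    """Pick the algorithm from the extension, or from the length for '.sha'."""
    ext = digest_filename.rsplit(".", 1)[-1].lower()
    if ext in ALGO_HEX_LEN:
        # An explicit extension must agree with what the file actually holds.
        if len(digest_hex) != ALGO_HEX_LEN[ext]:
            raise ValueError(f".{ext} file holds a {len(digest_hex)}-char digest")
        return ext
    # Ambiguous extension: fall back to the digest length (heuristic).
    by_len = {n: a for a, n in ALGO_HEX_LEN.items()}
    if len(digest_hex) not in by_len:
        raise ValueError("unrecognised digest length")
    return by_len[len(digest_hex)]


def verify(artifact_bytes, digest_filename, digest_text):
    """Return (algorithm used, whether the artifact matches the digest)."""
    expected = parse_digest(digest_text)
    algo = resolve_algorithm(digest_filename, expected)
    actual = hashlib.new(algo, artifact_bytes).hexdigest()
    return algo, hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    data = b"constructed release artifact\n"  # constructed sample input
    sha512_hex = hashlib.sha512(data).hexdigest()
    print(verify(data, "release.tar.gz.sha", sha512_hex))
    print(verify(data, "release.tar.gz.sha512", sha512_hex))
```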
