[ 
https://issues.apache.org/jira/browse/HBASE-15630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15235887#comment-15235887
 ] 

Christopher Tubbs commented on HBASE-15630:
-------------------------------------------

Ah, so that's how it's done. That's an interesting way to use gpg... especially 
since if a user has GPG in order to do this trick, it'd be better if they 
ignore this file and check the signature instead. The hashes seem more useful 
for people who don't have, or don't want to use, gpg. In that case, it seems 
preferable to use the standardized coreutils format.

A few other comments about the gpg output: if one wishes gpg output to be 
consistent and its output scriptable, one should specify 
{{ gpg --with-colons }}. In this case, order of output also matters, as do the 
supported algorithms. Unfortunately, the {{ gpg --with-colons }} option also 
substitutes the algorithm names with a numeric ID, which is less useful for 
human readers. That's unfortunate.

At least now I know how it's done. Thanks for the tip!

> Improve checksum files for releases for easier verification
> -----------------------------------------------------------
>
>                 Key: HBASE-15630
>                 URL: https://issues.apache.org/jira/browse/HBASE-15630
>             Project: HBase
>          Issue Type: Wish
>    Affects Versions: 1.2.1
>            Reporter: Christopher Tubbs
>            Priority: Trivial
>
> Trying to verify latest release (1.2.1), and I found it a bit inconvenient to 
> parse the *.mds checksum file. The line wrapping, white space, and the 
> general format of the file do not lend themselves to easy verification.
> I suggest using the standard "coreutils" format for md5sum, sha*sum, etc., 
> instead: <lowercase-hash><space><asterisk(binary-flag)><filename>
> {code}
> # md5
> 3d66c0dd4f38fa881046fe64dd680a7a *hbase-1.2.1-src.tar.gz
> # sha1
> 3666a4829d9a8d9285173bfa8e8d0ff5423a22d6 *hbase-1.2.1-src.tar.gz
> # rmd160
> #fb318e84b6256492cfb990aec2238a64c2da21ad *hbase-1.2.1-src.tar.gz
> # sha224
> 89d341a55069e4875f9e6859737062fd7a4c11596811731c4ba95ca0 *hbase-1.2.1-src.tar.gz
> # sha256
> e8000a65e98d4c5db7bab54da99a57209fe4ea777ab41e91ae8ccf7bfa2d50dd *hbase-1.2.1-src.tar.gz
> # sha384
> 49aa0620bf0fbe20bbde66cecabb76b22defb9ee609936edc3952889e6484e55c88f1c93d6258a2eaab4a9d5188b6170 *hbase-1.2.1-src.tar.gz
> # sha512
> 28956a35a01ae87e9f733664c52c6fd25f9a60a1ff7047bbf306cd433c2a5b863c9bf05aba1d58792b86eec9943ae00e772c4b76fb81c5d210cf256cd074189b *hbase-1.2.1-src.tar.gz
> {code}
> (comment lines added for humans, but ignored by tools; commented out rmd160, 
> because not a coreutils supported algorithm; binary flag optional, could use 
> another space instead... probably only matters for some dos tools)
> This makes it very easy to verify multiple files and hashes using: 
> {{shasum -c file.mds}} or {{sha1sum -c file.mds}} or {{md5sum -c file.mds}}.
> In addition to the file format change, I suggest these two additional changes:
> 1. Drop rmd160. It's not nearly as popular as the others, and it doesn't lend 
> itself to easy verification (no coreutils equivalent command like md5sum, 
> sha1sum, etc.)
> 2. Concatenate hashes from all files into a single file. This makes it easier 
> to verify all downloads at once.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
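
As an added example (not part of the JIRA thread or of HBase's release tooling), this Python sketch verifies a checksum file in the coreutils format the issue proposes, choosing the algorithm from the digest length so that one file can carry several hash types. The function names and the `sample-src.tar.gz` file are constructed for illustration, and the artifacts are assumed to sit flat in one directory.

```python
import hashlib, hmac, os, re, tempfile

# Hex digest length -> hashlib name. RIPEMD-160 is also 40 hex characters,
# so it cannot be told apart from SHA-1 by length and is not supported here.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 56: "sha224",
                  64: "sha256", 96: "sha384", 128: "sha512"}
# <lowercase-hash><space><asterisk or space><filename>
LINE_RE = re.compile(r"^([0-9a-f]+) [ *](.+)$")

def parse_checksums(text):
    """Yield (algorithm, digest, filename) for each checksum line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments written for human readers
        m = LINE_RE.match(line)
        if not m or len(m.group(1)) not in ALGO_BY_HEXLEN:
            # e.g. a hash whose filename was wrapped onto the next line
            raise ValueError(f"line {lineno}: not in coreutils format")
        yield ALGO_BY_HEXLEN[len(m.group(1))], m.group(1), m.group(2)

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(text, directory):
    """Return [(filename, algorithm, ok)]; a missing file counts as a failure."""
    results = []
    for algo, digest, name in parse_checksums(text):
        # Assumption: flat layout, so any directory part in the name is ignored.
        path = os.path.join(directory, os.path.basename(name))
        ok = os.path.isfile(path) and hmac.compare_digest(file_digest(path, algo), digest)
        results.append((name, algo, ok))
    return results

def demo():
    """Constructed sample: one file, a correct line per algorithm, one wrong line."""
    with tempfile.TemporaryDirectory() as d:
        data = b"constructed sample release artifact\n"
        with open(os.path.join(d, "sample-src.tar.gz"), "wb") as f:
            f.write(data)
        lines = ["# constructed checksum file for this example"]
        for algo in ALGO_BY_HEXLEN.values():
            lines.append(f"{hashlib.new(algo, data).hexdigest()} *sample-src.tar.gz")
        lines.append("0" * 64 + " *sample-src.tar.gz")  # deliberately wrong sha256
        return verify("\n".join(lines), d)
```

A matching hash only shows the download agrees with the checksum file; as the comment above notes, checking the GPG signature is what ties the artifact to the release signer.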
