Summary: | [PATCH] Provide sha1 checksum files for Tomcat downloads | ||
---|---|---|---|
Product: | Tomcat 6 | Reporter: | Konstantin Kolinko <knst.kolinko> |
Component: | Native:Packaging | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED FIXED | ||
Severity: | enhancement | ||
Priority: | P2 | ||
Version: | 6.0.43 | ||
Target Milestone: | ---- | ||
Hardware: | PC | ||
OS: | All | ||
Attachments: |
2014-12-12_tc9_57344_sha1.patch
2014-12-14_tc6_57344_sha1.patch |
Description
Konstantin Kolinko
2014-12-12 00:38:18 UTC
Created attachment 32286 [details]
2014-12-12_tc9_57344_sha1.patch
(In reply to Konstantin Kolinko from comment #0) > 3) I do not have a command-line tool to automatically verify sha-512. > > There exist sha512sum from GNU, > http://www.gnu.org/software/coreutils/manual/coreutils.html#sha2-utilities > > but GnuWin32 CoreUtils do not have this tool. The 'sha512sum' command exists on both Debian and Amazon Linux (CentOS/RHEL compatible), and so I would imagine it's available on most Linux distributions. Mac OS X has 'shasum -a 512' which "mimics the behavior of GNU shaXsum" (according to the man page). As we use Apache Ant for building, why not just use <checksum>? https://ant.apache.org/manual/Tasks/checksum.html It can be configured to use any of the proposed formats... > 4) What file format shall we use? > > Apache Ant downloads are using hashsum + LF. > > We are using hashsum + " *" + filename, which is the format supported by > md5sum and sha1sum GNU utilities. > > `openssl dgst -sha512 filename` generates "SHA512(" + filename + ")= " > +hashsum +LF, but I think that openssl does not read this format. > > I think it would better to print just the hashsum value, but I wonder if > that is supported by sha512sum tool. I don't believe shaXsum can do that. I can't get the Mac version to do it, either. If sed/awk/etc can be relied upon, we can always cobble-together whatever combination of strings we need to make the tools happy. In what environments do we think that checksums will be verified? Ant's <checksum> can verify a signature as well as generate one. Is Ant/JVM any more/less trustworthy than shaXsum/openssl? +0 to the patch. No objections but what is the benefit? Re sha2: 1. As above. What is the benefit. 2. I'm less concerned about what other ASF projects are doing and more concerned about what the benefit of is doing it is. 2b) I'll see if I can get that fixed. 3. I use cyohash. It doesn't support the exact formats but it is good enough for validating. 4. The same format as we do for sha1 unless there is a good reason not to. > No objections but what is the benefit? My concern is that there have been actual malware that exploited weakness in MD5 (Flame, as mentioned in Wikipedia article on MD5). As such I think that md5 is not enough to verify a file integrity. https://en.wikipedia.org/wiki/MD5 > Re sha2: > 1. As above. What is the benefit. I am neutral on sha2. I just think that it is easier to add it now while this task is in our scope. > 4. The same format as we do for sha1 unless there is a good reason not to. Ack. I am opting for "{hash} *{filename}" format then. Apache Ant can be used to validate it, among other options. Thank you for your review. A note on backporting to Tomcat 6: 1) GPG support (<target name="sign") does not exist in Tomcat 6. I think it makes sense to backport that as well. Revisions for this feature are r1231923, r1231947 and r1232368 (January 2012). 2) md5sum is calculated both in extras.xml and dist.xml Created attachment 32287 [details] 2014-12-14_tc6_57344_sha1.patch Patch for Tomcat 6. Add sha1 checksums. I am not backporting GPG signing. (In reply to Konstantin Kolinko from comment #6) > A note on backporting to Tomcat 6: To avoid special-casing the extras, it is possible to implement signing differently from Tomcat 7: sign all files in one step. In Ant there exists <apply/> task, that runs an external executable over a set of files. |