The 'announce-gen' script shows SHA256 sums in a way that is hard to verify and understand for the users:
  - Verifying requires a special command that is not easy to remember.
  - Verifying requires special tools that do not exist on all systems.
  - Understand why one checksum uses hex digits and the other is base64?

AFAICS, it all came about because the original way to present the SHA256 checksum exceeded the 80-columns line limit. [1] was an attempt to mitigate 2 among the 3 problems mentioned above.

Here's a patch to change it back to a simple display that fits in 80 columns and can be verified with fewer contortions. Instead of the output:

------------------------------------------------------------------------------
Here are the SHA1 and SHA256 checksums:

c31ae593a7c51f805645914ca206991e072760d9 gettext-0.23.tar.gz
lF3XACoC3XEIrQUQYC4TQWtB0yeJjPhSIgG8avEJB6Y= gettext-0.23.tar.gz
76a00a8abaf89efc516d9d6fcad4896e06428219 gettext-0.23.tar.lz
mHiZSTCo4J8eMYYgOz/yrMssTmfdxgmLLB5KdDZNPFo= gettext-0.23.tar.lz
150efc2f9922cd4bb7fbb9d5c72ed3b2d1b60e3e gettext-0.23.tar.xz
vzGptr3z42RmnHvZhY+X5KDECKjSKUDF1Ktji2VGD4U= gettext-0.23.tar.xz

Verify the base64 SHA256 checksum with cksum -a sha256 --check
from coreutils-9.2 or OpenBSD's cksum since 2007.
------------------------------------------------------------------------------

it produces

------------------------------------------------------------------------------
Here are the SHA1 and SHA256 checksums:

File: gettext-0.23.tar.gz
SHA1 sum: c31ae593a7c51f805645914ca206991e072760d9
SHA256 sum: 945dd7002a02dd7108ad0510602e13416b41d327898cf8522201bc6af10907a6

File: gettext-0.23.tar.lz
SHA1 sum: 76a00a8abaf89efc516d9d6fcad4896e06428219
SHA256 sum: 9878994930a8e09f1e3186203b3ff2accb2c4e67ddc6098b2c1e4a74364d3c5a

File: gettext-0.23.tar.xz
SHA1 sum: 150efc2f9922cd4bb7fbb9d5c72ed3b2d1b60e3e
SHA256 sum: bf31a9b6bdf3e364669c7bd9858f97e4a0c408a8d22940c5d4ab638b65460f85
------------------------------------------------------------------------------

If someone disagrees and wants the base64-wrapped thing back, I would propose to add a command-line option to 'announce-gen' for this purpose.

[1] https://lists.gnu.org/archive/html/bug-gnulib/2023-02/msg00172.html

2024-12-01 Bruno Haible <br...@clisp.org>

announce-gen: Show an SHA256 sum that can be verified more easily.
* build-aux/announce-gen (print_checksums): Output SHA256 sum in hex, instead of base64 wrapped.

diff --git a/build-aux/announce-gen b/build-aux/announce-gen index be17541c89..0ec065a437 100755 --- a/build-aux/announce-gen +++ b/build-aux/announce-gen @@ -168,6 +168,9 @@ Print the SHA1 and SHA256 signature section for each C<@file>. # This digest function omits the "=" padding that is required by cksum, # so add the 0..2 bytes of padding required for each of Digest's algorithms. +# To verify such a digest, users need +# - a particular command ('cksum -a sha256 --check') +# - and particular tools (coreutils >= 9.2 or OpenBSD's cksum since 2007). sub digest_file_base64_wrap ($$) { my ($file, $alg) = @_; @@ -188,11 +191,11 @@ sub print_checksums (@) foreach my $f (@file) { - print ' ', digest_file_hex ($f, "SHA-1"), " $f\n"; - print ' ', digest_file_base64_wrap ($f, "SHA-256"), " $f\n"; + print " File: $f\n"; + print ' SHA1 sum: ', digest_file_hex ($f, "SHA-1"), "\n"; + print ' SHA256 sum: ', digest_file_hex ($f, "SHA-256"), "\n"; + print "\n"; } - print "\nVerify the base64 SHA256 checksum with cksum -a sha256 --check\n"; - print "from coreutils-9.2 or OpenBSD's cksum since 2007.\n\n"; } =item C<print_news_deltas ($news_file, $prev_version, $curr_version)
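
Review bot: the comment added above digest_file_base64_wrap (first hunk, @@ -168,6 +168,9) documents a function that the second hunk stops calling from print_checksums. If nothing else in announce-gen calls it, remove the function rather than annotating it; if it is kept for the command-line option the cover mail proposes, say so in the comment so the next reader does not take it for dead code.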
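
Review bot: in print_checksums (second hunk, @@ -188,11 +191,11) the digest and the file name are printed on separate lines, so the announcement text cannot be fed to 'sha256sum -c' or 'sha1sum -c', which expect the digest and the file name on one line; readers have to run the tool themselves and compare 64 hex digits by eye. The hunk also removes the only verification hint without a replacement. Since the one-line form is what exceeded 80 columns, consider printing a short pointer after the loop instead, for example that the SHA256 value is what 'sha256sum FILE' prints.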