To verify that I’ve downloaded a Hadoop release correctly, I can just do
this:

$ shasum --check hadoop-2.7.5.tar.gz.sha256
hadoop-2.7.5.tar.gz: OK

However, since we generate Spark release hashes with GPG
<https://github.com/apache/spark/blob/c2632edebd978716dbfa7874a2fc0a8f5a4a9951/dev/create-release/release-build.sh#L167-L168>,
the resulting hash is in a format that doesn’t play well with any tools:

$ shasum --check spark-2.3.0-bin-hadoop2.7.tgz.sha512
shasum: spark-2.3.0-bin-hadoop2.7.tgz.sha512: no properly formatted SHA1 checksum lines found

GPG doesn’t seem to offer a way to verify a file from a hash.

I know I can always manipulate the SHA512 hash into a different format or
just manually inspect it, but as a “quality of life” improvement can we
change how we generate the SHA512 hash so that it plays nicely with shasum?
If it’s too disruptive to change the format of the SHA512 hash, can we add
a SHA256 hash to our releases in this format?

I suppose if it’s not easy to update or add hashes to our existing
releases, it may be too difficult to change anything here. But I’m not
sure, so I thought I’d ask.

Nick
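
One way to do the reformatting the message above mentions, as an added example that is not part of the original post or of Spark's release tooling. It assumes the `.sha512` file has the wrapped `name: HEX HEX ...` layout that `gpg --print-md SHA512` prints; the function names are hypothetical.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from Spark's tooling.

# Print "<lowercase hex>  <name>" from a digest file in the assumed
# "name: HEX HEX ..." layout, where the hex groups may wrap over lines.
gpg_digest_to_checkline() {
    awk '
    NR == 1 {
        # The separator is the colon followed only by hex groups and blanks.
        if (!match($0, /:[ \t\r0-9A-Fa-f]*$/)) { bad = 1; exit }
        name = substr($0, 1, RSTART - 1)
        $0 = substr($0, RSTART + 1)
    }
    { gsub(/[ \t\r]/, ""); hex = hex $0 }
    END {
        # SHA-512 is 128 hex digits. Names with "/" are refused so the
        # digest file cannot point the check at a path outside this directory.
        if (bad || name == "" || name ~ /\// ||
            length(hex) != 128 || hex ~ /[^0-9A-Fa-f]/) {
            print "malformed SHA-512 digest file" > "/dev/stderr"
            exit 1
        }
        print tolower(hex) "  " name
    }' "$1"
}

# Verify the artifact named in the digest file, in the current directory.
verify_gpg_digest() {
    _line=$(gpg_digest_to_checkline "$1") || return 2
    if command -v sha512sum >/dev/null 2>&1; then
        printf '%s\n' "$_line" | sha512sum --check
    else
        printf '%s\n' "$_line" | shasum -a 512 --check
    fi
}
```

Source the file and run `verify_gpg_digest spark-2.3.0-bin-hadoop2.7.tgz.sha512` from the directory that holds the download.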