Use sha256 for signing release files

Jay Berkenbilt
1 parent 4e8d21d8
Showing 2 changed files with 13 additions and 6 deletions
ChangeLog
README-maintainer
 2020-10-25  Jay Berkenbilt  <ejb@ql.org>
+	* When signing distribution files, generate sha256 checksums
+	instead of md5, sha1, and sha512. sha256 seems to be more widely
+	used, and there's no reason to use md5 or sha1 anymore.
+
 	* Official Windows releases are now built using the openssl crypto
 	provider. The native provider is still available for selection at
 	runtime using the QPDF_CRYPTO_PROVIDER environment variable.
@@ -112,6 +112,11 @@ RELEASE PREPARATION
   search for copyright. Don't forget copyright in manual. Also update
   debian copyright in debian package. Last updated: 2020.
+* Take a look at "External Libraries" in TODO to see if we need to
+  make any changes. There is still some automation work left to do, so
+  handling external-libs releases is still manual. See also
+  README-maintainer in external-libs.
+
 * Check for open fuzz crashes at https://oss-fuzz.com
 * Check lgtm: https://lgtm.com/projects/g/qpdf/qpdf/?mode=list
@@ -244,13 +249,11 @@ gpg --detach-sign --armor qpdf-$version.tar.gz
   Windows binaries, the AppImage, the source tarball, and the source
   tarball signature.
-\rm -f *.{md5,sha1,sha512}
+\rm -f *.sha256
 files=(*)
-for i in md5 sha1 sha512; do
-  ${i}sum ${files[*]} >| qpdf-$version.$i
-  gpg --clearsign --armor qpdf-$version.$i
-  mv qpdf-$version.$i.asc qpdf-$version.$i
-done
+sha256sum ${files[*]} >| qpdf-$version.sha256
+gpg --clearsign --armor qpdf-$version.sha256
+mv qpdf-$version.sha256.asc qpdf-$version.sha256
 chmod 444 *
 chmod 555 *.AppImage