On Thu, Mar 02 2017, David Bremner <david@tethera.net> wrote: > SHA1 is weak/broken. > --- I'd just have 'build: use sha256sum instead of sha1sum to sign releases' as a commit message. Anyway, LGTM. Tomi PS: this is sha-2 256 -- that makes me wonder what will be the file suffix for sha-3 256 (or for any other bits...) > Makefile.global | 4 ++-- > Makefile.local | 9 ++++----- > 2 files changed, 6 insertions(+), 7 deletions(-) > > diff --git a/Makefile.global b/Makefile.global > index d8f335af..7a78e9b5 100644 > --- a/Makefile.global > +++ b/Makefile.global > @@ -43,8 +43,8 @@ RELEASE_URL=https://notmuchmail.org/releases > TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz > ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar > DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz > -SHA1_FILE=$(TAR_FILE).sha1 > -GPG_FILE=$(SHA1_FILE).asc > +SHA256_FILE=$(TAR_FILE).sha256 > +GPG_FILE=$(SHA256_FILE).asc > > PV_FILE=bindings/python/notmuch/version.py > > diff --git a/Makefile.local b/Makefile.local > index 3548ed96..d2ef3e08 100644 > --- a/Makefile.local > +++ b/Makefile.local > @@ -36,12 +36,11 @@ $(TAR_FILE): > gzip < $(TAR_FILE).tmp > $(TAR_FILE) > @echo "Source is ready for release in $(TAR_FILE)" > > -$(SHA1_FILE): $(TAR_FILE) > - sha1sum $^ > $@ > +$(SHA256_FILE): $(TAR_FILE) > + sha256sum $^ > $@ > > -$(GPG_FILE): $(SHA1_FILE) > - @echo "Please enter your GPG password to sign the checksum." > - gpg --armor --sign $^ > +$(GPG_FILE): $(SHA256_FILE) > + gpg --armor --sign $^ > > .PHONY: dist > dist: $(TAR_FILE) > -- > 2.11.0 > > _______________________________________________ > notmuch mailing list > notmuch@notmuchmail.org > https://notmuchmail.org/mailman/listinfo/notmuch
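Review bot: In the Makefile.global hunk, renaming SHA1_FILE to SHA256_FILE changes the generated file names to $(TAR_FILE).sha256 and $(TAR_FILE).sha256.asc, and the commit message ("SHA1 is weak/broken.") does not say so. Anyone who scripts verification against the old .sha1 and .sha1.asc names will need to know, so I would state the new names in the commit message. It is also worth checking that no rule outside the two hunks shown here still refers to SHA1_FILE, because an undefined make variable expands to an empty string without any error.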
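Review bot: In the $(GPG_FILE) rule of the Makefile.local hunk, "gpg --armor --sign $^" leaves the digest used for the signature itself to the signer's gpg configuration, so the signature is not guaranteed to be as strong as the SHA-256 checksum it covers. If the point of the change is to stop relying on SHA1, consider pinning it, for example "gpg --armor --digest-algo SHA256 --sign $^". The same rule also drops the '@echo "Please enter your GPG password to sign the checksum."' line, which the commit message does not mention; that deserves a sentence there or a separate commit.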