From f42f54517dd53376a5d677204482bf4ce48531d1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 26 Aug 2014 08:02:28 -0700 Subject: [PATCH] Document that we should also offer sha256 checksums for packages --- docs/internals/howto-release-django.txt | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/docs/internals/howto-release-django.txt b/docs/internals/howto-release-django.txt index 97f3ae08230..7c311ffde77 100644 --- a/docs/internals/howto-release-django.txt +++ b/docs/internals/howto-release-django.txt @@ -194,13 +194,14 @@ OK, this is the fun part, where we actually push out a release! $ md5sum dist/Django-* $ sha1sum dist/Django-* + $ openssl dgst -sha256 dist/Django-* #. Create a "checksums" file containing the hashes and release information. Start with this template and insert the correct version, date, release URL and checksums:: - This file contains MD5 and SHA1 checksums for the source-code tarball - of Django <>, released <>. + This file contains MD5, SHA1, and SHA256 checksums for the source-code + tarball of Django <>, released <>. To use this file, you will need a working install of PGP or other compatible public-key encryption software. You will also need to have @@ -215,7 +216,7 @@ OK, this is the fun part, where we actually push out a release! gpg --verify <> - Once you have verified this file, you can use normal MD5 and SHA1 + Once you have verified this file, you can use normal MD5, SHA1, or SHA256 checksumming applications to generate the checksums of the Django package and compare them to the checksums listed below. @@ -236,6 +237,11 @@ OK, this is the fun part, where we actually push out a release! SHA1(<>)= <> + SHA256 checksum: + ================ + + SHA256(<>)= <> + #. Sign the checksum file (``gpg --clearsign Django-.checksum.txt``). This generates a signed document, ``Django-.checksum.txt.asc`` which you can then verify using ``gpg
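Review bot: In the first hunk (@@ -194,13 +194,14 @@), the added `$ openssl dgst -sha256 dist/Django-*` uses a different tool from the `md5sum` and `sha1sum` lines just above it, so the three commands print in two different layouts. The template later in the file uses `SHA256(<>)= <>`, which is the layout `openssl dgst` prints, while `md5sum` and `sha1sum` print the digest followed by the file name. Suggest either `sha256sum dist/Django-*` to match the neighbouring commands, or switching all three to `openssl dgst` so the output can be pasted into the template unchanged.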
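Review bot: In the hunk at @@ -215,7 +216,7 @@, the new wording "you can use normal MD5, SHA1, or SHA256 checksumming applications" presents the three digests as interchangeable, so a reader who checks only the MD5 value has followed the instructions. Since this patch adds SHA256 alongside the older digests, suggest that the template tell readers to prefer the SHA256 value and treat MD5 and SHA1 as fallbacks for tools that cannot compute it.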