Document that we should also offer sha256 checksums for packages

This commit is contained in:
Alex Gaynor 2014-08-26 08:02:28 -07:00
parent 4c85a0d95f
commit f42f54517d
1 changed files with 9 additions and 3 deletions

View File

@ -194,13 +194,14 @@ OK, this is the fun part, where we actually push out a release!
$ md5sum dist/Django-* $ md5sum dist/Django-*
$ sha1sum dist/Django-* $ sha1sum dist/Django-*
$ openssl dgst -sha256 dist/Django-*
#. Create a "checksums" file containing the hashes and release information. #. Create a "checksums" file containing the hashes and release information.
Start with this template and insert the correct version, date, release URL Start with this template and insert the correct version, date, release URL
and checksums:: and checksums::
This file contains MD5 and SHA1 checksums for the source-code tarball This file contains MD5, SHA1, and SHA256 checksums for the source-code
of Django <<VERSION>>, released <<DATE>>. tarball of Django <<VERSION>>, released <<DATE>>.
To use this file, you will need a working install of PGP or other To use this file, you will need a working install of PGP or other
compatible public-key encryption software. You will also need to have compatible public-key encryption software. You will also need to have
@ -215,7 +216,7 @@ OK, this is the fun part, where we actually push out a release!
gpg --verify <<THIS FILENAME>> gpg --verify <<THIS FILENAME>>
Once you have verified this file, you can use normal MD5 and SHA1 Once you have verified this file, you can use normal MD5, SHA1, or SHA256
checksumming applications to generate the checksums of the Django checksumming applications to generate the checksums of the Django
package and compare them to the checksums listed below. package and compare them to the checksums listed below.
@ -236,6 +237,11 @@ OK, this is the fun part, where we actually push out a release!
SHA1(<<RELEASE TAR.GZ FILENAME>>)= <<SHA1SUM>> SHA1(<<RELEASE TAR.GZ FILENAME>>)= <<SHA1SUM>>
SHA256 checksum:
================
SHA256(<<RELEASE TAR.GZ FILENAME>>)= <<SHA256SUM>>
#. Sign the checksum file (``gpg --clearsign #. Sign the checksum file (``gpg --clearsign
Django-<version>.checksum.txt``). This generates a signed document, Django-<version>.checksum.txt``). This generates a signed document,
``Django-<version>.checksum.txt.asc`` which you can then verify using ``gpg ``Django-<version>.checksum.txt.asc`` which you can then verify using ``gpg