GNU bug report logs -
#55666
enhancement request - SHA-256 for emacs downloads
Previous Next
Reported by: Ali Elshishini <shishini <at> outlook.com>
Date: Thu, 26 May 2022 20:27:02 UTC
Severity: wishlist
Tags: wontfix
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 55666 in the body.
You can then email your comments to 55666 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Thu, 26 May 2022 20:27:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Ali Elshishini <shishini <at> outlook.com>:
New bug report received and forwarded. Copy sent to
bug-gnu-emacs <at> gnu.org.
(Thu, 26 May 2022 20:27:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi
May you please include a list of SHA-256 hashes for the downloads in
https://www.gnu.org/software/emacs/download.html
This will provide an easy and secure way to verify downloads
Please note that the experience to verify the signature on windows is very poor
and it for me at least ended up with the file nor being verified because of missing public key
A SHA-256 hash will be a simple solution
Thanks
Ali
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Fri, 27 May 2022 11:00:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 55666 <at> debbugs.gnu.org (full text, mbox):
Ali Elshishini <shishini <at> outlook.com> writes:
> May you please include a list of SHA-256 hashes for the downloads in
> https://www.gnu.org/software/emacs/download.html
>
> This will provide an easy and secure way to verify downloads
> Please note that the experience to verify the signature on windows is very poor
> and it for me at least ended up with the file nor being verified because of missing
> public key
>
> A SHA-256 hash will be a simple solution
That would require people to edit that web page every time they generate
a package, which would be error prone and require too much work of the
people who build the packages.
The packages are signed, which I think should be more than sufficient,
so I'm closing this bug report.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
Added tag(s) wontfix.
Request was from
Lars Ingebrigtsen <larsi <at> gnus.org>
to
control <at> debbugs.gnu.org.
(Fri, 27 May 2022 11:00:02 GMT)
Full text and
rfc822 format available.
bug closed, send any further explanations to
55666 <at> debbugs.gnu.org and Ali Elshishini <shishini <at> outlook.com>
Request was from
Lars Ingebrigtsen <larsi <at> gnus.org>
to
control <at> debbugs.gnu.org.
(Fri, 27 May 2022 11:00:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Fri, 27 May 2022 12:29:01 GMT)
Full text and
rfc822 format available.
Message #15 received at 55666 <at> debbugs.gnu.org (full text, mbox):
> Cc: 55666 <at> debbugs.gnu.org
> From: Lars Ingebrigtsen <larsi <at> gnus.org>
> Date: Fri, 27 May 2022 12:59:25 +0200
>
> Ali Elshishini <shishini <at> outlook.com> writes:
>
> > May you please include a list of SHA-256 hashes for the downloads in
> > https://www.gnu.org/software/emacs/download.html
> >
> > This will provide an easy and secure way to verify downloads
> > Please note that the experience to verify the signature on windows is very poor
> > and it for me at least ended up with the file nor being verified because of missing
> > public key
> >
> > A SHA-256 hash will be a simple solution
>
> That would require people to edit that web page every time they generate
> a package, which would be error prone and require too much work of the
> people who build the packages.
>
> The packages are signed, which I think should be more than sufficient,
> so I'm closing this bug report.
In addition, one can find the SHA values in the announcements made on
info-gnu-emacs. Here's the one about Emacs 28.1:
https://lists.gnu.org/archive/html/info-gnu-emacs/2022-04/msg00000.html
You can similarly search for announcements of the older releases.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Fri, 27 May 2022 14:43:01 GMT)
Full text and
rfc822 format available.
Message #18 received at 55666 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
A checksum file (a file containing all checksums) can be included in the ftp folders
(each folder can have one checksums file for the files it contains)
This way the web page won't have to be updated with every release
Otherwise if you absolutely can't, please add clear instructions on how to verify the downloads using the signatures, I personally tried my best and still failed
Thanks
Ali
Get Outlook for Android<https://aka.ms/AAb9ysg>
________________________________
From: Lars Ingebrigtsen <larsi <at> gnus.org>
Sent: Friday, May 27, 2022 6:59:25 AM
To: Ali Elshishini <shishini <at> outlook.com>
Cc: 55666 <at> debbugs.gnu.org <55666 <at> debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads
Ali Elshishini <shishini <at> outlook.com> writes:
> May you please include a list of SHA-256 hashes for the downloads in
> https://www.gnu.org/software/emacs/download.html
>
> This will provide an easy and secure way to verify downloads
> Please note that the experience to verify the signature on windows is very poor
> and it for me at least ended up with the file nor being verified because of missing
> public key
>
> A SHA-256 hash will be a simple solution
That would require people to edit that web page every time they generate
a package, which would be error prone and require too much work of the
people who build the packages.
The packages are signed, which I think should be more than sufficient,
so I'm closing this bug report.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Sat, 28 May 2022 00:44:01 GMT)
Full text and
rfc822 format available.
Message #21 received at 55666 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi Eli
Thanks for pointing out the announcement email
Unfortunately it doesn't include the SHA hashes for the windows files
Also verify the signature on windows I am not sure if this is the expected output
for me look like it failed
From command line
PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --keyserver keyserver.ubuntu.com --recv-keys 17E90D521672C04631B1183EE78DAE0F3115E06B
gpg: key E78DAE0F3115E06B: "Eli Zaretskii <eliz <at> gnu.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --verify .\emacs-28.1.zip.sig
gpg: assuming signed data in '.\emacs-28.1.zip'
gpg: Signature made 2022-04-21 4:11:30 PM Eastern Daylight Time
gpg: using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007
gpg: Can't check signature: No public key
PS C:\downloads>
From UI
[cid:ffde0eec-a938-43f4-acc5-c100d4e99514]
I think adding the SHA hashes somewhere remains a valuable addition
using and verifying signature on windows is more complicated than it needs to be
Regards
Ali
________________________________
From: Eli Zaretskii <eliz <at> gnu.org>
Sent: May 27, 2022 8:28 AM
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: shishini <at> outlook.com <shishini <at> outlook.com>; 55666 <at> debbugs.gnu.org <55666 <at> debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads
> Cc: 55666 <at> debbugs.gnu.org
> From: Lars Ingebrigtsen <larsi <at> gnus.org>
> Date: Fri, 27 May 2022 12:59:25 +0200
>
> Ali Elshishini <shishini <at> outlook.com> writes:
>
> > May you please include a list of SHA-256 hashes for the downloads in
> > https://www.gnu.org/software/emacs/download.html
> >
> > This will provide an easy and secure way to verify downloads
> > Please note that the experience to verify the signature on windows is very poor
> > and it for me at least ended up with the file nor being verified because of missing
> > public key
> >
> > A SHA-256 hash will be a simple solution
>
> That would require people to edit that web page every time they generate
> a package, which would be error prone and require too much work of the
> people who build the packages.
>
> The packages are signed, which I think should be more than sufficient,
> so I'm closing this bug report.
In addition, one can find the SHA values in the announcements made on
info-gnu-emacs. Here's the one about Emacs 28.1:
https://lists.gnu.org/archive/html/info-gnu-emacs/2022-04/msg00000.html
You can similarly search for announcements of the older releases.
[Message part 2 (text/html, inline)]
[image.png (image/png, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Sat, 28 May 2022 06:16:01 GMT)
Full text and
rfc822 format available.
Message #24 received at 55666 <at> debbugs.gnu.org (full text, mbox):
> From: Ali Elshishini <shishini <at> outlook.com>
> CC: "55666 <at> debbugs.gnu.org" <55666 <at> debbugs.gnu.org>
> Date: Sat, 28 May 2022 00:43:28 +0000
>
> Thanks for pointing out the announcement email
> Unfortunately it doesn't include the SHA hashes for the windows files
You never said in your original message that this is about the Windows
binaries.
The Windows precompiled binaries are produced by volunteers who are
only loosely associated with the Emacs project. The project releases
Emacs as source tarballs, and the SHA checksums for that are in the
announcement. I've CC'ed Corwin, who produced the latest binaries of
Emacs 28.1.
For the Windows binaries, providing the SHA checksums is entirely up
to the person(s) who makes the binaries available.
> Also verify the signature on windows I am not sure if this is the expected output
> for me look like it failed
>
> >From command line
>
> PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --keyserver keyserver.ubuntu.com --recv-keys
> 17E90D521672C04631B1183EE78DAE0F3115E06B
> gpg: key E78DAE0F3115E06B: "Eli Zaretskii <eliz <at> gnu.org>" not changed
> gpg: Total number processed: 1
> gpg: unchanged: 1
> PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --verify .\emacs-28.1.zip.sig
> gpg: assuming signed data in '.\emacs-28.1.zip'
> gpg: Signature made 2022-04-21 4:11:30 PM Eastern Daylight Time
> gpg: using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007
> gpg: Can't check signature: No public key
> PS C:\downloads>
You are using the wrong GPG key: my key was used to sign the source
tarballs, not the Windows binary zip files. The Windows binaries were
signed by Corwin Brust's key as the Download page says. You need to
fetch that key, not mine.
> I think adding the SHA hashes somewhere remains a valuable addition
> using and verifying signature on windows is more complicated than it needs to be
That may be so, but this activity is based on volunteers doing this on
their free time. We can only ask them to do what their time and
resources allow.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Sat, 28 May 2022 17:15:01 GMT)
Full text and
rfc822 format available.
Message #27 received at 55666 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi Corwin,
Can you please consider including a SHA-256 hash for the windows binaries
Also can you please share your version of this command
gpg --keyserver keyserver.ubuntu.com --recv-keys 17E90D521672C04631B1183EE78DAE0F3115E06B
So we may be able to verify the signature
Or add any other instruction on how to verify the signature on Windows
And thanks ELI for all the info you provided
Thanks
Ali
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Sat, 28 May 2022 19:07:01 GMT)
Full text and
rfc822 format available.
Message #30 received at 55666 <at> debbugs.gnu.org (full text, mbox):
> From: Ali Elshishini <shishini <at> outlook.com>
> CC: "larsi <at> gnus.org" <larsi <at> gnus.org>, "55666 <at> debbugs.gnu.org"
> <55666 <at> debbugs.gnu.org>
> Date: Sat, 28 May 2022 17:14:26 +0000
>
> Also can you please share your version of this command
>
> gpg --keyserver keyserver.ubuntu.com --recv-keys 17E90D521672C04631B1183EE78DAE0F3115E06B
That's easy: you need to use the correct key signature. The signature
is shown on the download page:
ECE7 7CF4 17C7 6C1A CFCE 7C2B 5B61 3551 1580 F007
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Sat, 28 May 2022 19:18:01 GMT)
Full text and
rfc822 format available.
Message #33 received at 55666 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Thanks All
But again, verifying the signature on windows doesn't seem to instill confidence at all
Corvwin doesnt have a certified key
I am not a certificate expert, so I dont know how all of this works
So, I still hope Corwin or the Windows Binaries volunteers will still be able to provide
SHA-256 hashes
PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --keyserver keyserver.ubuntu.com --recv-keys ECE77CF417C76C1ACFCE7C2B5B6135511580F007
gpg: key 5B6135511580F007: public key "Corwin Brust <corwin <at> bru.st>" imported
gpg: Total number processed: 1
gpg: imported: 1
PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --verify .\emacs-28.1.zip.sig
gpg: assuming signed data in '.\emacs-28.1.zip'
gpg: Signature made 2022-04-21 4:11:30 PM Eastern Daylight Time
gpg: using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007
gpg: Good signature from "Corwin Brust <corwin <at> bru.st>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: ECE7 7CF4 17C7 6C1A CFCE 7C2B 5B61 3551 1580 F007
Regards
Ali
________________________________
From: Eli Zaretskii <eliz <at> gnu.org>
Sent: May 28, 2022 3:06 PM
To: Ali Elshishini <shishini <at> outlook.com>
Cc: corwin <at> bru.st <corwin <at> bru.st>; larsi <at> gnus.org <larsi <at> gnus.org>; 55666 <at> debbugs.gnu.org <55666 <at> debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads
> From: Ali Elshishini <shishini <at> outlook.com>
> CC: "larsi <at> gnus.org" <larsi <at> gnus.org>, "55666 <at> debbugs.gnu.org"
> <55666 <at> debbugs.gnu.org>
> Date: Sat, 28 May 2022 17:14:26 +0000
>
> Also can you please share your version of this command
>
> gpg --keyserver keyserver.ubuntu.com --recv-keys 17E90D521672C04631B1183EE78DAE0F3115E06B
That's easy: you need to use the correct key signature. The signature
is shown on the download page:
ECE7 7CF4 17C7 6C1A CFCE 7C2B 5B61 3551 1580 F007
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Sat, 28 May 2022 19:28:02 GMT)
Full text and
rfc822 format available.
Message #36 received at 55666 <at> debbugs.gnu.org (full text, mbox):
> From: Ali Elshishini <shishini <at> outlook.com>
> CC: "corwin <at> bru.st" <corwin <at> bru.st>, "larsi <at> gnus.org" <larsi <at> gnus.org>,
> "55666 <at> debbugs.gnu.org" <55666 <at> debbugs.gnu.org>
> Date: Sat, 28 May 2022 19:17:49 +0000
>
> But again, verifying the signature on windows doesn't seem to instill confidence at all
> Corvwin doesnt have a certified key
> I am not a certificate expert, so I dont know how all of this works
>
> So, I still hope Corwin or the Windows Binaries volunteers will still be able to provide
> SHA-256 hashes
Hey, I just answered a question you asked, that's all. I assumed that
if you are asking it, it is important for you to know the answer.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Sat, 28 May 2022 20:32:01 GMT)
Full text and
rfc822 format available.
Message #39 received at 55666 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
I apologize if it sounded like I am coming out too strong in any way
I really appreciate you taking the time to reply
And I completely understand that neither you or Corwin, have any obligation to fix this issue or enhance the situation
Thanks
Ali
________________________________
From: Eli Zaretskii <eliz <at> gnu.org>
Sent: May 28, 2022 3:27 PM
To: Ali Elshishini <shishini <at> outlook.com>
Cc: corwin <at> bru.st <corwin <at> bru.st>; larsi <at> gnus.org <larsi <at> gnus.org>; 55666 <at> debbugs.gnu.org <55666 <at> debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads
Hey, I just answered a question you asked, that's all. I assumed that
if you are asking it, it is important for you to know the answer.
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Sat, 28 May 2022 22:10:01 GMT)
Full text and
rfc822 format available.
Message #42 received at 55666 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hastily top posting to say ACK and that I'll reply in again when I am at my
computer and will share sha1 sums from my local copies then.
On Sat, May 28, 2022, 15:31 Ali Elshishini <shishini <at> outlook.com> wrote:
> I apologize if it sounded like I am coming out too strong in any way
> I really appreciate you taking the time to reply
>
> And I completely understand that neither you or Corwin, have any
> obligation to fix this issue or enhance the situation
>
> Thanks
> Ali
> ------------------------------
> *From:* Eli Zaretskii <eliz <at> gnu.org>
> *Sent:* May 28, 2022 3:27 PM
> *To:* Ali Elshishini <shishini <at> outlook.com>
> *Cc:* corwin <at> bru.st <corwin <at> bru.st>; larsi <at> gnus.org <larsi <at> gnus.org>;
> 55666 <at> debbugs.gnu.org <55666 <at> debbugs.gnu.org>
> *Subject:* Re: bug#55666: enhancement request - SHA-256 for emacs
> downloads
>
>
>
> Hey, I just answered a question you asked, that's all. I assumed that
> if you are asking it, it is important for you to know the answer.
>
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Sun, 29 May 2022 07:43:01 GMT)
Full text and
rfc822 format available.
Message #45 received at 55666 <at> debbugs.gnu.org (full text, mbox):
On Fri, May 27, 2022 at 6:46 AM Ali Elshishini <shishini <at> outlook.com> wrote:
>
> A checksum file (a file containing all checksums) can be included in the ftp folders
> (each folder can have one checksums file for the files it contains)
I think this is a great idea. If nobody objects, I'll start including
something along these lines with my next upload of Windows binaries
(or maybe sooner, backfilling something for 28.1).
For the moment, you can get SHA1 sums for all (or at least, nearly
all) the binaries I've created from here:
https://corwin.bru.st/emacs-28/README
(The parent folder --which has indexing enabled-- is where I've been
staging my files before uploading to the GNU FTP servers and often
includes other builds that I don't plan to upload.)
If these don't work LMK and I'll regenerate the README file. I do
have a script for that but it will take a little fooling around to
make it worthly of including on the GNU FTP site (presuming others
agree with me your idea of adding files with SHA1 information to the
FTP folders is a good one).
Thanks for the suggestion.
BTW, you can also get my public key from Savannah by clicking "Download GPG
Key" from my profile page, here:
https://savannah.gnu.org/users/carlc
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Sun, 29 May 2022 17:09:02 GMT)
Full text and
rfc822 format available.
Message #48 received at 55666 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
First sorry for top posting, I am using hotmail/outlook, and dont know how to setup bottom posting
Also honestly, I never really knew about this convention of bottom posting
Second, that a lot Corwin, adding the SHA hashes will be great
Finally, just my 2 cent, SHA1 is to my knowledge is considered obsolete and broken https://en.wikipedia.org/wiki/SHA-1
So I think SHA-256 should be enough, and if you want to can consider SHA-512
Most project I see use SHA-256, and only very few offer or use SHA-512
Thanks
Ali
________________________________
From: Corwin Brust <corwin <at> bru.st>
Sent: May 29, 2022 3:42 AM
To: Ali Elshishini <shishini <at> outlook.com>
Cc: Lars Ingebrigtsen <larsi <at> gnus.org>; 55666 <at> debbugs.gnu.org <55666 <at> debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads
On Fri, May 27, 2022 at 6:46 AM Ali Elshishini <shishini <at> outlook.com> wrote:
>
> A checksum file (a file containing all checksums) can be included in the ftp folders
> (each folder can have one checksums file for the files it contains)
I think this is a great idea. If nobody objects, I'll start including
something along these lines with my next upload of Windows binaries
(or maybe sooner, backfilling something for 28.1).
For the moment, you can get SHA1 sums for all (or at least, nearly
all) the binaries I've created from here:
https://corwin.bru.st/emacs-28/README
(The parent folder --which has indexing enabled-- is where I've been
staging my files before uploading to the GNU FTP servers and often
includes other builds that I don't plan to upload.)
If these don't work LMK and I'll regenerate the README file. I do
have a script for that but it will take a little fooling around to
make it worthly of including on the GNU FTP site (presuming others
agree with me your idea of adding files with SHA1 information to the
FTP folders is a good one).
Thanks for the suggestion.
BTW, you can also get my public key from Savannah by clicking "Download GPG
Key" from my profile page, here:
https://savannah.gnu.org/users/carlc
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Sun, 29 May 2022 18:54:02 GMT)
Full text and
rfc822 format available.
Message #51 received at 55666 <at> debbugs.gnu.org (full text, mbox):
On Sun, May 29, 2022 at 12:08 PM Ali Elshishini <shishini <at> outlook.com> wrote:
>
> First sorry for top posting, I am using hotmail/outlook, and dont know how to setup bottom posting
> Also honestly, I never really knew about this convention of bottom posting
It's not a problem for me; more of a "netiquette" WRT to mailing
lists, in general.
> Second, that a lot Corwin, adding the SHA hashes will be great
Let see if others voice opinions; if not I'm happy to start doing that.
> Finally, just my 2 cent, SHA1 is to my knowledge is considered obsolete and broken https://en.wikipedia.org/wiki/SHA-1
> So I think SHA-256 should be enough, and if you want to can consider SHA-512
I'm not convinced of any practical benefit to SHA256 (or 512) WRT
verification of data integrity (although I do understand SHA1 isn't
recommended for encryption/cryptographic use-cases.
That said, here are SHA256 sums for the present binaries for Emacs 28.1:
c31fc9e1b48eeb3a50dcc161e4749b304d25e23bf33c287b50bfe9e3f4742577
*emacs-28.1-installer.exe
da25ef9e067d630995c43faf460f991c4d5b2020a0fc02c7a7955069bf977508
*emacs-28.1-no-deps.zip
9006f875255056af0bb318298537f66353806b64eee0c3a593c5862328e685fc *emacs-28.1.zip
9c8c6066a4a1a4f68b44a0158af255ebe8671a5bcd6fb5e9db7fea26b6a3d4eb
*emacs-28.1-DEBUG-installer.exe
659b8281c301ea1c2e03b6bf935f1e488ed4f4d787cb4e7c23fce494193b6525
*emacs-28.1-DEBUG-no-deps.zip
3962e056ef58b32ad9b175a7e2ea3ed6e18c397f4825bb9756bef6e5606b930e
*emacs-28.1-DEBUG.zip
8f963ced4d88c4ed802676f59f2417b660cf8c494bd9bf9fe19bb4ca1be2a940
*emacs-28-deps-mingw-w64-src.zip
ba7e56f76a1d550add33dc4d28bb8e1dcd6d5882cb2be03b30441491873c01d5
*emacs-28-deps.zip
Please do let me know if signatures appear to be a mismatch with what
you have downloaded.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#55666; Package
emacs.
(Sun, 29 May 2022 19:48:02 GMT)
Full text and
rfc822 format available.
Message #54 received at 55666 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
the hash dont match
PS C:\downloads> Get-FileHash -Algorithm SHA256 .\emacs-28.1.zip | select -ExpandProperty hash | % tolower
0ef568df955fec4721634336585968fe593f3b008fce936a464fb524e5a3f009
Your hash is
9006f875255056af0bb318298537f66353806b64eee0c3a593c5862328e685fc *emacs-28.1.zip
I redownloaded the file from https://ftp.gnu.org/gnu/emacs/windows/emacs-28/
just to be sure
Thanks
Ali
________________________________
From: Corwin Brust <corwin <at> bru.st>
Sent: May 29, 2022 2:53 PM
To: Ali Elshishini <shishini <at> outlook.com>
Cc: Lars Ingebrigtsen <larsi <at> gnus.org>; 55666 <at> debbugs.gnu.org <55666 <at> debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads
On Sun, May 29, 2022 at 12:08 PM Ali Elshishini <shishini <at> outlook.com> wrote:
>
> First sorry for top posting, I am using hotmail/outlook, and dont know how to setup bottom posting
> Also honestly, I never really knew about this convention of bottom posting
It's not a problem for me; more of a "netiquette" WRT to mailing
lists, in general.
> Second, that a lot Corwin, adding the SHA hashes will be great
Let see if others voice opinions; if not I'm happy to start doing that.
> Finally, just my 2 cent, SHA1 is to my knowledge is considered obsolete and broken https://en.wikipedia.org/wiki/SHA-1
> So I think SHA-256 should be enough, and if you want to can consider SHA-512
I'm not convinced of any practical benefit to SHA256 (or 512) WRT
verification of data integrity (although I do understand SHA1 isn't
recommended for encryption/cryptographic use-cases.
That said, here are SHA256 sums for the present binaries for Emacs 28.1:
c31fc9e1b48eeb3a50dcc161e4749b304d25e23bf33c287b50bfe9e3f4742577
*emacs-28.1-installer.exe
da25ef9e067d630995c43faf460f991c4d5b2020a0fc02c7a7955069bf977508
*emacs-28.1-no-deps.zip
9006f875255056af0bb318298537f66353806b64eee0c3a593c5862328e685fc *emacs-28.1.zip
9c8c6066a4a1a4f68b44a0158af255ebe8671a5bcd6fb5e9db7fea26b6a3d4eb
*emacs-28.1-DEBUG-installer.exe
659b8281c301ea1c2e03b6bf935f1e488ed4f4d787cb4e7c23fce494193b6525
*emacs-28.1-DEBUG-no-deps.zip
3962e056ef58b32ad9b175a7e2ea3ed6e18c397f4825bb9756bef6e5606b930e
*emacs-28.1-DEBUG.zip
8f963ced4d88c4ed802676f59f2417b660cf8c494bd9bf9fe19bb4ca1be2a940
*emacs-28-deps-mingw-w64-src.zip
ba7e56f76a1d550add33dc4d28bb8e1dcd6d5882cb2be03b30441491873c01d5
*emacs-28-deps.zip
Please do let me know if signatures appear to be a mismatch with what
you have downloaded.
[Message part 2 (text/html, inline)]
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Mon, 27 Jun 2022 11:24:09 GMT)
Full text and
rfc822 format available.
This bug report was last modified 2 years and 359 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.