From 03c9c04353ce1b5ace33fddd5bd99059e63ed507 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?=
Date: Wed, 26 Sep 2018 15:31:26 +0200
Subject: [PATCH] LUCENE-8493: Stop publishing insecure .sha1 files with releases

---
 dev-tools/scripts/prep-solr-ref-guide-rc.sh | 4 +---
 dev-tools/scripts/smokeTestRelease.py | 13 ++-----------
 lucene/CHANGES.txt | 2 ++
 lucene/common-build.xml | 1 -
 solr/solr-ref-guide/src/meta-docs/publish.adoc | 7 +++----
 5 files changed, 8 insertions(+), 19 deletions(-)

diff --git a/dev-tools/scripts/prep-solr-ref-guide-rc.sh b/dev-tools/scripts/prep-solr-ref-guide-rc.sh
index ff9985d7ced..a7bcc3bc7e6 100755
--- a/dev-tools/scripts/prep-solr-ref-guide-rc.sh
+++ b/dev-tools/scripts/prep-solr-ref-guide-rc.sh
@@ -20,7 +20,7 @@
 # Prepares an RC of the Solr Ref Guide by doing local file operations to:
 # - create a directory for the RC files
 # - move the PDF files into the RC directory with the appropriate name
-# - generate SHA1 and SHA512 of the PDF file
+# - generate SHA512 of the PDF file
 # - GPG sign the PDF files
 #
 # See: https://cwiki.apache.org/confluence/display/solr/Internal+-+How+To+Publish+This+Documentation
@@ -63,7 +63,6 @@ fi
 PREFIX="apache-solr-ref-guide"
 DIR="$PREFIX-$VER_RC"
 PDF="$PREFIX-$VER.pdf"
-SHA="$PDF.sha1"
 SHA512="$PDF.sha512"
 GPG="$PDF.asc"
 
@@ -85,7 +84,6 @@ set -x
 mkdir $DIR || exit 1
 mv $SRC_FILE $DIR/$PDF || exit 1
 cd $DIR || exit 1
-shasum $PDF > $SHA || exit 1
 shasum -a 512 $PDF > $SHA512 || exit 1
 gpg $GPG_ID_ARG --armor --output $GPG --detach-sig $PDF|| exit 1
 
diff --git a/dev-tools/scripts/smokeTestRelease.py b/dev-tools/scripts/smokeTestRelease.py
index 70bea24af20..82f3d27c004 100644
--- a/dev-tools/scripts/smokeTestRelease.py
+++ b/dev-tools/scripts/smokeTestRelease.py
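Review bot: In the `@@ -85,7 +84,6 @@` hunk the surviving checksum step, `shasum -a 512 $PDF > $SHA512 || exit 1`, and the `mkdir $DIR` / `mv $SRC_FILE $DIR/$PDF` lines above it expand every variable unquoted; `SRC_FILE` is assigned outside the hunk and is presumably the path handed to the script, so a path containing whitespace would be word-split and the wrong file (or no file) would end up hashed and signed. Quoting is a one-line fix per command: `mv "$SRC_FILE" "$DIR/$PDF" || exit 1` and `shasum -a 512 "$PDF" > "$SHA512" || exit 1`. Separately, `shasum` without `-b` writes the text-mode `<hash>  <name>` form, while the `verifyDigests` check elsewhere in this patch insists on the binary-mode `*<name>` marker; that checker does not appear to be pointed at the ref guide, so a comment such as `# text-mode shasum output: "<hash>  <file>"` above the line is enough unless the two are meant to interoperate.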
@@ -295,7 +295,7 @@ def checkSigs(project, urlString, version, tmpDir, isSigned, keysFile):
   expectedSigs = []
   if isSigned:
     expectedSigs.append('asc')
-  expectedSigs.extend(['sha1', 'sha512'])
+  expectedSigs.extend(['sha512'])
 
   artifacts = []
   for text, subURL in ents:
@@ -538,29 +538,20 @@ def run(command, logFile):
     raise RuntimeError('command "%s" failed; see log file %s' % (command, logPath))
 
 def verifyDigests(artifact, urlString, tmpDir):
-  print(' verify sha1/sha512 digests')
-  sha1Expected, t = load(urlString + '.sha1').strip().split()
-  if t != '*'+artifact:
-    raise RuntimeError('SHA1 %s.sha1 lists artifact %s but expected *%s' % (urlString, t, artifact))
-
+  print(' verify sha512 digest')
   sha512Expected, t = load(urlString + '.sha512').strip().split()
   if t != '*'+artifact:
     raise RuntimeError('SHA512 %s.sha512 lists artifact %s but expected *%s' % (urlString, t, artifact))
 
-  s = hashlib.sha1()
   s512 = hashlib.sha512()
   f = open('%s/%s' % (tmpDir, artifact), 'rb')
   while True:
     x = f.read(65536)
     if len(x) == 0:
       break
-    s.update(x)
     s512.update(x)
   f.close()
-  sha1Actual = s.hexdigest()
   sha512Actual = s512.hexdigest()
-  if sha1Actual != sha1Expected:
-    raise RuntimeError('SHA1 digest mismatch for %s: expected %s but got %s' % (artifact, sha1Expected, sha1Actual))
   if sha512Actual != sha512Expected:
     raise RuntimeError('SHA512 digest mismatch for %s: expected %s but got %s' % (artifact, sha512Expected, sha512Actual))
 
diff --git a/lucene/CHANGES.txt b/lucene/CHANGES.txt
index 60afb58e07e..3b10c16881c 100644
--- a/lucene/CHANGES.txt
+++ b/lucene/CHANGES.txt
@@ -182,6 +182,8 @@ Build
 
 * LUCENE-8504: Upgrade forbiddenapis to version 2.6. (Uwe Schindler)
 
+* LUCENE-8493: Stop publishing insecure .sha1 files with releases (janhoy)
+
 ======================= Lucene 7.5.1 =======================
 
 Bug Fixes:
diff --git a/lucene/common-build.xml b/lucene/common-build.xml
index 0d38822df48..1a6839bcb77 100644
--- a/lucene/common-build.xml
+++ b/lucene/common-build.xml
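Review bot: Now that `verifyDigests` computes a single digest, the hand-rolled `f = open(...)` / `while True` / `f.close()` sequence in the `@@ -538,29 +538,20 @@` hunk still leaks the file handle whenever `f.read` or `s512.update` raises, because nothing closes it on the exception path; a `with` block with `iter(lambda: f.read(65536), b'')` expresses the same loop without that gap. The function also deserves a docstring stating what the check proves: the `.sha512` file is loaded from the same `urlString` as the artifact, so a matching digest rules out corruption but not substitution, and authenticity rests on the `.asc` signature that `checkSigs` only expects when `isSigned` is true. The `t != '*'+artifact` test hard-requires binary-mode (`*name`) digest files and rejects text-mode (`hash  name`) output with the 'lists artifact' error, which reads as a deliberate format contract rather than a bug, so it should be documented rather than relaxed. The rewrite below keeps the messages and the early `RuntimeError`s unchanged.
```python
def verifyDigests(artifact, urlString, tmpDir):
  """Check that the .sha512 file published next to the artifact matches the downloaded copy.

  Both are fetched from the same location, so a match proves integrity, not
  authenticity; that comes from the .asc signature checked in checkSigs.
  """
  # … unchanged: load '<urlString>.sha512' and require the binary-mode '*<artifact>' marker …
  s512 = hashlib.sha512()
  with open('%s/%s' % (tmpDir, artifact), 'rb') as f:
    for chunk in iter(lambda: f.read(65536), b''):
      s512.update(chunk)
  sha512Actual = s512.hexdigest()
  # … unchanged: raise RuntimeError on digest mismatch …
```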
@@ -2296,7 +2296,6 @@ ${ant.project.name}.test.dependencies=${test.classpath.list} Building checksums for '@{file}' -
diff --git a/solr/solr-ref-guide/src/meta-docs/publish.adoc b/solr/solr-ref-guide/src/meta-docs/publish.adoc
index 78ef29000b7..70112ba90c1 100644
--- a/solr/solr-ref-guide/src/meta-docs/publish.adoc
+++ b/solr/solr-ref-guide/src/meta-docs/publish.adoc
@@ -71,7 +71,7 @@ These steps walk through checking out this directory and uploading the Guide to
 IMPORTANT: The next step requires that you have already generated your GPG keys. Your GPG passphrase will be required.
 
 [start=3]
-. Run the Prep Ref Guide script to prepare the RC. This script ensures proper naming of the PDF file, generates `.sha1`,
+. Run the Prep Ref Guide script to prepare the RC. This script ensures proper naming of the PDF file, generates `.sha512`
 and `.asc` files and creates the proper RC sub-directories under `solr-ref-guide-rc`.
 .. The structure of the input is: `prep-solr-ref-guide-rc.sh GPGkey`.
 .. From the `solr-ref-guide-rc` directory, it will look something like this:
@@ -83,7 +83,6 @@ $ ~/lucene-source/dev-tools/scripts/prep-solr-ref-guide-rc.sh apache-solr-ref-gu
 + mkdir apache-solr-ref-guide-7.0-RC0
 + mv apache-solr-ref-guide-7.0.pdf apache-solr-ref-guide-7.0-RC0/apache-solr-ref-guide-7.0.pdf
 + cd apache-solr-ref-guide-7.0-RC0
-+ shasum apache-solr-ref-guide-7.0.pdf
 + shasum -a 512 apache-solr-ref-guide-7.0.pdf
 + gpg -u DEADBEEF --armor --output apache-solr-ref-guide-7.0.pdf.asc --detach-sig apache-solr-ref-guide-7.0.pdf
 
@@ -157,7 +156,7 @@ Once at least three PMC members have voted for release (see https://www.apache.o
 $ ~/lucene-source/dev-tools/scripts/publish-solr-ref-guide-rc.sh X.Y-RCZ
 
 ## Run the following commands when ready...
-svn move -m 'publishing apache-solr-ref-guide-X.Y-RCZ' https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ/apache-solr-ref-guide-X.Y.pdf https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ/apache-solr-ref-guide-X.Y.pdf.asc https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ/apache-solr-ref-guide-X.Y.pdf.sha1 https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ/apache-solr-ref-guide-X.Y.pdf.sha512 https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/
+svn move -m 'publishing apache-solr-ref-guide-X.Y-RCZ' https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ/apache-solr-ref-guide-X.Y.pdf https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ/apache-solr-ref-guide-X.Y.pdf.asc https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ/apache-solr-ref-guide-X.Y.pdf.sha512 https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/
 svn rm -m 'cleaning up apache-solr-ref-guide-X.Y-RCZ' https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ
 ----
 
@@ -182,7 +181,7 @@ $ ~/lucene-source/dev-tools/scripts/archive-solr-ref-guide.sh X.Y
 
 ## Run the following commands when ready...
 # Delete old releases
-svn rm -m 'removing archived ref guide files prior to X.Y' https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/apache-solr-ref-guide-A.B.pdf https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/apache-solr-ref-guide-A.B.pdf.asc https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/apache-solr-ref-guide-A.B.pdf.sha1
+svn rm -m 'removing archived ref guide files prior to X.Y' https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/apache-solr-ref-guide-A.B.pdf https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/apache-solr-ref-guide-A.B.pdf.asc https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/apache-solr-ref-guide-A.B.pdf.sha512
 # Delete old RC files
 svn rm -m 'cleaning up old RCs now that X.Y has been released' https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RC0/ https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RC1/