checksums: switch to sha256 for bottles and new formulae

Closes Homebrew/homebrew#37164. Signed-off-by: Mike McQuaid <mike@mikemcquaid.com>
author: Dominyk Tiller 2015-02-24 23:25:57 +0000
committer: Mike McQuaid 2015-03-05 14:45:39 +0000
commit: 12861686b847f26f50af7d9a9024a0bc4d25b3bd (patch)
tree: 32e62ccfdd7db3302f9408d88f3e13b03392bcf9 /Library
parent: c8835afead119761caa3e38193166387bb5a79f7 (diff)
download: brew-12861686b847f26f50af7d9a9024a0bc4d25b3bd.tar.bz2
6 files changed, 26 insertions, 20 deletions
diff --git a/Library/Contributions/example-formula.rb b/Library/Contributions/example-formula.rb
index e48199f39..fe96551f6 100644
--- a/Library/Contributions/example-formula.rb
+++ b/Library/Contributions/example-formula.rb
@@ -29,17 +29,17 @@ class ExampleFormula < Formula
   # version is seldom needed, because it's usually autodetected from the URL/tag.
   version "1.2-final"
 
-  # For integrity and security, we verify the hash (`openssl dgst -sha1 <FILE>`)
-  # You may also use sha256 if the software uses sha256 on their homepage. Do not use md5.
+  # For integrity and security, we verify the hash (`openssl dgst -sha256 <FILE>`)
+  # You should use SHA256. Never use md5.
   # Either generate the sha locally or leave it empty & `brew install` will tell you the expected.
-  sha1 "cafebabe78901234567890123456789012345678"
+  sha256 "2a2ba417eebaadcb4418ee7b12fe2998f26d6e6f7fda7983412ff66a741ab6f7"
 
   # Stable-only dependencies should be nested inside a `stable` block rather than
   # using a conditional. It is preferrable to also pull the URL and checksum into
   # the block if one is necessary.
   stable do
     url "https://example.com/foo-1.0.tar.gz"
-    sha1 "cafebabe78901234567890123456789012345678"
+    sha256 "2a2ba417eebaadcb4418ee7b12fe2998f26d6e6f7fda7983412ff66a741ab6f7"
 
     depends_on "libxml2"
     depends_on "libffi"
@@ -65,7 +65,7 @@ class ExampleFormula < Formula
   # Use this to specify a not-yet-released version of a software.
   devel do
     url "https://example.com/archive-2.0-beta.tar.gz"
-    sha1 "1234567890123456789012345678901234567890"
+    sha256 "2a2ba417eebaadcb4418ee7b12fe2998f26d6e6f7fda7983412ff66a741ab6f7"
 
     depends_on "cairo"
     depends_on "pixman"
@@ -97,9 +97,9 @@ class ExampleFormula < Formula
     prefix "/opt/homebrew" # Optional HOMEBREW_PREFIX in which the bottles were built.
     cellar "/opt/homebrew/Cellar" # Optional HOMEBREW_CELLAR in which the bottles were built.
     revision 1 # Making the old bottle outdated without bumping the version of the formula.
-    sha1 "d3d13fe6f42416765207503a946db01378131d7b" => :yosemite
-    sha1 "cdc48e79de2dee796bb4ba1ad987f6b35ce1c1ee" => :mavericks
-    sha1 "a19b544c8c645d7daad1d39a070a0eb86dfe9b9c" => :mountain_lion
+    sha256 "2a2ba417eebaadcb4418ee7b12fe2998f26d6e6f7fda7983412ff66a741ab6f7" => :yosemite
+    sha256 "2a2ba417eebaadcb4418ee7b12fe2998f26d6e6f7fda7983412ff66a741ab6f7" => :mavericks
+    sha256 "2a2ba417eebaadcb4418ee7b12fe2998f26d6e6f7fda7983412ff66a741ab6f7" => :mountain_lion
   end
 
   def pour_bottle?
@@ -204,7 +204,7 @@ class ExampleFormula < Formula
   # head block. This mechanism replaces ad-hoc "subformula" classes.
   resource "additional_files" do
     url "https://example.com/additional-stuff.tar.gz"
-    sha1 "deadbeef7890123456789012345678901234567890"
+    sha256 "c6bc3f48ce8e797854c4b865f6a8ff969867bbcaebd648ae6fd825683e59fef2"
   end
 
 
@@ -213,14 +213,14 @@ class ExampleFormula < Formula
   # External patches can be declared using resource-style blocks.
   patch do
     url "https://example.com/example_patch.diff"
-    sha1 "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+    sha256 "c6bc3f48ce8e797854c4b865f6a8ff969867bbcaebd648ae6fd825683e59fef2"
   end
 
   # A strip level of -p1 is assumed. It can be overridden using a symbol
   # argument:
   patch :p0 do
     url "https://example.com/example_patch.diff"
-    sha1 "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+    sha256 "c6bc3f48ce8e797854c4b865f6a8ff969867bbcaebd648ae6fd825683e59fef2"
   end
 
   # Patches can be declared in stable, devel, and head blocks. This form is
@@ -228,7 +228,7 @@ class ExampleFormula < Formula
   stable do
     patch do
       url "https://example.com/example_patch.diff"
-      sha1 "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+      sha256 "c6bc3f48ce8e797854c4b865f6a8ff969867bbcaebd648ae6fd825683e59fef2"
     end
   end
 
diff --git a/Library/Homebrew/cmd/audit.rb b/Library/Homebrew/cmd/audit.rb
index eefbf8286..2354cb3c2 100644
--- a/Library/Homebrew/cmd/audit.rb
+++ b/Library/Homebrew/cmd/audit.rb
@@ -846,9 +846,15 @@ class ResourceAuditor
 
     case checksum.hash_type
     when :md5
-      problem "MD5 checksums are deprecated, please use SHA1 or SHA256"
+      problem "MD5 checksums are deprecated, please use SHA256"
       return
-    when :sha1   then len = 40
+    when :sha1
+      if ARGV.include? "--strict"
+        problem "SHA1 checksums are deprecated, please use SHA256"
+        return
+      else
+        len = 40
+      end
     when :sha256 then len = 64
     end
 
diff --git a/Library/Homebrew/cmd/bottle.rb b/Library/Homebrew/cmd/bottle.rb
index dcbc0e2ce..77b75ed82 100644
--- a/Library/Homebrew/cmd/bottle.rb
+++ b/Library/Homebrew/cmd/bottle.rb
@@ -202,7 +202,7 @@ module Homebrew
     bottle.prefix prefix
     bottle.cellar relocatable ? :any : cellar
     bottle.revision bottle_revision
-    bottle.sha1 bottle_path.sha1 => bottle_tag
+    bottle.sha256 bottle_path.sha256 => bottle_tag
 
     output = bottle_output bottle
 
diff --git a/Library/Homebrew/cmd/create.rb b/Library/Homebrew/cmd/create.rb
index 3f169be21..b9bc9cd13 100644
--- a/Library/Homebrew/cmd/create.rb
+++ b/Library/Homebrew/cmd/create.rb
@@ -73,7 +73,7 @@ module Homebrew
 end
 
 class FormulaCreator
-  attr_reader :url, :sha1
+  attr_reader :url, :sha256
   attr_accessor :name, :version, :path, :mode
 
   def url= url
@@ -112,7 +112,7 @@ class FormulaCreator
       r.url(url)
       r.version(version)
       r.owner = self
-      @sha1 = r.fetch.sha1 if r.download_strategy == CurlDownloadStrategy
+      @sha256 = r.fetch.sha256 if r.download_strategy == CurlDownloadStrategy
     end
 
     path.write ERB.new(template, nil, '>').result(binding)
@@ -129,7 +129,7 @@ class FormulaCreator
     <% unless version.nil? or version.detected_from_url? %>
       version "#{version}"
     <% end %>
-      sha1 "#{sha1}"
+      sha256 "#{sha256}"
 
     <% if mode == :cmake %>
       depends_on "cmake" => :build
diff --git a/Library/Homebrew/resource.rb b/Library/Homebrew/resource.rb
index 92c9fa91b..4aa0e9640 100644
--- a/Library/Homebrew/resource.rb
+++ b/Library/Homebrew/resource.rb
@@ -122,7 +122,7 @@ class Resource
   rescue ChecksumMissingError
     opoo "Cannot verify integrity of #{fn.basename}"
     puts "A checksum was not provided for this resource"
-    puts "For your reference the SHA1 is: #{fn.sha1}"
+    puts "For your reference the SHA256 is: #{fn.sha256}"
   end
 
   Checksum::TYPES.each do |type|
diff --git a/Library/Homebrew/test/test_resource.rb b/Library/Homebrew/test/test_resource.rb
index 245bc1789..ac72836e2 100644
--- a/Library/Homebrew/test/test_resource.rb
+++ b/Library/Homebrew/test/test_resource.rb
@@ -113,7 +113,7 @@ class ResourceTests < Homebrew::TestCase
 
     fn.stubs(:file? => true)
     fn.expects(:verify_checksum).raises(ChecksumMissingError)
-    fn.expects(:sha1)
+    fn.expects(:sha256)
 
     shutup { @resource.verify_download_integrity(fn) }
   end
author	Dominyk Tiller	2015-02-24 23:25:57 +0000
committer	Mike McQuaid	2015-03-05 14:45:39 +0000
commit	12861686b847f26f50af7d9a9024a0bc4d25b3bd (patch)
tree	32e62ccfdd7db3302f9408d88f3e13b03392bcf9 /Library
parent	c8835afead119761caa3e38193166387bb5a79f7 (diff)
download	brew-12861686b847f26f50af7d9a9024a0bc4d25b3bd.tar.bz2