release.hs: use SHA256 digests for GPG signatures

borsboom · borsboom · commit 39eb4b6b1db2 · 2016-04-06T13:57:28.000-07:00
(#1934)
diff --git a/etc/scripts/release.hs b/etc/scripts/release.hs
@@ -221,7 +221,7 @@ rules global@Global{..} args = do
     releaseDir </> binaryPkgSignatureFileName %> \out -> do
         need [out -<.> ""]
         _ <- liftIO $ tryJust (guard . isDoesNotExistError) (removeFile out)
-        cmd "gpg --detach-sig --armor"
+        cmd "gpg --detach-sig --digest-algo=sha512 --armor"
             [ "-u", gGpgKey
             , dropExtension out ]
 
@@ -250,13 +250,15 @@ rules global@Global{..} args = do
            need [pkgFile]
            () <- cmd "deb-s3 upload --preserve-versions --bucket download.fpcomplete.com"
                [ "--sign=" ++ gGpgKey
+               , "--gpg-options=--digest-algo=sha512"
                , "--prefix=" ++ dvDistro
                , "--codename=" ++ dvCodeName
                , pkgFile ]
            -- Also upload to the old, incorrect location for people who still have their systems
            -- configured with it.
            () <- cmd "deb-s3 upload --preserve-versions --bucket download.fpcomplete.com"
                [ "--sign=" ++ gGpgKey
+               , "--gpg-options=--digest-algo=sha512"
                , "--prefix=" ++ dvDistro ++ "/" ++ dvCodeName
                , pkgFile ]
            copyFileChanged pkgFile out
