Merge pull request #94975 from zshihang/hash

replace sha1 with sha512

cluster/gce/config-default.sh

@@ -308,7 +308,7 @@ NODE_PROBLEM_DETECTOR_TAR_HASH="${NODE_PROBLEM_DETECTOR_TAR_HASH:-}"
 NODE_PROBLEM_DETECTOR_RELEASE_PATH="${NODE_PROBLEM_DETECTOR_RELEASE_PATH:-}"
 NODE_PROBLEM_DETECTOR_CUSTOM_FLAGS="${NODE_PROBLEM_DETECTOR_CUSTOM_FLAGS:-}"
 
-CNI_SHA1="${CNI_SHA1:-}"
+CNI_HASH="${CNI_HASH:-}"
 CNI_TAR_PREFIX="${CNI_TAR_PREFIX:-cni-plugins-linux-amd64-}"
 CNI_STORAGE_URL_BASE="${CNI_STORAGE_URL_BASE:-https://storage.googleapis.com/k8s-artifacts-cni/release}"
 

cluster/gce/config-test.sh

@@ -340,7 +340,7 @@ NODE_PROBLEM_DETECTOR_TAR_HASH=${NODE_PROBLEM_DETECTOR_TAR_HASH:-}
 NODE_PROBLEM_DETECTOR_RELEASE_PATH=${NODE_PROBLEM_DETECTOR_RELEASE_PATH:-}
 NODE_PROBLEM_DETECTOR_CUSTOM_FLAGS=${NODE_PROBLEM_DETECTOR_CUSTOM_FLAGS:-}
 
-CNI_SHA1=${CNI_SHA1:-}
+CNI_HASH=${CNI_HASH:-}
 CNI_TAR_PREFIX=${CNI_TAR_PREFIX:-cni-plugins-linux-amd64-}
 CNI_STORAGE_URL_BASE=${CNI_STORAGE_URL_BASE:-https://storage.googleapis.com/k8s-artifacts-cni/release}
 

cluster/gce/gci/configure.sh

@@ -25,12 +25,12 @@ set -o pipefail
 
 ### Hardcoded constants
 DEFAULT_CNI_VERSION="v0.8.7"
-DEFAULT_CNI_SHA1="96a30cb67e33da95fb1d99f93dd787c2a3c08627"
+DEFAULT_CNI_HASH="8f2cbee3b5f94d59f919054dccfe99a8e3db5473b553d91da8af4763e811138533e05df4dbeab16b3f774852b4184a7994968f5e036a3f531ad1ac4620d10ede"
 DEFAULT_NPD_VERSION="v0.8.0"
-DEFAULT_NPD_SHA1="9406c975b1b035995a137029a004622b905b4e7f"
+DEFAULT_NPD_HASH="b15d6919321e832b5fc7bc150c2e141e947305e82b34b514adbda9b9bc41088beadbf833f5bbbf44b9a8181c3fd8ed41e1629458d7544ccaecb374c22bde1517"
 DEFAULT_CRICTL_VERSION="v1.19.0"
-DEFAULT_CRICTL_SHA1="bc9d57377402c2cc36ca5e600d55de96b15953de"
+DEFAULT_CRICTL_HASH="fbbb34a1667bcf94df911a92ab6b70a9d2b34da967244a222f288bf0135c587cbfdcc89deedc5afd1823e109921df9caaa4e9ff9cc39e55a9b8cdea8eb6ebe72"
-DEFAULT_MOUNTER_TAR_SHA="8003b798cf33c7f91320cd6ee5cec4fa22244571"
+DEFAULT_MOUNTER_TAR_SHA="7956fd42523de6b3107ddc3ce0e75233d2fcb78436ff07a1389b6eaac91fb2b1b72a08f7a219eaf96ba1ca4da8d45271002e0d60e0644e796c665f99bb356516"
 ###
 
 # Use --retry-connrefused opt only if it's supported by curl.
@@ -126,9 +126,9 @@ function validate-hash {
   local -r file="$1"
   local -r expected="$2"
 
-  actual=$(sha1sum ${file} | awk '{ print $1 }') || true
+  actual=$(sha512sum ${file} | awk '{ print $1 }') || true
   if [[ "${actual}" != "${expected}" ]]; then
-    echo "== ${file} corrupted, sha1 ${actual} doesn't match expected ${expected} =="
+    echo "== ${file} corrupted, sha512 ${actual} doesn't match expected ${expected} =="
     return 1
   fi
 }
@@ -146,7 +146,7 @@ function valid-storage-scope {
 
 # Retry a download until we get it. Takes a hash and a set of URLs.
 #
-# $1 is the sha1 of the URL. Can be "" if the sha1 is unknown.
+# $1 is the sha512 of the URL. Can be "" if the sha512 is unknown.
 # $2+ are the URLs to download.
 function download-or-bust {
   local -r hash="$1"
@@ -168,7 +168,7 @@ function download-or-bust {
         echo "== Hash validation of ${url} failed. Retrying. =="
       else
         if [[ -n "${hash}" ]]; then
-          echo "== Downloaded ${url} (SHA1 = ${hash}) =="
+          echo "== Downloaded ${url} (SHA512 = ${hash}) =="
         else
           echo "== Downloaded ${url} =="
         fi
@@ -220,21 +220,21 @@ function install-gci-mounter-tools {
 function install-node-problem-detector {
   if [[ -n "${NODE_PROBLEM_DETECTOR_VERSION:-}" ]]; then
       local -r npd_version="${NODE_PROBLEM_DETECTOR_VERSION}"
-      local -r npd_sha1="${NODE_PROBLEM_DETECTOR_TAR_HASH}"
+      local -r npd_hash="${NODE_PROBLEM_DETECTOR_TAR_HASH}"
   else
       local -r npd_version="${DEFAULT_NPD_VERSION}"
-      local -r npd_sha1="${DEFAULT_NPD_SHA1}"
+      local -r npd_hash="${DEFAULT_NPD_HASH}"
   fi
   local -r npd_tar="node-problem-detector-${npd_version}.tar.gz"
 
-  if is-preloaded "${npd_tar}" "${npd_sha1}"; then
+  if is-preloaded "${npd_tar}" "${npd_hash}"; then
     echo "${npd_tar} is preloaded."
     return
   fi
 
   echo "Downloading ${npd_tar}."
   local -r npd_release_path="${NODE_PROBLEM_DETECTOR_RELEASE_PATH:-https://storage.googleapis.com/kubernetes-release}"
-  download-or-bust "${npd_sha1}" "${npd_release_path}/node-problem-detector/${npd_tar}"
+  download-or-bust "${npd_hash}" "${npd_release_path}/node-problem-detector/${npd_tar}"
   local -r npd_dir="${KUBE_HOME}/node-problem-detector"
   mkdir -p "${npd_dir}"
   tar xzf "${KUBE_HOME}/${npd_tar}" -C "${npd_dir}" --overwrite
@@ -247,22 +247,22 @@ function install-node-problem-detector {
 function install-cni-binaries {
   if [[ -n "${CNI_VERSION:-}" ]]; then
       local -r cni_version="${CNI_VERSION}"
-      local -r cni_sha1="${CNI_SHA1}"
+      local -r cni_hash="${CNI_HASH}"
   else
       local -r cni_version="${DEFAULT_CNI_VERSION}"
-      local -r cni_sha1="${DEFAULT_CNI_SHA1}"
+      local -r cni_hash="${DEFAULT_CNI_HASH}"
   fi
 
   local -r cni_tar="${CNI_TAR_PREFIX}${cni_version}.tgz"
   local -r cni_url="${CNI_STORAGE_URL_BASE}/${cni_version}/${cni_tar}"
 
-  if is-preloaded "${cni_tar}" "${cni_sha1}"; then
+  if is-preloaded "${cni_tar}" "${cni_hash}"; then
     echo "${cni_tar} is preloaded."
     return
   fi
 
   echo "Downloading cni binaries"
-  download-or-bust "${cni_sha1}" "${cni_url}"
+  download-or-bust "${cni_hash}" "${cni_url}"
   local -r cni_dir="${KUBE_HOME}/cni"
   mkdir -p "${cni_dir}/bin"
   tar xzf "${KUBE_HOME}/${cni_tar}" -C "${cni_dir}/bin" --overwrite
@@ -275,10 +275,10 @@ function install-cni-binaries {
 function install-crictl {
   if [[ -n "${CRICTL_VERSION:-}" ]]; then
     local -r crictl_version="${CRICTL_VERSION}"
-    local -r crictl_sha1="${CRICTL_TAR_HASH}"
+    local -r crictl_hash="${CRICTL_TAR_HASH}"
   else
     local -r crictl_version="${DEFAULT_CRICTL_VERSION}"
-    local -r crictl_sha1="${DEFAULT_CRICTL_SHA1}"
+    local -r crictl_hash="${DEFAULT_CRICTL_HASH}"
   fi
   local -r crictl="crictl-${crictl_version}-linux-amd64.tar.gz"
 
@@ -287,14 +287,14 @@ function install-crictl {
 runtime-endpoint: ${CONTAINER_RUNTIME_ENDPOINT:-unix:///var/run/dockershim.sock}
 EOF
 
-  if is-preloaded "${crictl}" "${crictl_sha1}"; then
+  if is-preloaded "${crictl}" "${crictl_hash}"; then
     echo "crictl is preloaded"
     return
   fi
 
   echo "Downloading crictl"
   local -r crictl_path="https://storage.googleapis.com/k8s-artifacts-cri-tools/release/${crictl_version}"
-  download-or-bust "${crictl_sha1}" "${crictl_path}/${crictl}"
+  download-or-bust "${crictl_hash}" "${crictl_path}/${crictl}"
   tar xf "${crictl}"
   mv crictl "${KUBE_BIN}/crictl"
 }
@@ -304,15 +304,15 @@ function install-exec-auth-plugin {
       return
   fi
   local -r plugin_url="${EXEC_AUTH_PLUGIN_URL}"
-  local -r plugin_sha1="${EXEC_AUTH_PLUGIN_SHA1}"
+  local -r plugin_hash="${EXEC_AUTH_PLUGIN_HASH}"
 
-  if is-preloaded "gke-exec-auth-plugin" "${plugin_sha1}"; then
+  if is-preloaded "gke-exec-auth-plugin" "${plugin_hash}"; then
     echo "gke-exec-auth-plugin is preloaded"
     return
   fi
 
   echo "Downloading gke-exec-auth-plugin binary"
-  download-or-bust "${plugin_sha1}" "${plugin_url}"
+  download-or-bust "${plugin_hash}" "${plugin_url}"
   mv "${KUBE_HOME}/gke-exec-auth-plugin" "${KUBE_BIN}/gke-exec-auth-plugin"
   chmod a+x "${KUBE_BIN}/gke-exec-auth-plugin"
 
@@ -334,9 +334,9 @@ function install-kube-manifests {
   if [ -n "${KUBE_MANIFESTS_TAR_HASH:-}" ]; then
     local -r manifests_tar_hash="${KUBE_MANIFESTS_TAR_HASH}"
   else
-    echo "Downloading k8s manifests sha1 (not found in env)"
+    echo "Downloading k8s manifests hash (not found in env)"
-    download-or-bust "" "${manifests_tar_urls[@]/.tar.gz/.tar.gz.sha1}"
+    download-or-bust "" "${manifests_tar_urls[@]/.tar.gz/.tar.gz.sha512}"
-    local -r manifests_tar_hash=$(cat "${manifests_tar}.sha1")
+    local -r manifests_tar_hash=$(cat "${manifests_tar}.sha512")
   fi
 
   if is-preloaded "${manifests_tar}" "${manifests_tar_hash}"; then
@@ -363,7 +363,7 @@ function install-kube-manifests {
   cp "${dst_dir}/kubernetes/gci-trusty/health-monitor.sh" "${KUBE_BIN}/health-monitor.sh"
 
   rm -f "${KUBE_HOME}/${manifests_tar}"
-  rm -f "${KUBE_HOME}/${manifests_tar}.sha1"
+  rm -f "${KUBE_HOME}/${manifests_tar}.sha512"
 }
 
 # A helper function for loading a docker image. It keeps trying up to 5 times.
@@ -547,9 +547,9 @@ function install-kube-binary-config {
   if [[ -n "${SERVER_BINARY_TAR_HASH:-}" ]]; then
     local -r server_binary_tar_hash="${SERVER_BINARY_TAR_HASH}"
   else
-    echo "Downloading binary release sha1 (not found in env)"
+    echo "Downloading binary release sha512 (not found in env)"
-    download-or-bust "" "${server_binary_tar_urls[@]/.tar.gz/.tar.gz.sha1}"
+    download-or-bust "" "${server_binary_tar_urls[@]/.tar.gz/.tar.gz.sha512}"
-    local -r server_binary_tar_hash=$(cat "${server_binary_tar}.sha1")
+    local -r server_binary_tar_hash=$(cat "${server_binary_tar}.sha512")
   fi
 
   if is-preloaded "${server_binary_tar}" "${server_binary_tar_hash}"; then
@@ -613,7 +613,7 @@ function install-kube-binary-config {
   # Clean up.
   rm -rf "${KUBE_HOME}/kubernetes"
   rm -f "${KUBE_HOME}/${server_binary_tar}"
-  rm -f "${KUBE_HOME}/${server_binary_tar}.sha1"
+  rm -f "${KUBE_HOME}/${server_binary_tar}.sha512"
 }
 
 ######### Main Function ##########

cluster/gce/gci/mounter/stage-upload.sh

@@ -63,6 +63,6 @@ echo "Uploading gci mounter ACI in ${ACI_DIR} to ${MOUNTER_GCS_DIR}"
 gsutil cp "${ACI_DIR}/${MOUNTER_ACI_IMAGE}" "${MOUNTER_GCS_DIR}"
 
 echo "Upload completed"
-echo "Updated gci-mounter ACI version and SHA1 in cluster/gce/gci/configure.sh"
+echo "Updated gci-mounter ACI version and SH512 in cluster/gce/gci/configure.sh"
-ACI_HASH=$(sha1sum "${ACI_DIR}/${MOUNTER_ACI_IMAGE}")
+ACI_HASH=$(sha512sum "${ACI_DIR}/${MOUNTER_ACI_IMAGE}")
 echo "${MOUNTER_ACI_IMAGE} hash: ${ACI_HASH}"

cluster/gce/util.sh

@@ -239,10 +239,10 @@ function copy-to-staging() {
     fi
   fi
 
-  echo "${hash}" > "${tar}.sha1"
+  echo "${hash}" > "${tar}.sha512"
-  gsutil -m -q -h "Cache-Control:private, max-age=0" cp "${tar}" "${tar}.sha1" "${staging_path}"
+  gsutil -m -q -h "Cache-Control:private, max-age=0" cp "${tar}" "${tar}.sha512" "${staging_path}"
-  gsutil -m acl ch -g all:R "${gs_url}" "${gs_url}.sha1" >/dev/null 2>&1 || true
+  gsutil -m acl ch -g all:R "${gs_url}" "${gs_url}.sha512" >/dev/null 2>&1 || true
-  echo "+++ ${basename_tar} uploaded (sha1 = ${hash})"
+  echo "+++ ${basename_tar} uploaded (sha512 = ${hash})"
 }
 
 
@@ -314,13 +314,13 @@ function upload-tars() {
     DOCKER_REGISTRY_MIRROR_URL="https://mirror.gcr.io"
   fi
 
-  SERVER_BINARY_TAR_HASH=$(sha1sum-file "${SERVER_BINARY_TAR}")
+  SERVER_BINARY_TAR_HASH=$(sha512sum-file "${SERVER_BINARY_TAR}")
 
   if [[ -n "${NODE_BINARY_TAR:-}" ]]; then
-    NODE_BINARY_TAR_HASH=$(sha1sum-file "${NODE_BINARY_TAR}")
+    NODE_BINARY_TAR_HASH=$(sha512sum-file "${NODE_BINARY_TAR}")
   fi
   if [[ -n "${KUBE_MANIFESTS_TAR:-}" ]]; then
-    KUBE_MANIFESTS_TAR_HASH=$(sha1sum-file "${KUBE_MANIFESTS_TAR}")
+    KUBE_MANIFESTS_TAR_HASH=$(sha512sum-file "${KUBE_MANIFESTS_TAR}")
   fi
 
   local server_binary_tar_urls=()
@@ -506,11 +506,11 @@ function load-or-gen-kube-bearertoken() {
 #   SERVER_BINARY_TAR_URL
 #   SERVER_BINARY_TAR_HASH
 function tars_from_version() {
-  local sha1sum=""
+  local sha512sum=""
-  if which sha1sum >/dev/null 2>&1; then
+  if which sha512sum >/dev/null 2>&1; then
-    sha1sum="sha1sum"
+    sha512sum="sha512sum"
   else
-    sha1sum="shasum -a1"
+    sha512sum="shasum -a512"
   fi
 
   if [[ -z "${KUBE_VERSION-}" ]]; then
@@ -520,18 +520,18 @@ function tars_from_version() {
     SERVER_BINARY_TAR_URL="https://storage.googleapis.com/kubernetes-release/release/${KUBE_VERSION}/kubernetes-server-linux-amd64.tar.gz"
     # TODO: Clean this up.
     KUBE_MANIFESTS_TAR_URL="${SERVER_BINARY_TAR_URL/server-linux-amd64/manifests}"
-    KUBE_MANIFESTS_TAR_HASH=$(curl ${KUBE_MANIFESTS_TAR_URL} --silent --show-error | ${sha1sum} | awk '{print $1}')
+    KUBE_MANIFESTS_TAR_HASH=$(curl ${KUBE_MANIFESTS_TAR_URL} --silent --show-error | ${sha512sum} | awk '{print $1}')
   elif [[ ${KUBE_VERSION} =~ ${KUBE_CI_VERSION_REGEX} ]]; then
     SERVER_BINARY_TAR_URL="https://storage.googleapis.com/kubernetes-release-dev/ci/${KUBE_VERSION}/kubernetes-server-linux-amd64.tar.gz"
     # TODO: Clean this up.
     KUBE_MANIFESTS_TAR_URL="${SERVER_BINARY_TAR_URL/server-linux-amd64/manifests}"
-    KUBE_MANIFESTS_TAR_HASH=$(curl ${KUBE_MANIFESTS_TAR_URL} --silent --show-error | ${sha1sum} | awk '{print $1}')
+    KUBE_MANIFESTS_TAR_HASH=$(curl ${KUBE_MANIFESTS_TAR_URL} --silent --show-error | ${sha512sum} | awk '{print $1}')
   else
     echo "Version doesn't match regexp" >&2
     exit 1
   fi
-  if ! SERVER_BINARY_TAR_HASH=$(curl -Ss --fail "${SERVER_BINARY_TAR_URL}.sha1"); then
+  if ! SERVER_BINARY_TAR_HASH=$(curl -Ss --fail "${SERVER_BINARY_TAR_URL}.sha512"); then
-    echo "Failure trying to curl release .sha1"
+    echo "Failure trying to curl release .sha512"
   fi
 
   if ! curl -Ss --head "${SERVER_BINARY_TAR_URL}" >&/dev/null; then
@@ -1144,7 +1144,7 @@ NODE_PROBLEM_DETECTOR_CUSTOM_FLAGS: $(yaml-quote "${NODE_PROBLEM_DETECTOR_CUSTOM
 CNI_STORAGE_URL_BASE: $(yaml-quote "${CNI_STORAGE_URL_BASE:-}")
 CNI_TAR_PREFIX: $(yaml-quote "${CNI_TAR_PREFIX:-}")
 CNI_VERSION: $(yaml-quote "${CNI_VERSION:-}")
-CNI_SHA1: $(yaml-quote "${CNI_SHA1:-}")
+CNI_HASH: $(yaml-quote "${CNI_HASH:-}")
 ENABLE_NODE_LOGGING: $(yaml-quote "${ENABLE_NODE_LOGGING:-false}")
 LOGGING_DESTINATION: $(yaml-quote "${LOGGING_DESTINATION:-}")
 ELASTICSEARCH_LOGGING_REPLICAS: $(yaml-quote "${ELASTICSEARCH_LOGGING_REPLICAS:-}")
@@ -1552,11 +1552,11 @@ WINDOWS_INFRA_CONTAINER: $(yaml-quote "${WINDOWS_INFRA_CONTAINER}")
 EOF
 }
 
-function sha1sum-file() {
+function sha512sum-file() {
-  if which sha1sum >/dev/null 2>&1; then
+  if which sha512sum >/dev/null 2>&1; then
-    sha1sum "$1" | awk '{ print $1 }'
+    sha512sum "$1" | awk '{ print $1 }'
   else
-    shasum -a1 "$1" | awk '{ print $1 }'
+    shasum -a512 "$1" | awk '{ print $1 }'
   fi
 }
 

cluster/gce/windows/common.psm1

@@ -128,12 +128,12 @@ function Validate-SHA {
 # It will loop through the URLs list forever until it has a success. If
 # successful, it will write the file to OutFile. You can optionally provide a
 # Hash argument with an optional Algorithm, in which case it will attempt to
-# validate the downloaded file against the hash. SHA1 will be used if Algorithm
+# validate the downloaded file against the hash. SHA512 will be used if Algorithm
 # is not provided.
 function MustDownload-File {
   param (
     [parameter(Mandatory=$false)] [string]$Hash,
-    [parameter(Mandatory=$false)] [string]$Algorithm = 'SHA1',
+    [parameter(Mandatory=$false)] [string]$Algorithm = 'SHA512',
     [parameter(Mandatory=$true)] [string]$OutFile,
     [parameter(Mandatory=$true)] [System.Collections.Generic.List[String]]$URLs,
     [parameter(Mandatory=$false)] [System.Collections.IDictionary]$Headers = @{}

cluster/gce/windows/k8s-node-setup.psm1

@@ -339,7 +339,7 @@ function Download-HelperScripts {
 #
 # Required ${kube_env} keys:
 #   EXEC_AUTH_PLUGIN_LICENSE_URL
-#   EXEC_AUTH_PLUGIN_SHA1
+#   EXEC_AUTH_PLUGIN_HASH
 #   EXEC_AUTH_PLUGIN_URL
 function DownloadAndInstall-AuthPlugin {
   if (-not (Test-NodeUsesAuthPlugin ${kube_env})) {
@@ -351,14 +351,14 @@ function DownloadAndInstall-AuthPlugin {
   }
 
   if (-not ($kube_env.ContainsKey('EXEC_AUTH_PLUGIN_LICENSE_URL') -and
-            $kube_env.ContainsKey('EXEC_AUTH_PLUGIN_SHA1') -and
+            $kube_env.ContainsKey('EXEC_AUTH_PLUGIN_HASH') -and
             $kube_env.ContainsKey('EXEC_AUTH_PLUGIN_URL'))) {
     Log-Output -Fatal ("Missing one or more kube-env keys needed for " +
                        "downloading auth plugin: $(Out-String $kube_env)")
   }
   MustDownload-File `
       -URLs ${kube_env}['EXEC_AUTH_PLUGIN_URL'] `
-      -Hash ${kube_env}['EXEC_AUTH_PLUGIN_SHA1'] `
+      -Hash ${kube_env}['EXEC_AUTH_PLUGIN_HASH'] `
       -OutFile "${env:NODE_DIR}\gke-exec-auth-plugin.exe"
   MustDownload-File `
       -URLs ${kube_env}['EXEC_AUTH_PLUGIN_LICENSE_URL'] `
@@ -962,13 +962,13 @@ function Install_Cni_Binaries {
   $release_url = "${env:WINDOWS_CNI_STORAGE_PATH}/${env:WINDOWS_CNI_VERSION}/"
   $tgz_url = ($release_url +
               "cni-plugins-windows-amd64-${env:WINDOWS_CNI_VERSION}.tgz")
-  $sha_url = ($tgz_url + ".sha1")
+  $sha_url = ($tgz_url + ".sha512")
-  MustDownload-File -URLs $sha_url -OutFile $tmp_dir\cni-plugins.sha1
+  MustDownload-File -URLs $sha_url -OutFile $tmp_dir\cni-plugins.sha512
-  $sha1_val = ($(Get-Content $tmp_dir\cni-plugins.sha1) -split ' ',2)[0]
+  $sha512_val = ($(Get-Content $tmp_dir\cni-plugins.sha512) -split ' ',2)[0]
   MustDownload-File `
       -URLs $tgz_url `
       -OutFile $tmp_dir\cni-plugins.tgz `
-      -Hash $sha1_val
+      -Hash $sha512_val
 
   tar xzvf $tmp_dir\cni-plugins.tgz -C $tmp_dir
   Move-Item -Force $tmp_dir\host-local.exe ${env:CNI_DIR}\

cluster/get-kube-binaries.sh

@@ -138,11 +138,11 @@ function md5sum_file() {
   fi
 }
 
-function sha1sum_file() {
+function sha512sum_file() {
-  if which sha1sum >/dev/null 2>&1; then
+  if which sha512sum >/dev/null 2>&1; then
-    sha1sum "$1" | awk '{ print $1 }'
+    sha512sum "$1" | awk '{ print $1 }'
   else
-    shasum -a1 "$1" | awk '{ print $1 }'
+    shasum -a512 "$1" | awk '{ print $1 }'
   fi
 }
 
@@ -171,11 +171,11 @@ function download_tarball() {
     exit 4
   fi
   echo
-  local md5sum sha1sum
+  local md5sum sha512sum
   md5sum=$(md5sum_file "${download_path}/${file}")
   echo "md5sum(${file})=${md5sum}"
-  sha1sum=$(sha1sum_file "${download_path}/${file}")
+  sha512sum=$(sha512sum_file "${download_path}/${file}")
-  echo "sha1sum(${file})=${sha1sum}"
+  echo "sha512sum(${file})=${sha512sum}"
   echo
   # TODO: add actual verification
   if [[ "${trace_on}" == "on" ]]; then