Apache has updated its policy on release signatures, as per its website here and a recent email. Basically, all future releases should provide a sha512 checksum instead of an md5 one.
There are two tasks:
- Update the release script to use sha512 instead of md5
- Update the wiki (requires committer/pmc permissions?)
While we're updating the wiki, we should add details on:
- Making sure the gpg key used for signing releases is 4096-bit RSA
- Publishing your gpg public key to a key server (https://www.apache.org/dev/release-signing#keyserver)
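
A sketch of the two checks a release script could carry for the tasks above, added here as an example and not taken from the project's own release script. The function names are hypothetical; it assumes `sha512sum` from coreutils and the machine-readable output of `gpg --with-colons --list-keys`.

```shell
#!/bin/sh
# Added example: sha512 sidecar files and a signing-key policy check.
# Function names are hypothetical, not part of any existing release script.

# write_sha512 FILE: write FILE.sha512 beside the artifact (no .md5 is produced).
# The checksum is computed from inside the artifact's directory so the sidecar
# holds a relative name and still verifies after the files are moved together.
write_sha512() {
    dir=$(dirname -- "$1"); base=$(basename -- "$1")
    ( cd "$dir" && sha512sum "./$base" > "$base.sha512" )
}

# verify_sha512 FILE: return 0 only if FILE still matches FILE.sha512.
verify_sha512() {
    dir=$(dirname -- "$1"); base=$(basename -- "$1")
    ( cd "$dir" && sha512sum -c "$base.sha512" >/dev/null 2>&1 )
}

# key_is_rsa4096: read `gpg --with-colons --list-keys KEYID` output on stdin.
# In a "pub" record, field 3 is the key length in bits and field 4 is the
# public-key algorithm number (1 = RSA). Returns 0 only when a primary key is
# present and it is 4096-bit RSA; empty input counts as a failure.
key_is_rsa4096() {
    awk -F: '
        $1 == "pub" { found = 1; if ($4 != 1 || $3 != 4096) bad = 1 }
        END { exit ((found && !bad) ? 0 : 1) }'
}

# Typical use in a release script (KEYID and the artifact path are placeholders):
#   gpg --with-colons --list-keys "$KEYID" | key_is_rsa4096 || exit 1
#   write_sha512 "dist/artifact.tar.gz"
#   gpg --armor --detach-sign -u "$KEYID" "dist/artifact.tar.gz"
```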