From b399aa3188881b940ebed73022092f417d0a4d53 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov
Date: Fri, 19 Dec 2025 13:17:45 +0000
Subject: [PATCH] evergreen: y2030 - stop producing SHA1 and MD5 files, and only provide SHA256 files
To comply with complete withdrawal of SHA1 usage by both IETF RFC (non-fips) and NIST CMPV (fips) by 2030, stop producing SHA1 and MD5 checksum files in favor of only providing SHA256 checksum files. As we enter 2026, software produced today might be in active use in 2030 hence it is best to be forward looking with this. If anything breaks, this can be reverted with a migration plan figured out to be executed by 2030.
---
 .../tasks/compile_tasks_nightly.yml | 20 -------------------
 evergreen/run_upload_lock_push.sh | 10 ----------
 2 files changed, 30 deletions(-)
diff --git a/etc/evergreen_yml_components/tasks/compile_tasks_nightly.yml b/etc/evergreen_yml_components/tasks/compile_tasks_nightly.yml
index 7b30408f820ac..3e0a1bd7b9e5e 100644
--- a/etc/evergreen_yml_components/tasks/compile_tasks_nightly.yml
+++ b/etc/evergreen_yml_components/tasks/compile_tasks_nightly.yml
@@ -696,16 +696,6 @@ tasks:
 DEBUG_SYMBOLS_TARBALL_SIGNATURE_KEY: ${version_id}/${build_id}/push/${push_path}/mongodb-${push_name}-${push_arch}-debugsymbols-${suffix}.${ext|tgz}.sig
 MSI_PATH: src/mongodb-${push_name}-${push_arch}-${suffix}.msi
 MSI_KEY: ${version_id}/${build_id}/push/${push_path}/mongodb-${push_name}-${push_arch}-${suffix}-signed.msi
- SERVER_TARBALL_SHA1_PATH: src/mongodb-${push_name}-${push_arch}-${suffix}.${ext|tgz}.sha1
- SERVER_TARBALL_SHA1_KEY: ${version_id}/${build_id}/push/${push_path}/mongodb-${push_name}-${push_arch}-${suffix}.${ext|tgz}.sha1
- CRYPTD_TARBALL_SHA1_PATH: src/mongodb-cryptd-${push_name}-${push_arch}-${suffix}.${ext|tgz}.sha1
- CRYPTD_TARBALL_SHA1_KEY: ${version_id}/${build_id}/push/${push_path}/mongodb-cryptd-${push_name}-${push_arch}-${suffix}.${ext|tgz}.sha1
- SOURCE_TARBALL_SHA1_PATH: src/mongodb-src-${src_suffix}.${ext|tar.gz}.sha1
- SOURCE_TARBALL_SHA1_KEY: ${version_id}/${build_id}/push/src/mongodb-src-${src_suffix}.${ext|tar.gz}.sha1
- DEBUG_SYMBOLS_TARBALL_SHA1_PATH: src/mongodb-${push_name}-${push_arch}-debugsymbols-${suffix}.${ext|tgz}.sha1
- DEBUG_SYMBOLS_TARBALL_SHA1_KEY: ${version_id}/${build_id}/push/${push_path}/mongodb-${push_name}-${push_arch}-debugsymbols-${suffix}.${ext|tgz}.sha1
- MSI_SHA1_PATH: src/mongodb-${push_name}-${push_arch}-${suffix}.msi.sha1
- MSI_SHA1_KEY: ${version_id}/${build_id}/push/${push_path}/mongodb-${push_name}-${push_arch}-${suffix}-signed.msi.sha1
 SERVER_TARBALL_SHA256_PATH: src/mongodb-${push_name}-${push_arch}-${suffix}.${ext|tgz}.sha256
 SERVER_TARBALL_SHA256_KEY: ${version_id}/${build_id}/push/${push_path}/mongodb-${push_name}-${push_arch}-${suffix}.${ext|tgz}.sha256
 CRYPTD_TARBALL_SHA256_PATH: src/mongodb-cryptd-${push_name}-${push_arch}-${suffix}.${ext|tgz}.sha256
@@ -716,16 +706,6 @@ tasks:
 DEBUG_SYMBOLS_TARBALL_SHA256_KEY: ${version_id}/${build_id}/push/${push_path}/mongodb-${push_name}-${push_arch}-debugsymbols-${suffix}.${ext|tgz}.sha256
 MSI_SHA256_PATH: src/mongodb-${push_name}-${push_arch}-${suffix}.msi.sha256
 MSI_SHA256_KEY: ${version_id}/${build_id}/push/${push_path}/mongodb-${push_name}-${push_arch}-${suffix}-signed.msi.sha256
- SERVER_TARBALL_MD5_PATH: src/mongodb-${push_name}-${push_arch}-${suffix}.${ext|tgz}.md5
- SERVER_TARBALL_MD5_KEY: ${version_id}/${build_id}/push/${push_path}/mongodb-${push_name}-${push_arch}-${suffix}.${ext|tgz}.md5
- CRYPTD_TARBALL_MD5_PATH: src/mongodb-cryptd-${push_name}-${push_arch}-${suffix}.${ext|tgz}.md5
- CRYPTD_TARBALL_MD5_KEY: ${version_id}/${build_id}/push/${push_path}/mongodb-cryptd-${push_name}-${push_arch}-${suffix}.${ext|tgz}.md5
- SOURCE_TARBALL_MD5_PATH: src/mongodb-src-${src_suffix}.${ext|tar.gz}.md5
- SOURCE_TARBALL_MD5_KEY: ${version_id}/${build_id}/push/src/mongodb-src-${src_suffix}.${ext|tar.gz}.md5
- DEBUG_SYMBOLS_TARBALL_MD5_PATH: src/mongodb-${push_name}-${push_arch}-debugsymbols-${suffix}.${ext|tgz}.md5
- DEBUG_SYMBOLS_TARBALL_MD5_KEY: ${version_id}/${build_id}/push/${push_path}/mongodb-${push_name}-${push_arch}-debugsymbols-${suffix}.${ext|tgz}.md5
- MSI_MD5_PATH: src/mongodb-${push_name}-${push_arch}-${suffix}.msi.md5
- MSI_MD5_KEY: ${version_id}/${build_id}/push/${push_path}/mongodb-${push_name}-${push_arch}-${suffix}-signed.msi.md5
 AWS_ACCESS_KEY_ID: ${upload_lock_access_key_id}
 AWS_SECRET_ACCESS_KEY: ${upload_lock_secret_access_key}
 UPLOAD_LOCK_IMAGE: ${upload_lock_image_ecr}
diff --git a/evergreen/run_upload_lock_push.sh b/evergreen/run_upload_lock_push.sh
index ee5f9875670ba..9e99926f2306c 100755
--- a/evergreen/run_upload_lock_push.sh
+++ b/evergreen/run_upload_lock_push.sh
@@ -11,21 +11,15 @@ declare -A ARTIFACTS=(
 [${SOURCE_TARBALL_PATH}]=${SOURCE_TARBALL_KEY}
 [${SERVER_TARBALL_SIGNATURE_PATH}]=${SERVER_TARBALL_SIGNATURE_KEY}
 [${SOURCE_TARBALL_SIGNATURE_PATH}]=${SOURCE_TARBALL_SIGNATURE_KEY}
- [${SERVER_TARBALL_SHA1_PATH}]=${SERVER_TARBALL_SHA1_KEY}
- [${SOURCE_TARBALL_SHA1_PATH}]=${SOURCE_TARBALL_SHA1_KEY}
 [${SERVER_TARBALL_SHA256_PATH}]=${SERVER_TARBALL_SHA256_KEY}
 [${SOURCE_TARBALL_SHA256_PATH}]=${SOURCE_TARBALL_SHA256_KEY}
- [${SERVER_TARBALL_MD5_PATH}]=${SERVER_TARBALL_MD5_KEY}
- [${SOURCE_TARBALL_MD5_PATH}]=${SOURCE_TARBALL_MD5_KEY}
 )
 # mongocryptd is only built for enterprise variants
 if [ -f "${CRYPTD_TARBALL_PATH}" ]; then
 ARTIFACTS[${CRYPTD_TARBALL_PATH}]=${CRYPTD_TARBALL_KEY}
 ARTIFACTS[${CRYPTD_TARBALL_SIGNATURE_PATH}]=${CRYPTD_TARBALL_SIGNATURE_KEY}
- ARTIFACTS[${CRYPTD_TARBALL_SHA1_PATH}]=${CRYPTD_TARBALL_SHA1_KEY}
 ARTIFACTS[${CRYPTD_TARBALL_SHA256_PATH}]=${CRYPTD_TARBALL_SHA256_KEY}
- ARTIFACTS[${CRYPTD_TARBALL_MD5_PATH}]=${CRYPTD_TARBALL_MD5_KEY}
 fi
 # mongohouse only built sometimes
@@ -39,18 +33,14 @@ fi
 if [ -f "${DEBUG_SYMBOLS_TARBALL_PATH}" ]; then
 ARTIFACTS[${DEBUG_SYMBOLS_TARBALL_PATH}]=${DEBUG_SYMBOLS_TARBALL_KEY}
 ARTIFACTS[${DEBUG_SYMBOLS_TARBALL_SIGNATURE_PATH}]=${DEBUG_SYMBOLS_TARBALL_SIGNATURE_KEY}
- ARTIFACTS[${DEBUG_SYMBOLS_TARBALL_SHA1_PATH}]=${DEBUG_SYMBOLS_TARBALL_SHA1_KEY}
 ARTIFACTS[${DEBUG_SYMBOLS_TARBALL_SHA256_PATH}]=${DEBUG_SYMBOLS_TARBALL_SHA256_KEY}
- ARTIFACTS[${DEBUG_SYMBOLS_TARBALL_MD5_PATH}]=${DEBUG_SYMBOLS_TARBALL_MD5_KEY}
 fi
 # MSIs are only built on windows
 # note there is no detached signature file
 if [ -f "${MSI_PATH}" ]; then
 ARTIFACTS[${MSI_PATH}]=${MSI_KEY}
- ARTIFACTS[${MSI_SHA1_PATH}]=${MSI_SHA1_KEY}
 ARTIFACTS[${MSI_SHA256_PATH}]=${MSI_SHA256_KEY}
- ARTIFACTS[${MSI_MD5_PATH}]=${MSI_MD5_KEY}
 fi
 set -o verbose