External document refs should have a SHA1 instead of a SHA256

[goneall]

It is admittedly a bit hard to follow in the spec, but my reading is the external document references must use SHA1.

This is based on section 2.6 subsection 2.6.4:

[Checksum] is a checksum of the external document following the checksum

format defined in section 4.4.

In section 4.4 subsection 4.4.3:

4.4.3 Cardinality: Mandatory, one SHA1, others may be optionally provided.

[goneall]

There is also a missing space between the algorithm and algorithm value. Again, this is a bit hard to read in the spec, but the Java tools use the space as a delimiter between the tag/value fields. If we decide the space isn't needed, we should raise an issue for the Java tools.

[swinslow]

Thanks for this @goneall. From our separate conversation on this, understood about changing this from SHA256 to SHA1.

On the spacing comment, apologies for nitpicking :) but I'm not sure I gathered this from just reading the spec. Section 4.4.5 describes the separator as being ":", not ": ". I guess I had assumed that the separator was the colon, and any extraneous whitespace would be optional and ignorable (I may have made similar assumptions throughout the Golang tools tag-value parser, though the tag-value writer appears to add a single space as you're describing).

I do see though that the examples show one space between the colon and the actual hash value. Is it assumed that it should be a single whitespace? If so, I'll update it here and we may want to update the text in the spec to make that explicit as well.

[goneall]

@swinslow Good point on the spec - I agree that there should not be a space required. I'll open an issue for the Java tools that does the verification and creates the examples in the spec repo.