Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
-
None
Description
Hi everyone,
recent ASF parent pom will create hashes for source-release-zip files using the checksum-maven-plugin.
However, the SHIRO project decided to hash ALL artifacts:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<configuration>
<excludes>
<!-- default config -->
<exclude>**/*.md5</exclude>
<exclude>**/*.sha1</exclude>
<exclude>**/*.sha256</exclude>
<exclude>**/*.sha512</exclude>
<exclude> **/*.asc</exclude>
<!-- additional hashes -->
<exclude>**/*.sha3512</exclude>
</excludes>
</configuration>
</plugin>
<plugin>
<groupId>net.nicoulaj.maven.plugins</groupId>
<artifactId>checksum-maven-plugin</artifactId>
<version>1.11</version>
<executions>
<execution>
<id>source-release-checksum</id>
<phase>none</phase>
</execution>
<execution>
<id>main-artifact-checksum</id>
<phase>verify</phase>
<goals>
<goal>artifacts</goal>
</goals>
</execution>
</executions>
<configuration>
<algorithms>
<algorithm>SHA-256</algorithm>
<algorithm>SHA-512</algorithm>
<algorithm>SHA3-512</algorithm>
</algorithms>
<csvSummary>false</csvSummary>
<!--
attach checksums as well to upload to Maven Staging Repo,
as this eases uploading from stage to dist and doesn't do harm in Maven Central
-->
<attachChecksums>true</attachChecksums>
</configuration>
</plugin>
Now as you can see, gpg plugin had to be extended, but we also create *.sha3512 files. Those and all other hashes are being hashed by the deploy plugin, though:
$ ls -1F ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/*sources* ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.asc ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.md5 ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha1 ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha256 ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha256.md5 ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha256.sha1 ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha3512 ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha3512.md5 ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha3512.sha1 ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha512 ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha512.md5 ./org/apache/shiro/shiro-lang/1.9.0-SNAPSHOT/shiro-lang-1.9.0-20220303.204242-1-sources.jar.sha512.sha1
Notice the *.sha512.md1 and *.sha512.sha1 files.
Currently there is no exclusion possible.
Therefore:
- Let's add an exclusion parameter for hashing, similar to gpg's one.
- set a sane default (to be discussed).
Attachments
Issue Links
- depends upon
-
-
- Closed
-
- is fixed by
-
MRESOLVER-56 Support SHA-256 and SHA-512 as checksums
-
- Closed
-
- links to