Currently, it seems that the packages are signed using PGP (if using -Papache-release), MD5 and SHA1.
As requested, we don't release the binaries we generate with MD5, but that is a manual signature, this has nothing to do with the way maven release:perform does sign the packages.

And, yes, it would be very valuable to have a way to specify that we don't want md5 or sha1 signatures, but only pgp, SHA-256 or SHA-512. I don't know if this is an option in maven...

Bertrand Delacretaz raised the issue 2 weeks ago, AFAIR.

On Mon, Apr 30, 2018 at 10:57 PM, Greg Stein <gst...@gmail.com> wrote:

> There has been discussion of updating the required hashes. Maybe that got
> implemented on Nexus? CC'ing peeps...
>
> On Mon, Apr 30, 2018, 13:17 Emmanuel Lécharny <elecha...@symas.com> wrote:
>
>> Hi guys,
>>
>> yesterday, I tried to cut a release of Apache Directory LDAP API 1.0.1.
>> It went well, but never hit Nexus.
>>
>> Today, I tried to do a mvn deploy on the created tag, and now, it's
>> visible in Nexus (orgapachedirectory-1151) but I can't close it because
>> it complains about some missing .asc signatures :
>>
>> Missing Signature:
>> '/org/apache/directory/api/api-asn1-api/1.0.1/api-asn1-api-1.0.1.jar.asc'
>> does not exist for 'api-asn1-api-1.0.1.jar'.
>> ...
>>
>>
>> The .md5 and .sha1 signatures are present though.
>>
>>
>> The release is a pretty straightforward process that has been
>> established for almost a decade, and that worked just fine for tens of
>> releases... It's documented on
>> http://directory.staging.apache.org/api/developer-guide.html (Release
>> Process), but basically, it's all about doing :
>>
>> mvn release:prepare -DdryRun=true
>> mvn deploy
>> mvn release:clean
>> mvn release:prepare
>> mvn release:perform
>>
>>
>> What could have gone wrong ?
>>
>> Thanks !
>>
>

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
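
An added example, not part of the original thread and not Apache or Nexus tooling: a local check for the two conditions discussed above, a missing `.asc` next to an artifact and artifacts covered only by `.md5`/`.sha1`. It assumes a Maven-layout directory on disk and treats every non-sidecar file as an artifact; the `org/example/demo` tree and the function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

WEAK = ("md5", "sha1")
STRONG = ("sha256", "sha512")
SIDECARS = (".asc",) + tuple("." + a for a in WEAK + STRONG)

def audit_staging(root):
    """Return {relative artifact path: [findings]} for a Maven-layout directory."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.name.endswith(SIDECARS):
            continue  # sidecars are checked through the artifact they describe
        findings = []
        # Presence only: this does not verify the PGP signature itself.
        if not Path(f"{path}.asc").is_file():
            findings.append("missing .asc signature")
        data, present = path.read_bytes(), []
        for algo in WEAK + STRONG:
            sidecar = Path(f"{path}.{algo}")
            if not sidecar.is_file():
                continue
            present.append(algo)
            # A sidecar holds the hex digest, optionally followed by a file name.
            recorded = (sidecar.read_text().split() or [""])[0].lower()
            if recorded != hashlib.new(algo, data).hexdigest():
                findings.append(f"{algo} checksum mismatch")
        if not any(a in STRONG for a in present):
            has = ", ".join(present) or "none"
            findings.append(f"no SHA-256/SHA-512 checksum (has: {has})")
        report[path.relative_to(root).as_posix()] = findings
    return report

def build_sample(root):
    """Constructed sample: a jar with only .md5/.sha1, a pom with .asc and .sha512."""
    base = Path(root) / "org/example/demo/1.0.1"
    base.mkdir(parents=True)
    jar, pom = base / "demo-1.0.1.jar", base / "demo-1.0.1.pom"
    jar.write_bytes(b"constructed jar bytes")
    pom.write_bytes(b"<project/>")
    for algo in WEAK:
        Path(f"{jar}.{algo}").write_text(hashlib.new(algo, jar.read_bytes()).hexdigest())
    Path(f"{pom}.asc").write_text("constructed placeholder, not a real signature")
    digest = hashlib.sha512(pom.read_bytes()).hexdigest()
    Path(f"{pom}.sha512").write_text(digest + "  demo-1.0.1.pom")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for artifact, findings in audit_staging(tmp).items():
            print(artifact, "->", findings or "ok")
```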