Since SHA1/MD5 are deprecated and no longer supported by the policy[1], it seems like they should be removed from Nexus as a requirement, replaced instead by a requirement for SHA256|512
I'm not sure exactly how to go about doing this, but please open an Infra jira ticket and we can look into it further. -Chris ASF Infra [1] https://infra.apache.org/release-distribution > On Nov 15, 2021, at 2:55 PM, Tilmann <tilmann_...@gmx.de> wrote: > > Dear all, > > I hope this is the correct list to ask this, please direct me elsewhere > if it is not. > > We are trying to stage a release on Nexus. As suggested here > <https://infra.apache.org/release-distribution> and here > <https://infra.apache.org/publishing-maven-artifacts.html>, I removed > the .md5 and .sha1 files for the .zip/.tar.gz files before closing the > release. > Note that these files are still signed with sha512. > > However, when I try to close the release the process fails with an error > saying that Apache Rules failed because there is no md5 and no sha1: > > Event: Failed: Checksum Validation > typeId checksum-staging > failureMessage Required SHA-1: > '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.zip.sha1' > failureMessage Required MD5: > '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.zip.md5' > failureMessage Required SHA-1: > '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.tar.gz.sha1' > failureMessage Required MD5: > '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.tar.gz.md5' > > > It appears that the "Apache Rules" in Nexus contradict the > recommendations in the documentation. > > Any suggestion what to do? > - Is there a way to specify different (newer?) Apache Rules to be > executed in Nexus? > - Can I configure the process? > - Should I leave sha1/md5 in the release? > > Any pointers are appreciated. > > In case it matters, here is our parent .pom: > https://github.com/apache/db-jdo/blob/3.2/parent-pom/pom.xml > > Thanks, > > Til > > >
