Hi,
I've never done this before, but it seems like we need maven-gpg-plugin for
it [1].
Algorithm configuration would look like this:
<gpgArguments>
<arg>--digest-algo=SHA512</arg>
</gpgArguments>
Maybe this will help.
[1]
http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html
пн, 28 дек. 2020 г. в 01:25, Valentin Kulichenko <
valentin.kuliche...@gmail.com>:
> Igniters,
>
> I've been preparing the 3.0.0-alpha1 release and got confused about the
> requirements for checksums in Maven deployments. The Apache instruction [1]
> states that MD5 is deprecated and SHA1 should be avoided in favor of
> SHA-256 or SHA-512. However, it looks like we are still using the MD5/SHA1
> combination (at least that's what the staging for 2.9.1 [2] contains).
>
> On top of that, I can't find an easy way to switch to another checksum -
> Maven deploy plugin [3] creates MD5 and SHA1 files automatically and
> doesn't seem to have any options to tweak this behavior.
>
> That said, I have two questions:
>
> 1. Are we required to use SHA512 or MD5/SHA1 is OK for now?
> 2. Is there a painless way to include SHA512 in addition to MD5/SHA1?
>
> Can anyone shed some light on this?
>
> [1] https://infra.apache.org/release-signing.html#basic-facts
> [2]
>
> https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
> [3] https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
>
> -Val
>
--
Sincerely yours,
Ivan Bessonov
