Folks,

Were you able to resolve this?

2020-12-28 22:15 GMT+03:00, Valentin Kulichenko <valentin.kuliche...@gmail.com>:
> Hi Ivan,
>
> Thanks for your response. I've looked into the PGP plugin, and
> unfortunately it looks like it only can create signatures, but not
> checksums.
>
> -Val
>
> On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov <bessonov...@gmail.com>
> wrote:
>
>> Hi,
>>
>> I've never done this before, but it seems like we need maven-gpg-plugin
>> for it [1].
>>
>> Algorithm configuration would look like this:
>> <gpgArguments>
>>   <arg>--digest-algo=SHA512</arg>
>> </gpgArguments>
>>
>> Maybe this will help.
>>
>> [1] http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html
>>
>> Mon, Dec 28, 2020 at 01:25, Valentin Kulichenko <valentin.kuliche...@gmail.com>:
>>
>> > Igniters,
>> >
>> > I've been preparing the 3.0.0-alpha1 release and got confused about the
>> > requirements for checksums in Maven deployments. The Apache instruction [1]
>> > states that MD5 is deprecated and SHA1 should be avoided in favor of
>> > SHA-256 or SHA-512. However, it looks like we are still using the MD5/SHA1
>> > combination (at least that's what the staging for 2.9.1 [2] contains).
>> >
>> > On top of that, I can't find an easy way to switch to another checksum -
>> > Maven deploy plugin [3] creates MD5 and SHA1 files automatically and
>> > doesn't seem to have any options to tweak this behavior.
>> >
>> > That said, I have two questions:
>> >
>> > 1. Are we required to use SHA512 or MD5/SHA1 is OK for now?
>> > 2. Is there a painless way to include SHA512 in addition to MD5/SHA1?
>> >
>> > Can anyone shed some light on this?
>> >
>> > [1] https://infra.apache.org/release-signing.html#basic-facts
>> > [2] https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
>> > [3] https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
>> >
>> > -Val
>> >
>>
>> --
>> Sincerely yours,
>> Ivan Bessonov
>

--
Best regards,
Ivan Pavlukhin
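
Added example, not part of the thread and not the Ignite project's release tooling: a shell sketch that writes a `.sha512` file next to each artifact in a local staging directory and then re-verifies them, which is the gap between the PGP plugin (signatures only) and the deploy plugin (MD5/SHA1 only) discussed above. The function names, the directory argument, and the choice to store the bare hex digest (the form Maven's `.md5`/`.sha1` sidecars use) are assumptions.

```shell
#!/bin/sh
# Added example: SHA-512 sidecar files for artifacts in a local staging directory.
# Assumption: each sidecar holds only the lowercase hex digest.

# Print the SHA-512 hex digest of one file (GNU coreutils, else perl's shasum).
sha512_hex() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Write <artifact>.sha512 for every file in the directory, skipping files
# that are themselves checksums so no checksum-of-a-checksum is produced.
write_sha512_sidecars() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.md5|*.sha1|*.sha256|*.sha512) continue ;;
        esac
        sha512_hex "$f" > "$f.sha512"
    done
}

# Recompute each digest and compare it with its sidecar.
# Returns 0 only if every sidecar matches and at least one was checked,
# so an empty or wrong directory does not pass silently.
verify_sha512_sidecars() {
    checked=0
    for s in "$1"/*.sha512; do
        [ -f "$s" ] || continue
        artifact=${s%.sha512}
        expected=$(tr -d ' \r\n' < "$s")
        if [ ! -f "$artifact" ] || [ "$(sha512_hex "$artifact")" != "$expected" ]; then
            echo "MISMATCH: $artifact" >&2
            return 1
        fi
        checked=$((checked + 1))
    done
    [ "$checked" -gt 0 ]
}
```

A checksum only detects corruption or tampering relative to wherever the checksum itself was obtained, so the `.asc` signature remains the authenticity check.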