Val, I didn't find a way to make a local deploy, so I just ran
'install'.

Yes, you are right, only the source jar is signed.
It seems we need to configure the checksum plugin for signing binary jars, as
is done in Maven-parent or any other project.

Thu, 14 Jan 2021, 23:14 Valentin Kulichenko <
valentin.kuliche...@gmail.com>:

> Andrey,
>
> Did you try on the 2.x or 3.x?
>
> I've just tried to do the same in ignite-3, but it didn't work for me. I've
> updated the parent pom version to 23 and ran "mvn clean deploy
> -Papache-release". The source package is now signed with SHA512, which is
> good, but there was no effect on the JAR artifacts. As a matter of fact, I
> don't see any checksum files for them. My guess is that by default they are
> generated by the deploy plugin, during the upload to Maven. Here is the
> resulting staging (still MD5 and SHA1):
> https://repository.apache.org/content/repositories/orgapacheignite-1505/
>
> Does it behave in the same way for you?
>
> -Val
>
> On Thu, Jan 14, 2021 at 3:30 AM Andrey Mashenkov <andrey.mashen...@gmail.com>
> wrote:
>
> > I've run "mvn clean install" with the "apache-release" profile enabled and see
> > *.sha-512 checksum files in target directories.
> > So, upgrading to the latest apache parent looks sufficient.
> >
> >
> > On Thu, Jan 14, 2021 at 12:30 PM Petr Ivanov <mr.wei...@gmail.com> wrote:
> >
> > > It seems that the parent is already updated in
> > > https://issues.apache.org/jira/browse/IGNITE-13987
> > >
> > >
> > >
> > > > On 14 Jan 2021, at 01:57, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
> > > >
> > > > Andrey,
> > > >
> > > > This sounds even better. Can you create a ticket for this change?
> > > >
> > > > -Val
> > > >
> > > > > On Wed, Jan 13, 2021 at 2:34 PM Andrey Mashenkov <andrey.mashen...@gmail.com>
> > > > > wrote:
> > > >
> > > >> Val,
> > > >>
> > > > >> I've just found that Maven projects use SHA-512.
> > > > >> I went through the commits and found they just switched to a newer parent
> > > > >> org.apache:apache pom.
> > > > >> I've compared our current parent pom with the latest available one
> > > > >> (org.apache:apache:16 vs org.apache:apache:23)
> > > > >> and then found checksum-maven-plugin was added [1] at some point in between.
> > > > >>
> > > > >> So, it seems we have to switch to a newer apache pom and maybe add
> > > > >> checksum-maven-plugin
> > > > >> to our main pom.
> > > > >>
> > > > >> [1] https://github.com/apache/maven-apache-parent/commit/a46aa52b4b56d9b7aa62e1b8cbea5ff0af434a
> > > > >>
> > > >> On Wed, Jan 13, 2021 at 10:41 PM Valentin Kulichenko <
> > > >> valentin.kuliche...@gmail.com> wrote:
> > > >>
> > > >>> Hi Andrey,
> > > >>>
> > > > >>> This indeed sounds like the cleanest way. I don't know how much effort that
> > > > >>> would be though.
> > > >>>
> > > >>> -Val
> > > >>>
> > > >>> On Wed, Jan 13, 2021 at 11:01 AM Andrey Mashenkov <
> > > >>> andrey.mashen...@gmail.com> wrote:
> > > >>>
> > > > >>>> Maybe we could donate to the Maven plugin the possibility to switch to SHA-512.
> > > > >>>> Hopefully, a new plugin version will be released before we have any release
> > > > >>>> candidate.
> > > > >>>>
> > > > >>>> Does it look like a big deal?
> > > > >>>>
> > > > >>>> Wed, 13 Jan 2021, 21:32 Valentin Kulichenko <
> > > > >>>> valentin.kuliche...@gmail.com>:
> > > > >>>>
> > > >>>>> Hi Ivan,
> > > >>>>>
> > > > >>>>> No, I haven't found a way yet. SHA1 still works, but I believe we should
> > > > >>>>> consider using better options in future releases.
> > > >>>>>
> > > >>>>> Do you have any ideas on how to implement this?
> > > >>>>>
> > > >>>>> -Val
> > > >>>>>
> > > > >>>>> On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin <vololo...@gmail.com>
> > > > >>>>> wrote:
> > > >>>>>
> > > >>>>>> Folks,
> > > >>>>>>
> > > >>>>>> Were you able to resolve this?
> > > >>>>>>
> > > >>>>>> 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko <
> > > >>>>>> valentin.kuliche...@gmail.com>:
> > > >>>>>>> Hi Ivan,
> > > >>>>>>>
> > > > >>>>>>> Thanks for your response. I've looked into the PGP plugin, and
> > > > >>>>>>> unfortunately it looks like it only can create signatures, but not
> > > > >>>>>>> checksums.
> > > >>>>>>>
> > > >>>>>>> -Val
> > > >>>>>>>
> > > > >>>>>>> On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov <bessonov...@gmail.com>
> > > > >>>>>>> wrote:
> > > >>>>>>>
> > > >>>>>>>> Hi,
> > > >>>>>>>>
> > > > >>>>>>>> I've never done this before, but it seems like we need maven-gpg-plugin
> > > > >>>>>>>> for it [1].
> > > >>>>>>>>
> > > >>>>>>>> Algorithm configuration would look like this:
> > > >>>>>>>> <gpgArguments>
> > > >>>>>>>>    <arg>--digest-algo=SHA512</arg>
> > > >>>>>>>> </gpgArguments>
> > > >>>>>>>>
> > > >>>>>>>> Maybe this will help.
> > > >>>>>>>>
> > > >>>>>>>> [1]
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>
> > > >>>>>
> > > >>>>
> > > >>>
> > > >>
> > >
> >
> http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html
> > > >>>>>>>>
> > > >>>>>>>> пн, 28 дек. 2020 г. в 01:25, Valentin Kulichenko <
> > > >>>>>>>> valentin.kuliche...@gmail.com>:
> > > >>>>>>>>
> > > >>>>>>>>> Igniters,
> > > >>>>>>>>>
> > > > >>>>>>>>> I've been preparing the 3.0.0-alpha1 release and got confused about the
> > > > >>>>>>>>> requirements for checksums in Maven deployments. The Apache instruction [1]
> > > > >>>>>>>>> states that MD5 is deprecated and SHA1 should be avoided in favor of
> > > > >>>>>>>>> SHA-256 or SHA-512. However, it looks like we are still using the MD5/SHA1
> > > > >>>>>>>>> combination (at least that's what the staging for 2.9.1 [2] contains).
> > > > >>>>>>>>>
> > > > >>>>>>>>> On top of that, I can't find an easy way to switch to another checksum -
> > > > >>>>>>>>> Maven deploy plugin [3] creates MD5 and SHA1 files automatically and
> > > > >>>>>>>>> doesn't seem to have any options to tweak this behavior.
> > > >>>>>>>>>
> > > >>>>>>>>> That said, I have two questions:
> > > >>>>>>>>>
> > > >>>>>>>>>   1. Are we required to use SHA512 or MD5/SHA1 is OK for now?
> > > >>>>>>>>>   2. Is there a painless way to include SHA512 in addition to
> > > >>>>>>>>> MD5/SHA1?
> > > >>>>>>>>>
> > > >>>>>>>>> Can anyone shed some light on this?
> > > >>>>>>>>>
> > > >>>>>>>>> [1]
> https://infra.apache.org/release-signing.html#basic-facts
> > > >>>>>>>>> [2]
> > > >>>>>>>>>
> > > >>>>>>>>>
> > > >>>>>>>>
> > > >>>>>>
> > > >>>>>
> > > >>>>
> > > >>>
> > > >>
> > >
> >
> https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
> > > >>>>>>>>> [3]
> > > >>>>>>>>
> > > >>>>
> > https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
> > > >>>>>>>>>
> > > >>>>>>>>> -Val
> > > >>>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>> --
> > > >>>>>>>> Sincerely yours,
> > > >>>>>>>> Ivan Bessonov
> > > >>>>>>>>
> > > >>>>>>>
> > > >>>>>>
> > > >>>>>>
> > > >>>>>> --
> > > >>>>>>
> > > >>>>>> Best regards,
> > > >>>>>> Ivan Pavlukhin
> > > >>>>>>
> > > >>>>>
> > > >>>>
> > > >>>
> > > >>
> > > >>
> > > >> --
> > > >> Best regards,
> > > >> Andrey V. Mashenkov
> > > >>
> > >
> > >
> >
> > --
> > Best regards,
> > Andrey V. Mashenkov
> >
>
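
The gap discussed in this thread (SHA-512 files for the source package, only MD5/SHA1 for the JARs) can be checked on a build output or downloaded staging directory before a release vote. The following Python audit is an added example, not part of the original thread or of the Ignite build; the function names and the `.sha512` sidecar extension are assumptions.

```python
import hashlib
from pathlib import Path

# Artifact types to audit and the sidecar extensions to look for.
# ".sha512" as the SHA-512 sidecar extension is an assumption of this example.
ARTIFACT_SUFFIXES = {".jar", ".pom", ".zip"}
WEAK_EXTS = ("md5", "sha1")
STRONG_EXT = "sha512"


def sha512_of(path: Path) -> str:
    """Stream the file so large artifacts are not loaded into memory."""
    digest = hashlib.sha512()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_artifact(artifact: Path) -> str:
    """Return 'ok', 'mismatch', 'weak-only' or 'no-checksum' for one artifact."""
    sidecar = artifact.with_name(artifact.name + "." + STRONG_EXT)
    if sidecar.is_file():
        # Sidecars hold either "<hex>" or "<hex>  <filename>"; take the first token.
        tokens = sidecar.read_text().split()
        recorded = tokens[0].lower() if tokens else ""
        return "ok" if recorded == sha512_of(artifact) else "mismatch"
    weak = [e for e in WEAK_EXTS if artifact.with_name(f"{artifact.name}.{e}").is_file()]
    return "weak-only" if weak else "no-checksum"


def audit_tree(root: str) -> dict:
    """Map each artifact path (relative to root) to its audit status."""
    base = Path(root)
    return {
        str(p.relative_to(base)): audit_artifact(p)
        for p in sorted(base.rglob("*"))
        if p.is_file() and p.suffix in ARTIFACT_SUFFIXES
    }


if __name__ == "__main__":
    import sys
    results = audit_tree(sys.argv[1] if len(sys.argv) > 1 else "target")
    for name, status in results.items():
        print(f"{status:12} {name}")
    sys.exit(1 if any(s != "ok" for s in results.values()) else 0)
```

Run as a script, it exits non-zero when any artifact lacks a matching SHA-512 sidecar, so it can gate a release step.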
