Posted to users@maven.apache.org by Janardhan <ja...@apache.org> on 2021/05/25 15:29:21 UTC

[maven-gpg-plugin] Unable to sign artifacts with SHA-256 or higher

Hi Maven team,

TL;DR: Can we sign (SHA-512) artifacts with the gpg plugin, and how? Thanks.

1. We are trying to Apache SystemDS[0] release artifacts with gpg-plugin,
we are only receiving the `.md5` and `.sha1` without the
`-Daether.checksums.algorithms=SHA-512` flag as per [1][4].

2. With the following command we are receiving the .asc file additionally.
But, not the `.sha512`.

mvn -P'distribution' deploy -DskipTests \
  -Daether.checksums.algorithms=SHA-512


3. I have read through the mail list[1] and some source code[3].
I have noted from discussion in [2] that the gpg arguments[5] in
pom.xml may not work but only work on the command line.


--
[0] https://github.com/apache/systemds/blob/master/pom.xml
[1] https://maven.apache.org/resolver/configuration.html
[2] https://www.mail-archive.com/users@maven.apache.org/msg142898.html
[3] https://github.com/apache/maven/blob/master/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java#L117
[4] https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#MessageDigest
[5] https://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html#gpgArguments

Thanks and regards,
Janardhan