Posted to commits@maven.apache.org by hb...@apache.org on 2021/06/10 06:38:05 UTC
[maven-apache-parent] branch master updated: [MPOM-244] deploy
SHA-512 to remote repository for source-release (#40)
This is an automated email from the ASF dual-hosted git repository.
hboutemy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/maven-apache-parent.git
The following commit(s) were added to refs/heads/master by this push:
new b08ef16 [MPOM-244] deploy SHA-512 to remote repository for source-release (#40)
b08ef16 is described below
commit b08ef161f1847a17b36b456f68bfa784770b6a58
Author: Konrad Windszus <kw...@apache.org>
AuthorDate: Thu Jun 10 08:38:00 2021 +0200
[MPOM-244] deploy SHA-512 to remote repository for source-release (#40)
* MPOM-244 upload SHA512 to staging repo as well
* reorder checksum and gpg
* exclude SHA512 from signing
* update to m-gpg-p 3.0.1 to not generate signatures for SHA-512 checksums
* calculate checksum in a phase prior to verify
---
pom.xml | 52 +++++++++++++++++++++++++---------------------------
1 file changed, 25 insertions(+), 27 deletions(-)
diff --git a/pom.xml b/pom.xml
index 4fab2fb..418d684 100644
--- a/pom.xml
+++ b/pom.xml
@@ -424,48 +424,46 @@ under the License.
</execution>
</executions>
</plugin>
- <!-- We want to sign the artifact, the POM, and all attached artifacts -->
+ <!-- calculate checksums of source release for Apache dist area -->
<plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-gpg-plugin</artifactId>
+ <groupId>net.nicoulaj.maven.plugins</groupId>
+ <artifactId>checksum-maven-plugin</artifactId>
+ <version>1.10</version>
<executions>
<execution>
- <id>sign-release-artifacts</id>
+ <id>source-release-checksum</id>
<goals>
- <goal>sign</goal>
+ <goal>artifacts</goal>
</goals>
+ <!-- execute prior to maven-gpg-plugin:sign due to https://github.com/nicoulaj/checksum-maven-plugin/issues/112 -->
+ <phase>post-integration-test</phase>
+ <configuration>
+ <algorithms>
+ <algorithm>SHA-512</algorithm>
+ </algorithms>
+ <!-- https://maven.apache.org/apache-resource-bundles/#source-release-assembly-descriptor -->
+ <includeClassifiers>source-release</includeClassifiers>
+ <excludeMainArtifact>true</excludeMainArtifact>
+ <csvSummary>false</csvSummary>
+ <!-- attach SHA-512 checksum as well to upload to Maven Staging Repo,
+ as this eases uploading from stage to dist and doesn't do harm in Maven Central -->
+ <attachChecksums>true</attachChecksums>
+ </configuration>
</execution>
</executions>
</plugin>
- <!-- calculate checksums of source release for Apache dist area -->
+ <!-- We want to sign the artifact, the POM, and all attached artifacts (except for SHA-512 checksum) -->
<plugin>
- <groupId>net.nicoulaj.maven.plugins</groupId>
- <artifactId>checksum-maven-plugin</artifactId>
- <version>1.9</version>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-gpg-plugin</artifactId>
<executions>
<execution>
- <id>source-release-checksum</id>
+ <id>sign-release-artifacts</id>
<goals>
- <goal>files</goal>
+ <goal>sign</goal>
</goals>
</execution>
</executions>
- <configuration>
- <algorithms>
- <algorithm>SHA-512</algorithm>
- </algorithms>
- <csvSummary>false</csvSummary>
- <fileSets>
- <fileSet>
- <directory>${project.build.directory}</directory>
- <includes>
- <include>${project.artifactId}-${project.version}-source-release.zip</include>
- <include>${project.artifactId}-${project.version}-source-release.tar*</include>
- </includes>
- </fileSet>
- </fileSets>
- <failIfNoFiles>false</failIfNoFiles><!-- usually, no file to do checksum: don't consider error -->
- </configuration>
</plugin>
</plugins>
</build>
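Review bot: The new comment on the maven-gpg-plugin block says the SHA-512 checksum is excluded from signing, but nothing in the visible `<plugin>` configuration enforces that. It appears to rely on the default excludes of the plugin version named in the commit message (3.0.1), which is not pinned anywhere in this hunk. Because `attachChecksums` is now `true`, a child POM that overrides or inherits an older gpg plugin version would presumably sign and deploy `.sha512.asc` files as well. I would state the dependency where it is relied on, e.g. `<!-- *.sha512 is skipped by maven-gpg-plugin's default excludes (needs 3.0.1+; version is managed outside this block) -->`. A line next to `attachChecksums` would also help, noting that the deployed checksum is unsigned and sits beside the artifact, so it only detects corruption and the `.asc` signature remains the authenticity check.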