Posted to dev@maven.apache.org by Janardhan <ja...@apache.org> on 2021/05/26 07:14:04 UTC
[maven-gpg-plugin] Unable to sign artifacts with SHA-256 or higher
Hi Maven team,
TL;DR: Can we sign (SHA-512) artifacts with gpg plugin and how? Thanks.
1. We are trying to sign Apache SystemDS[0] release artifacts with
gpg-plugin; we are only receiving the `.md5` and `.sha1` without the
`-Daether.checksums.algorithms=SHA-512` flag as per [1][4].
2. With the following command we are receiving the .asc file additionally,
but not the `.sha512`.
```sh
mvn -P'distribution' deploy -DskipTests \
  -Daether.checksums.algorithms=SHA-512
```
3. I have read through the mail list[1] and some source code[3].
I have noted from discussion in [2] that the gpg arguments[5] in
pom.xml may not work but only work on the command line.
--
[0] https://github.com/apache/systemds/blob/master/pom.xml
[1] https://maven.apache.org/resolver/configuration.html
[2] https://www.mail-archive.com/users@maven.apache.org/msg142898.html
[3] https://github.com/apache/maven/blob/master/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java#L117
[4] https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#MessageDigest
[5] https://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html#gpgArguments
Thanks and regards,
Janardhan
Re: [maven-gpg-plugin] Unable to sign artifacts with SHA-256 or higher
Posted by Frederik Boster <fr...@boster.de.INVALID>.
Hi Janardhan,
The maven-gpg-plugin is only responsible for creating the "asc" files which
contain the PGP signature.
The file hashes are created by maven-resolver, which supports SHA-512 since
version 1.5.0 ( https://issues.apache.org/jira/browse/MRESOLVER-56 ).
If I remember correctly maven-resolver 1.5+ is included since Maven 3.8.1.
So you would have to update your Maven to 3.8.1 and
`-Daether.checksums.algorithms=SHA-512` should work then.
Best Regards
Frederik
On Wed, May 26, 2021 at 9:14 AM Janardhan <ja...@apache.org> wrote:
> Hi Maven team,
>
> TL;DR: Can we sign (SHA-512) artifacts with gpg plugin and how? Thanks.
>
> 1. We are trying to sign Apache SystemDS[0] release artifacts with
> gpg-plugin; we are only receiving the `.md5` and `.sha1` without the
> `-Daether.checksums.algorithms=SHA-512` flag as per [1][4].
>
> 2. With the following command we are receiving the .asc file additionally,
> but not the `.sha512`.
>
> ```sh
> mvn -P'distribution' deploy -DskipTests \
>   -Daether.checksums.algorithms=SHA-512
> ```
>
> 3. I have read through the mail list[1] and some source code[3].
> I have noted from discussion in [2] that the gpg arguments[5] in
> pom.xml may not work but only work on the command line.
>
> --
> [0] https://github.com/apache/systemds/blob/master/pom.xml
> [1] https://maven.apache.org/resolver/configuration.html
> [2] https://www.mail-archive.com/users@maven.apache.org/msg142898.html
> [3] https://github.com/apache/maven/blob/master/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java#L117
> [4] https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#MessageDigest
> [5] https://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html#gpgArguments
>
> Thanks and regards,
> Janardhan
>
Re: [maven-gpg-plugin] Unable to sign artifacts with SHA-256 or higher
Posted by Konrad Windszus <ko...@gmx.de>.
Look at https://issues.apache.org/jira/browse/MPOM-244 which should solve this for ASF projects.
Konrad
> On 27. May 2021, at 13:29, Janardhan <ja...@gmail.com> wrote:
>
> Thank you for the generous response.
>
>> The file hashes are created by maven-resolver, which supports SHA-512 since
>> version 1.5.0 ( https://issues.apache.org/jira/browse/MRESOLVER-56 ).
>> If I remember correctly maven-resolver 1.5+ is included since Maven 3.8.1.
>> So you would have to update your Maven to 3.8.1 and
>> `-Daether.checksums.algorithms=SHA-512` should work then.
>
>
> This works like a charm, Frederik.
>
> The complete command I have used is
>
> ```sh
> mvn -P'distribution,rat' deploy -Daether.checksums.algorithms=SHA-512
> ```
>
>> This is not signing, this is just a checksum for transport bitrot.
>
>
> Thanks Michael for clarification.
>
> I think this usage can be documented (explicitly). What do you think?
> I am open to giving a PR since all the apache projects use this
> functionality. :)
>
> Regards,
> Janardhan
>
>
> On Thu, May 27, 2021 at 1:27 PM Michael Osipov <mi...@apache.org> wrote:
>
>> On 2021-05-26 at 09:14, Janardhan wrote:
>>> Hi Maven team,
>>>
>>> TL;DR: Can we sign (SHA-512) artifacts with gpg plugin and how? Thanks.
>>
>> This is not signing, this is just a checksum for transport bitrot.
>> If you need SHA-2 hashes use Resolver's new property for this.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
>> For additional commands, e-mail: dev-help@maven.apache.org
>>
>>
Re: [maven-gpg-plugin] Unable to sign artifacts with SHA-256 or higher
Posted by Janardhan <ja...@gmail.com>.
Thank you for the generous response.
> The file hashes are created by maven-resolver, which supports SHA-512 since
> version 1.5.0 ( https://issues.apache.org/jira/browse/MRESOLVER-56 ).
> If I remember correctly maven-resolver 1.5+ is included since Maven 3.8.1.
> So you would have to update your Maven to 3.8.1 and
> `-Daether.checksums.algorithms=SHA-512` should work then.
This works like a charm, Frederik.
The complete command I have used is
```sh
mvn -P'distribution,rat' deploy -Daether.checksums.algorithms=SHA-512
```
> This is not signing, this is just a checksum for transport bitrot.
Thanks Michael for clarification.
I think this usage can be documented (explicitly). What do you think?
I am open to giving a PR since all the apache projects use this
functionality. :)
Regards,
Janardhan
On Thu, May 27, 2021 at 1:27 PM Michael Osipov <mi...@apache.org> wrote:
> On 2021-05-26 at 09:14, Janardhan wrote:
> > Hi Maven team,
> >
> > TL;DR: Can we sign (SHA-512) artifacts with gpg plugin and how? Thanks.
>
> This is not signing, this is just a checksum for transport bitrot.
> If you need SHA-2 hashes use Resolver's new property for this.
Re: [maven-gpg-plugin] Unable to sign artifacts with SHA-256 or higher
Posted by Michael Osipov <mi...@apache.org>.
On 2021-05-26 at 09:14, Janardhan wrote:
> Hi Maven team,
>
> TL;DR: Can we sign (SHA-512) artifacts with gpg plugin and how? Thanks.
This is not signing, this is just a checksum for transport bitrot.
If you need SHA-2 hashes use Resolver's new property for this.
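Added example, not part of the thread and not code from Maven or SystemDS: a release-directory audit that treats the two things discussed above separately, checking that each artifact has a matching `.sha512` sidecar (the resolver's checksum) and a `.asc` file (the gpg plugin's signature). The function names and the `demo-1.0.*` files are hypothetical and the sample data is constructed; it assumes the first whitespace-delimited field of a sidecar is the hex digest, and it checks only that a `.asc` exists, not that it verifies.

```sh
#!/bin/sh
# Added example (not from the thread): audit a directory of deployed artifacts.
# Assumption: each sidecar's first whitespace-delimited field is the hex digest.

sha512_of() { sha512sum "$1" | awk '{print $1}'; }

# Print one status line per artifact; return 1 if any check fails.
audit_release() {
  dir=$1; rc=0
  for f in "$dir"/*; do
    case "$f" in *.md5|*.sha1|*.sha256|*.sha512|*.asc) continue ;; esac
    [ -f "$f" ] || continue
    name=${f##*/}
    if [ ! -f "$f.sha512" ]; then
      echo "MISSING-SHA512 $name"; rc=1
    else
      # Accept both a bare digest and the "digest  filename" layout.
      want=$(awk 'NR==1 {print tolower($1)}' "$f.sha512")
      if [ "$want" = "$(sha512_of "$f")" ]; then
        echo "OK-SHA512 $name"
      else
        echo "BAD-SHA512 $name"; rc=1
      fi
    fi
    # A checksum only detects corruption; authenticity needs the .asc signature,
    # which must be checked separately with gpg --verify and a trusted key.
    [ -f "$f.asc" ] || { echo "MISSING-ASC $name"; rc=1; }
  done
  return $rc
}

# Constructed sample: three fake artifacts in a temporary directory.
make_sample() {
  d=$(mktemp -d)
  printf 'jar-bytes' > "$d/demo-1.0.jar"
  printf 'pom-bytes' > "$d/demo-1.0.pom"
  printf 'zip-bytes' > "$d/demo-1.0-bin.zip"
  sha512_of "$d/demo-1.0.jar" > "$d/demo-1.0.jar.sha512"   # correct, bare digest
  echo "deadbeef  demo-1.0.pom" > "$d/demo-1.0.pom.sha512"  # wrong digest
  : > "$d/demo-1.0.jar.asc"; : > "$d/demo-1.0.pom.asc"      # empty placeholders
  echo "$d"
}

sample=$(make_sample)
audit_release "$sample" || echo "audit failed"
rm -rf "$sample"
```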