You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@archiva.apache.org by "Thomas Hoffmann (Jira)" <ji...@apache.org> on 2020/08/14 13:30:00 UTC
[jira] [Updated] (MRM-2018) Support for sha256 and sha512
Signatures of Gradle 6
[ https://issues.apache.org/jira/browse/MRM-2018?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thomas Hoffmann updated MRM-2018:
---------------------------------
Description:
Hello,
since Gradle 6.0.1, additionally to the md5 and sha1 signatures, also sha256 and sha512 signatures are created, see Release-Notes: [https://docs.gradle.org/6.0.1/release-notes.html]
When Gradle 6 uploads the artifcats, there are two additional files:
* maven-metadata.xml.sha256
* maven-metadata.xml.sha512
Unfortunately, the website to view the artifacts can't be opened in archiva. An error message "Could not retrieve metadata of the files" is shown.
The logfile additionally shows:
{{2020-08-14 14:26:14,886 [ajp-nio-127.0.0.1-8009-exec-41] WARN org.apache.archiva.webdav.ArchivaDavResourceFactory [] - Artifact path 'com/xxx/1.2033-SNAPSHOT/maven-metadata.xml.sha256' is invalid.}}
{{2020-08-14 14:26:14,904 [ajp-nio-127.0.0.1-8009-exec-37] WARN org.apache.archiva.webdav.ArchivaDavResourceFactory [] - Artifact path 'com/xxx/1.2033-SNAPSHOT/maven-metadata.xml.sha512' is invalid.}}
It would be great, if Archiva could implement the new sha2-signatures or at least ignore them. In the current situation, gradle 6 and above is killing the website viewing the artifacts.
As a temporary workaround, we can tell gradle to not create the new sha2 signatures via the switch "org.gradle.internal.publish.checksums.insecure=true"
was:
Hello,
since Gradle 6.0.1, additionally to the md5 and sha1 signatures, also sha256 and sha512 signatures are created, see Release-Notes: [https://docs.gradle.org/6.0.1/release-notes.html]
When Gradle 6 uploads the artifcats, there are two additional files:
* maven-metadata.xml.sha256
* maven-metadata.xml.sha512
Unfortunately, the website to view the artifacts can't be opened in archiva. An error message "Could not retrieve metadata of the files" is shown.
The logfile additionally shows:
{{2020-08-14 14:26:14,886 [ajp-nio-127.0.0.1-8009-exec-41] WARN org.apache.archiva.webdav.ArchivaDavResourceFactory [] - Artifact path 'com/xxx/1.2033-SNAPSHOT/maven-metadata.xml.sha256' is invalid.}}
{{2020-08-14 14:26:14,904 [ajp-nio-127.0.0.1-8009-exec-37] WARN org.apache.archiva.webdav.ArchivaDavResourceFactory [] - Artifact path 'com/xxx/1.2033-SNAPSHOT/maven-metadata.xml.sha512' is invalid.}}
It would be great, if Archiva could implement the new sha2-signatures or at least ignore them. In the current situation, gradle 6 and above is killing the website viewing the artifacts.
> Support for sha256 and sha512 Signatures of Gradle 6
> ----------------------------------------------------
>
> Key: MRM-2018
> URL: https://issues.apache.org/jira/browse/MRM-2018
> Project: Archiva
> Issue Type: Bug
> Affects Versions: 2.2.4
> Environment: Windows Server 2016
> Reporter: Thomas Hoffmann
> Priority: Major
>
> Hello,
> since Gradle 6.0.1, additionally to the md5 and sha1 signatures, also sha256 and sha512 signatures are created, see Release-Notes: [https://docs.gradle.org/6.0.1/release-notes.html]
> When Gradle 6 uploads the artifcats, there are two additional files:
> * maven-metadata.xml.sha256
> * maven-metadata.xml.sha512
> Unfortunately, the website to view the artifacts can't be opened in archiva. An error message "Could not retrieve metadata of the files" is shown.
> The logfile additionally shows:
> {{2020-08-14 14:26:14,886 [ajp-nio-127.0.0.1-8009-exec-41] WARN org.apache.archiva.webdav.ArchivaDavResourceFactory [] - Artifact path 'com/xxx/1.2033-SNAPSHOT/maven-metadata.xml.sha256' is invalid.}}
> {{2020-08-14 14:26:14,904 [ajp-nio-127.0.0.1-8009-exec-37] WARN org.apache.archiva.webdav.ArchivaDavResourceFactory [] - Artifact path 'com/xxx/1.2033-SNAPSHOT/maven-metadata.xml.sha512' is invalid.}}
> It would be great, if Archiva could implement the new sha2-signatures or at least ignore them. In the current situation, gradle 6 and above is killing the website viewing the artifacts.
> As a temporary workaround, we can tell gradle to not create the new sha2 signatures via the switch "org.gradle.internal.publish.checksums.insecure=true"
--
This message was sent by Atlassian Jira
(v8.3.4#803005)