Hi Ivan, No, I haven't found a way yet. SHA1 still works, but I believe we should consider using better options in future releases.
Do you have any ideas on how to implement this? -Val On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin <vololo...@gmail.com> wrote: > Folks, > > Were you able to resolve this? > > 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko < > valentin.kuliche...@gmail.com>: > > Hi Ivan, > > > > Thanks for your response. I've looked into the PGP plugin, and > > unfortunately it looks like it only can create signatures, but not > > checksums. > > > > -Val > > > > On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov <bessonov...@gmail.com> > > wrote: > > > >> Hi, > >> > >> I've never done this before, but it seems like we need maven-gpg-plugin > >> for > >> it [1]. > >> > >> Algorithm configuration would look like this: > >> <gpgArguments> > >> <arg>--digest-algo=SHA512</arg> > >> </gpgArguments> > >> > >> Maybe this will help. > >> > >> [1] > >> > >> > http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html > >> > >> пн, 28 дек. 2020 г. в 01:25, Valentin Kulichenko < > >> valentin.kuliche...@gmail.com>: > >> > >> > Igniters, > >> > > >> > I've been preparing the 3.0.0-alpha1 release and got confused about > the > >> > requirements for checksums in Maven deployments. The Apache > instruction > >> [1] > >> > states that MD5 is deprecated and SHA1 should be avoided in favor of > >> > SHA-256 or SHA-512. However, it looks like we are still using the > >> MD5/SHA1 > >> > combination (at least that's what the staging for 2.9.1 [2] contains). > >> > > >> > On top of that, I can't find an easy way to switch to another checksum > >> > - > >> > Maven deploy plugin [3] creates MD5 and SHA1 files automatically and > >> > doesn't seem to have any options to tweak this behavior. > >> > > >> > That said, I have two questions: > >> > > >> > 1. Are we required to use SHA512 or MD5/SHA1 is OK for now? > >> > 2. Is there a painless way to include SHA512 in addition to > >> > MD5/SHA1? > >> > > >> > Can anyone shed some light on this? > >> > > >> > [1] https://infra.apache.org/release-signing.html#basic-facts > >> > [2] > >> > > >> > > >> > https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/ > >> > [3] > >> https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html > >> > > >> > -Val > >> > > >> > >> > >> -- > >> Sincerely yours, > >> Ivan Bessonov > >> > > > > > -- > > Best regards, > Ivan Pavlukhin >
