Maybe, we could donate to maven plugin possibility to switch to SHA-512. Hopefully, a new plugin version will be released before we have any release candidate.
Is it looks like a big deal? ср, 13 янв. 2021 г., 21:32 Valentin Kulichenko < valentin.kuliche...@gmail.com>: > Hi Ivan, > > No, I haven't found a way yet. SHA1 still works, but I believe we should > consider using better options in future releases. > > Do you have any ideas on how to implement this? > > -Val > > On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin <vololo...@gmail.com> > wrote: > > > Folks, > > > > Were you able to resolve this? > > > > 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko < > > valentin.kuliche...@gmail.com>: > > > Hi Ivan, > > > > > > Thanks for your response. I've looked into the PGP plugin, and > > > unfortunately it looks like it only can create signatures, but not > > > checksums. > > > > > > -Val > > > > > > On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov <bessonov...@gmail.com> > > > wrote: > > > > > >> Hi, > > >> > > >> I've never done this before, but it seems like we need > maven-gpg-plugin > > >> for > > >> it [1]. > > >> > > >> Algorithm configuration would look like this: > > >> <gpgArguments> > > >> <arg>--digest-algo=SHA512</arg> > > >> </gpgArguments> > > >> > > >> Maybe this will help. > > >> > > >> [1] > > >> > > >> > > > http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html > > >> > > >> пн, 28 дек. 2020 г. в 01:25, Valentin Kulichenko < > > >> valentin.kuliche...@gmail.com>: > > >> > > >> > Igniters, > > >> > > > >> > I've been preparing the 3.0.0-alpha1 release and got confused about > > the > > >> > requirements for checksums in Maven deployments. The Apache > > instruction > > >> [1] > > >> > states that MD5 is deprecated and SHA1 should be avoided in favor of > > >> > SHA-256 or SHA-512. However, it looks like we are still using the > > >> MD5/SHA1 > > >> > combination (at least that's what the staging for 2.9.1 [2] > contains). > > >> > > > >> > On top of that, I can't find an easy way to switch to another > checksum > > >> > - > > >> > Maven deploy plugin [3] creates MD5 and SHA1 files automatically and > > >> > doesn't seem to have any options to tweak this behavior. > > >> > > > >> > That said, I have two questions: > > >> > > > >> > 1. Are we required to use SHA512 or MD5/SHA1 is OK for now? > > >> > 2. Is there a painless way to include SHA512 in addition to > > >> > MD5/SHA1? > > >> > > > >> > Can anyone shed some light on this? > > >> > > > >> > [1] https://infra.apache.org/release-signing.html#basic-facts > > >> > [2] > > >> > > > >> > > > >> > > > https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/ > > >> > [3] > > >> https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html > > >> > > > >> > -Val > > >> > > > >> > > >> > > >> -- > > >> Sincerely yours, > > >> Ivan Bessonov > > >> > > > > > > > > > -- > > > > Best regards, > > Ivan Pavlukhin > > >