Hi Andrey, This indeed sounds like the cleanest way. I don't know how much effort that would be though.
-Val On Wed, Jan 13, 2021 at 11:01 AM Andrey Mashenkov < andrey.mashen...@gmail.com> wrote: > Maybe, we could donate to maven plugin possibility to switch to SHA-512. > Hopefully, a new plugin version will be released before we have any release > candidate. > > Is it looks like a big deal? > > ср, 13 янв. 2021 г., 21:32 Valentin Kulichenko < > valentin.kuliche...@gmail.com>: > > > Hi Ivan, > > > > No, I haven't found a way yet. SHA1 still works, but I believe we should > > consider using better options in future releases. > > > > Do you have any ideas on how to implement this? > > > > -Val > > > > On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin <vololo...@gmail.com> > > wrote: > > > > > Folks, > > > > > > Were you able to resolve this? > > > > > > 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko < > > > valentin.kuliche...@gmail.com>: > > > > Hi Ivan, > > > > > > > > Thanks for your response. I've looked into the PGP plugin, and > > > > unfortunately it looks like it only can create signatures, but not > > > > checksums. > > > > > > > > -Val > > > > > > > > On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov < > bessonov...@gmail.com> > > > > wrote: > > > > > > > >> Hi, > > > >> > > > >> I've never done this before, but it seems like we need > > maven-gpg-plugin > > > >> for > > > >> it [1]. > > > >> > > > >> Algorithm configuration would look like this: > > > >> <gpgArguments> > > > >> <arg>--digest-algo=SHA512</arg> > > > >> </gpgArguments> > > > >> > > > >> Maybe this will help. > > > >> > > > >> [1] > > > >> > > > >> > > > > > > http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html > > > >> > > > >> пн, 28 дек. 2020 г. в 01:25, Valentin Kulichenko < > > > >> valentin.kuliche...@gmail.com>: > > > >> > > > >> > Igniters, > > > >> > > > > >> > I've been preparing the 3.0.0-alpha1 release and got confused > about > > > the > > > >> > requirements for checksums in Maven deployments. The Apache > > > instruction > > > >> [1] > > > >> > states that MD5 is deprecated and SHA1 should be avoided in favor > of > > > >> > SHA-256 or SHA-512. However, it looks like we are still using the > > > >> MD5/SHA1 > > > >> > combination (at least that's what the staging for 2.9.1 [2] > > contains). > > > >> > > > > >> > On top of that, I can't find an easy way to switch to another > > checksum > > > >> > - > > > >> > Maven deploy plugin [3] creates MD5 and SHA1 files automatically > and > > > >> > doesn't seem to have any options to tweak this behavior. > > > >> > > > > >> > That said, I have two questions: > > > >> > > > > >> > 1. Are we required to use SHA512 or MD5/SHA1 is OK for now? > > > >> > 2. Is there a painless way to include SHA512 in addition to > > > >> > MD5/SHA1? > > > >> > > > > >> > Can anyone shed some light on this? > > > >> > > > > >> > [1] https://infra.apache.org/release-signing.html#basic-facts > > > >> > [2] > > > >> > > > > >> > > > > >> > > > > > > https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/ > > > >> > [3] > > > >> > https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html > > > >> > > > > >> > -Val > > > >> > > > > >> > > > >> > > > >> -- > > > >> Sincerely yours, > > > >> Ivan Bessonov > > > >> > > > > > > > > > > > > > -- > > > > > > Best regards, > > > Ivan Pavlukhin > > > > > >
