Andrey,

Did you try on the 2.x or 3.x?

I've just tried to do the same in ignite-3, but it didn't work for me. I've
updated the parent pom version to 23 and ran "mvn clean deploy
-Papache-release". The source package is now signed with SHA512, which is
good, but there was no effect on the JAR artifacts. As a matter of fact, I
don't see any checksum files for them. My guess is that by default they are
generated by the deploy plugin, during the upload to Maven. Here is the
resulting staging (still MD5 and SHA1):
https://repository.apache.org/content/repositories/orgapacheignite-1505/

Does it behave in the same way for you?

-Val

On Thu, Jan 14, 2021 at 3:30 AM Andrey Mashenkov <andrey.mashen...@gmail.com>
wrote:

> I've made "mvn clean install" with enabled "apache-release" profile and see
> *.sha-512 checksum files in target directories.
> So, upgrading to the latest apache parent looks sufficient.
>
>
> On Thu, Jan 14, 2021 at 12:30 PM Petr Ivanov <mr.wei...@gmail.com> wrote:
>
> > It seems that parent is already updated in
> > https://issues.apache.org/jira/browse/IGNITE-13987
> >
> >
> >
> > > On 14 Jan 2021, at 01:57, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
> > >
> > > Andrey,
> > >
> > > This sounds even better. Can you create a ticket for this change?
> > >
> > > -Val
> > >
> > > On Wed, Jan 13, 2021 at 2:34 PM Andrey Mashenkov <andrey.mashen...@gmail.com> wrote:
> > >
> > >> Val,
> > >>
> > >> I've just found Maven projects use SHA-512.
> > >> I passed through commits and found they just switched to newer parent
> > >> org.apache:apache pom.
> > >> I've compared our current parent pom with the latest available one
> > >> (org.apache:apache:16 vs org.apache:apache:23)
> > >> and then found checksum-maven-plugin was added [1] sometime in between.
> > >>
> > >> So, it seems we have to switch to a newer apache pom and maybe add
> > >> checksum-maven-plugin
> > >> to our main pom.
> > >>
> > >> [1] https://github.com/apache/maven-apache-parent/commit/a46aa52b4b56d9b7aa62e1b8cbea5ff0af434a
> > >>
> > >> On Wed, Jan 13, 2021 at 10:41 PM Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
> > >>
> > >>> Hi Andrey,
> > >>>
> > >>> This indeed sounds like the cleanest way. I don't know how much effort
> > >>> that would be though.
> > >>>
> > >>> -Val
> > >>>
> > >>> On Wed, Jan 13, 2021 at 11:01 AM Andrey Mashenkov <andrey.mashen...@gmail.com> wrote:
> > >>>
> > >>>> Maybe we could donate to the Maven plugin the possibility to switch to SHA-512.
> > >>>> Hopefully, a new plugin version will be released before we have any
> > >>>> release candidate.
> > >>>>
> > >>>> Does it look like a big deal?
> > >>>>
> > >>>> Wed, Jan 13, 2021, 21:32 Valentin Kulichenko <valentin.kuliche...@gmail.com>:
> > >>>>
> > >>>>> Hi Ivan,
> > >>>>>
> > >>>>> No, I haven't found a way yet. SHA1 still works, but I believe we should
> > >>>>> consider using better options in future releases.
> > >>>>>
> > >>>>> Do you have any ideas on how to implement this?
> > >>>>>
> > >>>>> -Val
> > >>>>>
> > >>>>> On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin <vololo...@gmail.com> wrote:
> > >>>>>
> > >>>>>> Folks,
> > >>>>>>
> > >>>>>> Were you able to resolve this?
> > >>>>>>
> > >>>>>> 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko <valentin.kuliche...@gmail.com>:
> > >>>>>>> Hi Ivan,
> > >>>>>>>
> > >>>>>>> Thanks for your response. I've looked into the PGP plugin, and
> > >>>>>>> unfortunately it looks like it only can create signatures, but not
> > >>>>>>> checksums.
> > >>>>>>>
> > >>>>>>> -Val
> > >>>>>>>
> > >>>>>>> On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov <bessonov...@gmail.com> wrote:
> > >>>>>>>
> > >>>>>>>> Hi,
> > >>>>>>>>
> > >>>>>>>> I've never done this before, but it seems like we need maven-gpg-plugin
> > >>>>>>>> for it [1].
> > >>>>>>>>
> > >>>>>>>> Algorithm configuration would look like this:
> > >>>>>>>> <gpgArguments>
> > >>>>>>>>    <arg>--digest-algo=SHA512</arg>
> > >>>>>>>> </gpgArguments>
> > >>>>>>>>
> > >>>>>>>> Maybe this will help.
> > >>>>>>>>
> > >>>>>>>> [1] http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html
> > >>>>>>>>
> > >>>>>>>> Mon, Dec 28, 2020 at 01:25, Valentin Kulichenko <valentin.kuliche...@gmail.com>:
> > >>>>>>>>
> > >>>>>>>>> Igniters,
> > >>>>>>>>>
> > >>>>>>>>> I've been preparing the 3.0.0-alpha1 release and got confused about the
> > >>>>>>>>> requirements for checksums in Maven deployments. The Apache instruction [1]
> > >>>>>>>>> states that MD5 is deprecated and SHA1 should be avoided in favor of
> > >>>>>>>>> SHA-256 or SHA-512. However, it looks like we are still using the MD5/SHA1
> > >>>>>>>>> combination (at least that's what the staging for 2.9.1 [2] contains).
> > >>>>>>>>>
> > >>>>>>>>> On top of that, I can't find an easy way to switch to another checksum -
> > >>>>>>>>> Maven deploy plugin [3] creates MD5 and SHA1 files automatically and
> > >>>>>>>>> doesn't seem to have any options to tweak this behavior.
> > >>>>>>>>>
> > >>>>>>>>> That said, I have two questions:
> > >>>>>>>>>
> > >>>>>>>>>   1. Are we required to use SHA512, or is MD5/SHA1 OK for now?
> > >>>>>>>>>   2. Is there a painless way to include SHA512 in addition to MD5/SHA1?
> > >>>>>>>>>
> > >>>>>>>>> Can anyone shed some light on this?
> > >>>>>>>>>
> > >>>>>>>>> [1] https://infra.apache.org/release-signing.html#basic-facts
> > >>>>>>>>> [2] https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
> > >>>>>>>>> [3] https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
> > >>>>>>>>>
> > >>>>>>>>> -Val
> > >>>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> --
> > >>>>>>>> Sincerely yours,
> > >>>>>>>> Ivan Bessonov
> > >>>>>>>>
> > >>>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>> --
> > >>>>>>
> > >>>>>> Best regards,
> > >>>>>> Ivan Pavlukhin
> > >>>>>>
> > >>>>>
> > >>>>
> > >>>
> > >>
> > >>
> > >> --
> > >> Best regards,
> > >> Andrey V. Mashenkov
> > >>
> >
> >
>
> --
> Best regards,
> Andrey V. Mashenkov
>
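
Added example, not part of the thread and not code from the Ignite project: a script that audits a local copy of a staged Maven repository for the situation described above (artifacts carrying only MD5/SHA1 sidecars), verifies the sidecars that do exist, and writes the missing SHA-512 ones. The `.sha512` sidecar name, the audited file types and the sample coordinates are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

SIDECARS = {"md5": "md5", "sha1": "sha1", "sha512": "sha512"}  # extension -> hashlib name
ARTIFACTS = {".jar", ".pom", ".zip"}  # assumption: file types worth auditing


def digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(root):
    """Map each artifact under root to {ext: 'ok' | 'missing' | 'mismatch'}."""
    root, report = Path(root), {}
    for art in sorted(p for p in root.rglob("*") if p.is_file() and p.suffix in ARTIFACTS):
        status = {}
        for ext, algo in SIDECARS.items():
            side = art.with_name(f"{art.name}.{ext}")
            if not side.exists():
                status[ext] = "missing"
                continue
            # A sidecar holds "<hex>" or "<hex>  <file>"; an empty one counts as a mismatch.
            tokens = side.read_text().split()
            ok = bool(tokens) and tokens[0].lower() == digest(art, algo)
            status[ext] = "ok" if ok else "mismatch"
        report[art.relative_to(root).as_posix()] = status
    return report


def add_missing_sha512(root):
    """Write a .sha512 sidecar for every artifact lacking one; return artifacts touched."""
    touched = [name for name, st in audit(root).items() if st["sha512"] == "missing"]
    for name in touched:
        art = Path(root) / name
        art.with_name(art.name + ".sha512").write_text(digest(art, "sha512") + "\n")
    return touched


if __name__ == "__main__":
    # Constructed sample: one JAR staged with MD5/SHA1 only, as described in the thread.
    with tempfile.TemporaryDirectory() as tmp:
        jar = Path(tmp, "org/apache/ignite/ignite-core/0.0.0-sample/ignite-core-0.0.0-sample.jar")
        jar.parent.mkdir(parents=True)
        jar.write_bytes(b"constructed sample bytes, not a real JAR")
        for ext in ("md5", "sha1"):
            jar.with_name(f"{jar.name}.{ext}").write_text(digest(jar, ext))
        print(audit(tmp))
        print(add_missing_sha512(tmp), audit(tmp))
```

A sidecar written this way only attests to the bytes on disk at that moment, so it belongs before signing and upload, with the audit repeated against the downloaded staging contents.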
