[ https://issues.apache.org/jira/browse/MRM-2018?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thomas Hoffmann updated MRM-2018:
---------------------------------
Description:

Hello,

since Gradle 6.0.1, in addition to the md5 and sha1 signatures, sha256 and sha512 signatures are also created, see Release-Notes: [https://docs.gradle.org/6.0.1/release-notes.html]

When Gradle 6 uploads the artifacts, there are two additional files:
* maven-metadata.xml.sha256
* maven-metadata.xml.sha512

Unfortunately, the website to view the artifacts can't be opened in Archiva. An error message "Could not retrieve metadata of the files" is shown.

The logfile additionally shows:

{{2020-08-14 14:26:14,886 [ajp-nio-127.0.0.1-8009-exec-41] WARN org.apache.archiva.webdav.ArchivaDavResourceFactory [] - Artifact path 'com/xxx/1.2033-SNAPSHOT/maven-metadata.xml.sha256' is invalid.}}
{{2020-08-14 14:26:14,904 [ajp-nio-127.0.0.1-8009-exec-37] WARN org.apache.archiva.webdav.ArchivaDavResourceFactory [] - Artifact path 'com/xxx/1.2033-SNAPSHOT/maven-metadata.xml.sha512' is invalid.}}

It would be great if Archiva could implement the new sha2-signatures or at least ignore them. In the current situation, Gradle 6 and above is killing the website viewing the artifacts.

As a temporary workaround, we can tell Gradle to not create the new sha2 signatures via the switch "org.gradle.internal.publish.checksums.insecure=true"

was:

Hello,

since Gradle 6.0.1, in addition to the md5 and sha1 signatures, sha256 and sha512 signatures are also created, see Release-Notes: [https://docs.gradle.org/6.0.1/release-notes.html]

When Gradle 6 uploads the artifacts, there are two additional files:
* maven-metadata.xml.sha256
* maven-metadata.xml.sha512

Unfortunately, the website to view the artifacts can't be opened in Archiva. An error message "Could not retrieve metadata of the files" is shown.

The logfile additionally shows:

{{2020-08-14 14:26:14,886 [ajp-nio-127.0.0.1-8009-exec-41] WARN org.apache.archiva.webdav.ArchivaDavResourceFactory [] - Artifact path 'com/xxx/1.2033-SNAPSHOT/maven-metadata.xml.sha256' is invalid.}}
{{2020-08-14 14:26:14,904 [ajp-nio-127.0.0.1-8009-exec-37] WARN org.apache.archiva.webdav.ArchivaDavResourceFactory [] - Artifact path 'com/xxx/1.2033-SNAPSHOT/maven-metadata.xml.sha512' is invalid.}}

It would be great if Archiva could implement the new sha2-signatures or at least ignore them. In the current situation, Gradle 6 and above is killing the website viewing the artifacts.

> Support for sha256 and sha512 Signatures of Gradle 6
> ----------------------------------------------------
>
> Key: MRM-2018
> URL: https://issues.apache.org/jira/browse/MRM-2018
> Project: Archiva
> Issue Type: Bug
> Affects Versions: 2.2.4
> Environment: Windows Server 2016
> Reporter: Thomas Hoffmann
> Priority: Major
>
> Hello,
> since Gradle 6.0.1, in addition to the md5 and sha1 signatures, sha256
> and sha512 signatures are also created, see Release-Notes:
> [https://docs.gradle.org/6.0.1/release-notes.html]
> When Gradle 6 uploads the artifacts, there are two additional files:
> * maven-metadata.xml.sha256
> * maven-metadata.xml.sha512
> Unfortunately, the website to view the artifacts can't be opened in Archiva.
> An error message "Could not retrieve metadata of the files" is shown.
> The logfile additionally shows:
> {{2020-08-14 14:26:14,886 [ajp-nio-127.0.0.1-8009-exec-41] WARN
> org.apache.archiva.webdav.ArchivaDavResourceFactory [] - Artifact path
> 'com/xxx/1.2033-SNAPSHOT/maven-metadata.xml.sha256' is invalid.}}
> {{2020-08-14 14:26:14,904 [ajp-nio-127.0.0.1-8009-exec-37] WARN
> org.apache.archiva.webdav.ArchivaDavResourceFactory [] - Artifact path
> 'com/xxx/1.2033-SNAPSHOT/maven-metadata.xml.sha512' is invalid.}}
> It would be great if Archiva could implement the new sha2-signatures or at
> least ignore them. In the current situation, Gradle 6 and above is killing
> the website viewing the artifacts.
> As a temporary workaround, we can tell Gradle to not create the new sha2
> signatures via the switch
> "org.gradle.internal.publish.checksums.insecure=true"

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
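
The Python below is an added example, not part of the Jira message and not Archiva or Gradle code. It treats the `.sha256` and `.sha512` files named in the report as checksum sidecars alongside `.md5` and `.sha1`, and verifies each one against the file it covers. All function names and the sample repository content are assumptions constructed for the example.

```python
import hashlib
import hmac

# .md5/.sha1 are the classic sidecars; .sha256/.sha512 are the ones the report says Gradle 6 adds.
CHECKSUM_EXTENSIONS = ("md5", "sha1", "sha256", "sha512")

def split_checksum_path(path):
    """Return (target_path, algorithm) for a checksum sidecar, else (path, None)."""
    base, dot, ext = path.rpartition(".")
    if dot and base and ext.lower() in CHECKSUM_EXTENSIONS:
        return base, ext.lower()
    return path, None

def parse_sidecar(raw, algorithm):
    """Extract the hex digest; a trailing file-name field is tolerated."""
    fields = raw.decode("ascii", "replace").split()
    digest = fields[0].lower() if fields else ""
    expected_len = hashlib.new(algorithm).digest_size * 2
    if len(digest) != expected_len or set(digest) - set("0123456789abcdef"):
        raise ValueError(f"not a valid {algorithm} hex digest")
    return digest

def verify_repository(files):
    """Map each sidecar path in {path: bytes} to ok / mismatch / orphan / malformed."""
    results = {}
    for path, raw in files.items():
        target, algorithm = split_checksum_path(path)
        if algorithm is None:
            continue  # ordinary artifact or metadata file
        if target not in files:
            results[path] = "orphan"
            continue
        try:
            claimed = parse_sidecar(raw, algorithm)
        except ValueError:
            results[path] = "malformed"
            continue
        actual = hashlib.new(algorithm, files[target]).hexdigest()
        results[path] = "ok" if hmac.compare_digest(claimed, actual) else "mismatch"
    return results

# Constructed sample: file names from the report, made-up content.
METADATA = b"<metadata><groupId>com.xxx</groupId></metadata>"
BASE = "com/xxx/1.2033-SNAPSHOT/maven-metadata.xml"
SAMPLE = {
    BASE: METADATA,
    BASE + ".sha256": hashlib.sha256(METADATA).hexdigest().encode() + b"  maven-metadata.xml\n",
    BASE + ".sha512": b"0" * 128,  # well-formed but wrong digest
}
```
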