Hi
And here is another Grok AI reply (think harder mode)
https://grok.com/share/c2hhcmQtNQ_2c900d4c-f6e5-401a-9162-d526ac50c514

The error you're encountering during the staging repository closure is due
to Nexus's security validation rule ("no-traversal-paths-in-archive-file")
misidentifying one of your uploaded MD5 checksum files (e.g., something
like `artifact-name.pom.md5` or `artifact-name.jar.md5`) as a compressed
archive file (specifically, a cpio format archive). This happens because
the content of that particular MD5 file starts with a string like "070701"
or "070702", which matches the magic number for cpio archives.

When Nexus attempts to inspect it as an archive to check for insecure paths
(e.g., path traversal vulnerabilities), the parsing fails because it's not
actually an archive—it's just a text file containing a hash and filename.
This leads to the WalkerException and the nested IllegalArgumentException
about the "unknown mode," as the random bytes in the file don't conform to
a valid cpio header structure (e.g., the mode field is interpreted as
invalid hex like "5543562b").

### How to Identify the Problematic File
- Log in to your Sonatype Nexus OSSRH account and view the contents of the
staging repository (`orgapachecamel-1911`).
- Download all the .md5 files.
- Open them in a text editor or hex viewer and check which one starts with
"07070..." (e.g., "070702xxxxxxxx filename").

### Solutions
- **Short-term workaround:** Slightly modify the artifact associated with
the problematic .md5 file (e.g., add a space in a comment or update a
non-functional part of the POM) to regenerate a new hash that doesn't start
with the conflicting magic number. Then, redeploy to a new staging
repository.
- **Alternative:** Bump the version number of the affected artifact (e.g.,
from x.y.z to x.y.z+1) and redeploy. This will change the hash and avoid
the issue.
- **Long-term recommendation:** Consider generating and uploading stronger
checksums like SHA-256 (.sha256 files) alongside or instead of MD5/SHA1, as
longer hashes reduce the chance of magic number collisions. Update your
Maven build configuration to include this (e.g., via the
`maven-assembly-plugin` or `maven-deploy-plugin`). Sonatype supports
SHA-256, and it may help avoid similar edge cases in the future.
- If this persists across versions or you can't modify the artifacts,
contact Sonatype support via their OSSRH Jira (issues.sonatype.org) and
provide the staging repo ID and error logs for assistance—they may be able
to override or investigate server-side.

This is a known edge case in Nexus (versions around 2.x and 3.x), stemming
from content-based file type detection prioritizing magic numbers over file
extensions in some scenarios.

On Thu, Dec 11, 2025 at 10:09 PM Gregor Zurowski <[email protected]>
wrote:
> Hi Everyone:
>
> I have built the Camel 4.14.3 release candidate, but I am getting the
> following error when attempting to close the staging repository in
> Nexus:
>
> ```
> Event: Failed: Archives must not contain insecure paths
>
> typeId no-traversal-paths-in-archive-file
> failureMessage Rule evaluation unexpectedly failed:
> org.sonatype.nexus.proxy.walker.WalkerException: Aborted walking on
> repository ID='orgapachecamel-1911' from path='/'.
> x.x.causedBy.1 java.lang.IllegalArgumentException: Unknown mode. Full:
> 5543562b Masked: 5000
> x.x.causedBy.0 org.sonatype.nexus.proxy.walker.WalkerException:
> Aborted walking on repository ID='orgapachecamel-1911' from path='/'.
> ```
>
> Any ideas what might be causing this?
>
> Thanks in advance,
> Gregor
>
--
Claus Ibsen
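
An added example, not part of the original e-mail thread and not Nexus code: a pre-deploy check that flags checksum files whose content begins with a cpio magic string and shows how a new-ASCII cpio header parse would read the mode field. The function names, the assumed header layout (6-character magic, 8 hex characters of inode, 8 hex characters of mode) and the sample hash line are assumptions; the sample is constructed to reproduce the mode value in the error message above.

```python
import stat
import sys
from pathlib import Path

# ASCII cpio magics: "new" (070701), "new CRC" (070702), old portable (070707).
CPIO_MAGICS = (b"070701", b"070702", b"070707")
# POSIX file types a cpio reader would accept in (mode & S_IFMT).
VALID_TYPES = {stat.S_IFIFO, stat.S_IFCHR, stat.S_IFDIR, stat.S_IFBLK,
               stat.S_IFREG, stat.S_IFLNK, stat.S_IFSOCK}

# Constructed sample, not the real file: a 32-char MD5-style line whose
# characters 14..21 are the mode value quoted in the error message.
SAMPLE = b"070701a1b2c3d45543562b0123456789  example.pom\n"


def inspect_checksum(data: bytes):
    """Return None if content-sniffing cannot take the data for cpio;
    otherwise describe how a new-ASCII ("newc") header parse would read it."""
    magic = data[:6]
    if magic not in CPIO_MAGICS:
        return None
    finding = {"magic": magic.decode(), "mode": None, "type_bits": None, "valid_type": None}
    # Assumed newc layout: 6-char magic, 8 hex chars inode, 8 hex chars mode.
    if magic != b"070707" and len(data) >= 22:
        try:
            mode = int(data[14:22].decode("ascii"), 16)
        except ValueError:  # non-hex bytes where the mode should be
            return finding
        type_bits = mode & 0o170000  # S_IFMT mask
        finding.update(mode=mode, type_bits=type_bits, valid_type=type_bits in VALID_TYPES)
    return finding


def scan(directory):
    """Map file name -> finding for every .md5/.sha1 file that sniffs as cpio."""
    hits = {}
    for path in sorted(Path(directory).rglob("*")):
        if path.is_file() and path.suffix in (".md5", ".sha1"):
            finding = inspect_checksum(path.read_bytes())
            if finding:
                hits[path.name] = finding
    return hits


if __name__ == "__main__":
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": inspect_checksum(SAMPLE)}
    for name, f in results.items():
        mode = "n/a" if f["mode"] is None else f"{f['mode']:08x}"
        print(f"{name}: magic={f['magic']} mode={mode} valid_type={f['valid_type']}")
```

Run it against the local build output (for example the directory holding the generated `.md5` files) before deploying; any file it reports is a candidate for the regeneration workaround described above.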