Hi Ivan, Thanks for your response. I've looked into the PGP plugin, and unfortunately it looks like it only can create signatures, but not checksums.
-Val On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov <bessonov...@gmail.com> wrote: > Hi, > > I've never done this before, but it seems like we need maven-gpg-plugin for > it [1]. > > Algorithm configuration would look like this: > <gpgArguments> > <arg>--digest-algo=SHA512</arg> > </gpgArguments> > > Maybe this will help. > > [1] > > http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html > > пн, 28 дек. 2020 г. в 01:25, Valentin Kulichenko < > valentin.kuliche...@gmail.com>: > > > Igniters, > > > > I've been preparing the 3.0.0-alpha1 release and got confused about the > > requirements for checksums in Maven deployments. The Apache instruction > [1] > > states that MD5 is deprecated and SHA1 should be avoided in favor of > > SHA-256 or SHA-512. However, it looks like we are still using the > MD5/SHA1 > > combination (at least that's what the staging for 2.9.1 [2] contains). > > > > On top of that, I can't find an easy way to switch to another checksum - > > Maven deploy plugin [3] creates MD5 and SHA1 files automatically and > > doesn't seem to have any options to tweak this behavior. > > > > That said, I have two questions: > > > > 1. Are we required to use SHA512 or MD5/SHA1 is OK for now? > > 2. Is there a painless way to include SHA512 in addition to MD5/SHA1? > > > > Can anyone shed some light on this? > > > > [1] https://infra.apache.org/release-signing.html#basic-facts > > [2] > > > > > https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/ > > [3] > https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html > > > > -Val > > > > > -- > Sincerely yours, > Ivan Bessonov >
