Hi Janardhan,

The maven-gpg-plugin is only responsible for creating the "asc" files which
contain the PGP signature.

The file hashes are created by maven-resolver, which supports SHA-512 since
version 1.5.0 ( https://issues.apache.org/jira/browse/MRESOLVER-56 ).
If I remember correctly maven-resolver 1.5+ is included since Maven 3.8.1.
So you would have to update your Maven to 3.8.1 and
`-Daether.checksums.algorithms=SHA-512` should work then.

Best Regards
Frederik

On Wed, May 26, 2021 at 9:14 AM Janardhan <janard...@apache.org> wrote:

> Hi Maven team,
>
> TL;DR: Can we sign (SHA-512) artifacts with gpg plugin and how? Thanks.
>
> 1. We are trying to sign Apache SystemDS[0] release artifacts with
> gpg-plugin,
> we are only receiving the `.md5` and `.sha1` without the
> `-Daether.checksums.algorithms=SHA-512` flag as per [1][4].
>
> 2. With the following command we are receiving the .asc file additionally.
> But, not the `.sha512`.
>
> mvn -P'distribution' deploy -DskipTests \
>   -Daether.checksums.algorithms=SHA-512
>
>
> 3. I have read through the mail list[1] and some source code[3].
> I have noted from discussion in [2] that the gpg arguments[5] in
> pom.xml may not work but only work on the command line.
>
> --
> [0] https://github.com/apache/systemds/blob/master/pom.xml
> [1] https://maven.apache.org/resolver/configuration.html
> [2] https://www.mail-archive.com/users@maven.apache.org/msg142898.html
> [3] https://github.com/apache/maven/blob/master/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java#L117
> [4] https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#MessageDigest
> [5] https://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html#gpgArguments
>
> Thanks and regards,
> Janardhan
>
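
An added example, not part of the original thread: a release-side check that every artifact in a local deploy or staging directory has a `.sha512` sidecar whose digest matches, which is the file the thread reports as missing. The function names `audit_sha512` and `count_sha512_problems` are hypothetical, and the script assumes each sidecar holds the hex digest as its first whitespace-separated field.

```shell
#!/bin/sh
# Added example (not from the thread): audit deployed Maven artifacts for
# .sha512 sidecar files. Function names are hypothetical.

# Print the lowercase hex SHA-512 of a file (sha512sum, or shasum on macOS).
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# One status line per artifact: OK, MISSING (no sidecar) or MISMATCH.
# Checksum and signature files themselves are skipped.
# Assumption: file names contain no newlines.
audit_sha512() {
  find "$1" -type f ! -name '*.md5' ! -name '*.sha1' ! -name '*.sha256' \
       ! -name '*.sha512' ! -name '*.asc' | sort |
  while IFS= read -r f; do
    if [ ! -f "$f.sha512" ]; then
      echo "MISSING  $f.sha512"
      continue
    fi
    # Assumption: the digest is the first field; a trailing file name is ignored.
    expected=$(awk 'NR==1 {print tolower($1)}' "$f.sha512")
    actual=$(sha512_of "$f")
    if [ "$expected" = "$actual" ]; then
      echo "OK       $f"
    else
      echo "MISMATCH $f"
    fi
  done
}

# Print the number of artifacts whose .sha512 is absent or wrong.
count_sha512_problems() {
  audit_sha512 "$1" | grep -c -v '^OK ' || true
}

# Stand-alone use: sh audit.sh <directory>
if [ "$#" -gt 0 ]; then
  audit_sha512 "$1"
fi
```

A non-zero count from `count_sha512_problems` can be used to fail a release job before the artifacts are published.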
