Might be helpful: https://checksum-maven-plugin.nicoulaj.net/examples/using-custom-checksum-algorithms.html Delany
On Wed, 13 Oct 2021 at 12:10, Mickael Istria <mist...@redhat.com> wrote: > Hi all, > > While I'm investigating into Maven code to allow re-using checksums of > Maven artifacts when "p2-ifying" them with Tycho, I noticed only .md5 and > .sha1 seems to be used by Wagon and then also noticed that Maven Central > doesn't contain a "safe" digest signature either. > In this world of supply chain attacks, it could be important to use > stronger algorithms. > Sure, there is PGP signature, but PGP is not intended to verify the > transfer, it's more meant to allow delegating a trust decision from the > artifact to the signer; using it to verify transfer seems overkill, so we'd > rather avoid having to rely on it for transfer verification. > I tried to look on Jira and couldn't see an issue that seems dedicated to > this topic. As the concerns about md5 and sha1 are relatively old, I may > have missed something. > Is there an issue already open to move towards sha256 or should I create a > new one? > > Thanks in advance > > -- > Mickael Istria > Eclipse IDE <https://www.eclipse.org/eclipseide> developer, for Red Hat > Developers <https://developers.redhat.com/> >