Re: [maven-gpg-plugin] Unable to sign artifacts with SHA-256 or higher
Look at https://issues.apache.org/jira/browse/MPOM-244 which should solve this for ASF projects.

Konrad

> On 27. May 2021, at 13:29, Janardhan wrote:
>
> Thank you, for the generous response.
>
>> The file hashes are created by maven-resolver, which supports SHA-512 since
>> version 1.5.0 ( https://issues.apache.org/jira/browse/MRESOLVER-56 ).
>> If I remember correctly maven-resolver 1.5+ is included since Maven 3.8.1.
>> So you would have to update your Maven to 3.8.1 and
>> `-Daether.checksums.algorithms=SHA-512` should work then.
>
> This works like a charm Frederik.
>
> The complete command I have used is
>
> ```sh
> mvn -P'distribution,rat' deploy -Daether.checksums.algorithms=SHA-512
> ```
>
>> This is not signing, this is just a checksum for transport bitrot.
>
> Thanks Michael for clarification.
>
> I think this usage can be documented (explicitly). What do you think?
> I am open to giving a PR since all the apache projects use this
> functionality. :)
>
> Regards,
> Janardhan
>
> On Thu, May 27, 2021 at 1:27 PM Michael Osipov wrote:
>
>> On 2021-05-26 at 09:14, Janardhan wrote:
>>> Hi Maven team,
>>>
>>> TL;DR: Can we sign (SHA-512) artifacts with gpg plugin and how? Thanks.
>>
>> This is not signing, this is just a checksum for transport bitrot.
>> If you need SHA-2 hashes use Resolver's new property for this.
>>
>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>> For additional commands, e-mail: dev-h...@maven.apache.org
Re: [maven-gpg-plugin] Unable to sign artifacts with SHA-256 or higher
Thank you, for the generous response.

> The file hashes are created by maven-resolver, which supports SHA-512 since
> version 1.5.0 ( https://issues.apache.org/jira/browse/MRESOLVER-56 ).
> If I remember correctly maven-resolver 1.5+ is included since Maven 3.8.1.
> So you would have to update your Maven to 3.8.1 and
> `-Daether.checksums.algorithms=SHA-512` should work then.

This works like a charm Frederik.

The complete command I have used is

```sh
mvn -P'distribution,rat' deploy -Daether.checksums.algorithms=SHA-512
```

> This is not signing, this is just a checksum for transport bitrot.

Thanks Michael for clarification.

I think this usage can be documented (explicitly). What do you think?
I am open to giving a PR since all the apache projects use this
functionality. :)

Regards,
Janardhan

On Thu, May 27, 2021 at 1:27 PM Michael Osipov wrote:

> On 2021-05-26 at 09:14, Janardhan wrote:
>> Hi Maven team,
>>
>> TL;DR: Can we sign (SHA-512) artifacts with gpg plugin and how? Thanks.
>
> This is not signing, this is just a checksum for transport bitrot.
> If you need SHA-2 hashes use Resolver's new property for this.
Re: [maven-gpg-plugin] Unable to sign artifacts with SHA-256 or higher
On 2021-05-26 at 09:14, Janardhan wrote:
> Hi Maven team,
>
> TL;DR: Can we sign (SHA-512) artifacts with gpg plugin and how? Thanks.

This is not signing, this is just a checksum for transport bitrot.
If you need SHA-2 hashes use Resolver's new property for this.
Re: [maven-gpg-plugin] Unable to sign artifacts with SHA-256 or higher
Hi Janardhan,

The maven-gpg-plugin is only responsible for creating the "asc" files which
contain the PGP signature.
The file hashes are created by maven-resolver, which supports SHA-512 since
version 1.5.0 ( https://issues.apache.org/jira/browse/MRESOLVER-56 ).
If I remember correctly maven-resolver 1.5+ is included since Maven 3.8.1.
So you would have to update your Maven to 3.8.1 and
`-Daether.checksums.algorithms=SHA-512` should work then.

Best Regards
Frederik

On Wed, May 26, 2021 at 9:14 AM Janardhan wrote:
> Hi Maven team,
>
> TL;DR: Can we sign (SHA-512) artifacts with gpg plugin and how? Thanks.
>
> 1. We are trying to sign Apache SystemDS[0] release artifacts with
> gpg-plugin, we are only receiving the `.md5` and `.sha1` without the
> `-Daether.checksums.algorithms=SHA-512` flag as per [1][4].
>
> 2. With the following command we are receiving the .asc file additionally.
> But, not the `.sha512`.
>
>     mvn -P'distribution' deploy -DskipTests \
>       -Daether.checksums.algorithms=SHA-512
>
> 3. I have read through the mail list[1] and some source code[3].
> I have noted from discussion in [2] that the gpg arguments[5] in
> pom.xml may not work but only work on the command line.
>
> --
> [0] https://github.com/apache/systemds/blob/master/pom.xml
> [1] https://maven.apache.org/resolver/configuration.html
> [2] https://www.mail-archive.com/users@maven.apache.org/msg142898.html
> [3] https://github.com/apache/maven/blob/master/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java#L117
> [4] https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#MessageDigest
> [5] https://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html#gpgArguments
>
> Thanks and regards,
> Janardhan
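The point Frederik and Michael make, that the `.sha512` file from maven-resolver only catches transport corruption while the `.asc` file from maven-gpg-plugin is the actual signature, is illustrated by the added POSIX shell functions below, which are not code from this thread or from Maven. They assume `sha512sum` or `shasum` is on PATH, and `gpg` only for the signature step; the artifact name and contents are constructed samples.

```shell
#!/bin/sh
# Verify a downloaded Maven artifact: resolver checksum first, PGP signature
# second. Added example, not code from the thread or from Maven itself.

# Hex SHA-512 of a file, using whichever digest tool is installed.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# Compare the artifact with its .sha512 file. Maven writes a bare hex digest;
# the "digest  filename" form written by sha512sum is tolerated by comparing
# only the first whitespace-separated token, case-insensitively.
# Returns 0 on match, 1 otherwise. This detects bitrot, not tampering: anyone
# who can alter the artifact in transit can alter the checksum file too.
verify_checksum() {
  artifact=$1
  [ -f "$artifact" ] && [ -f "$artifact.sha512" ] || return 1
  expected=$(head -n1 "$artifact.sha512" | awk '{print tolower($1)}')
  actual=$(sha512_of "$artifact" | tr 'A-Z' 'a-z')
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Check the detached PGP signature produced by maven-gpg-plugin. This is what
# authenticates the publisher; the signer's public key must already be in the
# local keyring (for ASF projects, imported from the release's KEYS file).
# Returns gpg's status, or 2 when gpg is not installed.
verify_signature() {
  artifact=$1
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
  gpg --batch --verify "$artifact.asc" "$artifact" 2>/dev/null
}

# Constructed sample: a fake artifact plus a checksum file in Maven's bare
# hex format, written to a temp dir so the example runs offline.
make_sample() {
  dir=$(mktemp -d)
  printf 'not a real jar\n' > "$dir/systemds-sample.jar"
  sha512_of "$dir/systemds-sample.jar" > "$dir/systemds-sample.jar.sha512"
  echo "$dir/systemds-sample.jar"
}
```

Run `verify_checksum` and then `verify_signature` on each downloaded artifact; a passing checksum with a failing or absent signature should be treated as unverified, not as "good enough".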
[maven-gpg-plugin] Unable to sign artifacts with SHA-256 or higher
Hi Maven team,

TL;DR: Can we sign (SHA-512) artifacts with gpg plugin and how? Thanks.

1. We are trying to sign Apache SystemDS[0] release artifacts with
gpg-plugin, we are only receiving the `.md5` and `.sha1` without the
`-Daether.checksums.algorithms=SHA-512` flag as per [1][4].

2. With the following command we are receiving the .asc file additionally.
But, not the `.sha512`.

    mvn -P'distribution' deploy -DskipTests \
      -Daether.checksums.algorithms=SHA-512

3. I have read through the mail list[1] and some source code[3].
I have noted from discussion in [2] that the gpg arguments[5] in
pom.xml may not work but only work on the command line.

--
[0] https://github.com/apache/systemds/blob/master/pom.xml
[1] https://maven.apache.org/resolver/configuration.html
[2] https://www.mail-archive.com/users@maven.apache.org/msg142898.html
[3] https://github.com/apache/maven/blob/master/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java#L117
[4] https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#MessageDigest
[5] https://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html#gpgArguments

Thanks and regards,
Janardhan
Re: SHA
Oleg Gusakov wrote:
> fyi:
>
> - maven password encryption uses SHA-256 and switching to SHA-512 could be
> done using optional encrypted string attributes to ensure decryption of the
> existing passwords. SHA-256 is already SHA2 family and has not been cracked
> yet, so we can wait. Main question was availability of SHA-512 in all
> targeted JVMs
>
> - Mercury signature generation uses SHA-1, I will explore switching it to
> SHA-512: http://jira.codehaus.org/browse/MERCURY-128.

I think we need to generate both sha1 and sha512 in parallel so that older
tools can still see a sha1. Having something is better than nothing (or
something they think is wrong)

> Thanks,
> Oleg
>
> Robert Burrell Donkin wrote:
>> On Wed, May 6, 2009 at 7:27 AM, Brett Porter br...@apache.org wrote:
>>> For artifact checksums? They are not a security measure, so I don't think
>>> increasing their length is of benefit.
>>>
>>> Having read the same mail I'm guessing you did, it made me reflect and we
>>> probably should have kept using md5 for efficiency TBH.
>>
>> i'm talking about http://www.debian-administration.org/users/dkg/weblog/48
>> etc
>>
>> not really anything to panic about but going to need to transition away
>> from the current public key infrastructure over the next year or so
>>
>> - robert
Re: SHA
Brian Fox wrote:
> Oleg Gusakov wrote:
>> fyi:
>>
>> - maven password encryption uses SHA-256 and switching to SHA-512 could be
>> done using optional encrypted string attributes to ensure decryption of the
>> existing passwords. SHA-256 is already SHA2 family and has not been cracked
>> yet, so we can wait. Main question was availability of SHA-512 in all
>> targeted JVMs
>>
>> - Mercury signature generation uses SHA-1, I will explore switching it to
>> SHA-512: http://jira.codehaus.org/browse/MERCURY-128.
>
> I think we need to generate both sha1 and sha512 in parallel so that older
> tools can still see a sha1. Having something is better than nothing (or
> something they think is wrong)

Makes sense. Actually - I was thinking about PGP signature (already fixed),
and forgot about SHA generation. Added SHA512Verifier with default extension
SHA512

Thanks,
Oleg

>> Thanks,
>> Oleg
>>
>> Robert Burrell Donkin wrote:
>>> On Wed, May 6, 2009 at 7:27 AM, Brett Porter br...@apache.org wrote:
>>>> For artifact checksums? They are not a security measure, so I don't think
>>>> increasing their length is of benefit.
>>>>
>>>> Having read the same mail I'm guessing you did, it made me reflect and we
>>>> probably should have kept using md5 for efficiency TBH.
>>>
>>> i'm talking about http://www.debian-administration.org/users/dkg/weblog/48
>>> etc
>>>
>>> not really anything to panic about but going to need to transition away
>>> from the current public key infrastructure over the next year or so
>>>
>>> - robert
SHA
just a heads up that maven may need to switch from SHA1 to SHA512 (or higher).
not sure how difficult that will be.

- robert
Re: SHA
For artifact checksums? They are not a security measure, so I don't think
increasing their length is of benefit.

Having read the same mail I'm guessing you did, it made me reflect and we
probably should have kept using md5 for efficiency TBH.

Cheers,
Brett

On 06/05/2009, at 4:11 PM, Robert Burrell Donkin wrote:
> just a heads up that maven may need to switch from SHA1 to SHA512 (or higher).
> not sure how difficult that will be.
>
> - robert
Re: SHA
On Wed, May 6, 2009 at 7:27 AM, Brett Porter br...@apache.org wrote:
> For artifact checksums? They are not a security measure, so I don't think
> increasing their length is of benefit.
>
> Having read the same mail I'm guessing you did, it made me reflect and we
> probably should have kept using md5 for efficiency TBH.

i'm talking about http://www.debian-administration.org/users/dkg/weblog/48 etc

not really anything to panic about but going to need to transition away from
the current public key infrastructure over the next year or so

- robert
Re: SHA
fyi:

- maven password encryption uses SHA-256 and switching to SHA-512 could be
done using optional encrypted string attributes to ensure decryption of the
existing passwords. SHA-256 is already SHA2 family and has not been cracked
yet, so we can wait. Main question was availability of SHA-512 in all
targeted JVMs

- Mercury signature generation uses SHA-1, I will explore switching it to
SHA-512: http://jira.codehaus.org/browse/MERCURY-128.

Thanks,
Oleg

Robert Burrell Donkin wrote:
> On Wed, May 6, 2009 at 7:27 AM, Brett Porter br...@apache.org wrote:
>> For artifact checksums? They are not a security measure, so I don't think
>> increasing their length is of benefit.
>>
>> Having read the same mail I'm guessing you did, it made me reflect and we
>> probably should have kept using md5 for efficiency TBH.
>
> i'm talking about http://www.debian-administration.org/users/dkg/weblog/48
> etc
>
> not really anything to panic about but going to need to transition away
> from the current public key infrastructure over the next year or so
>
> - robert