maven-metadata.xml SHA256 and SHA512 checksums prevent publishing to Nexus

[120011676]

Expected Behavior

publish Maven Repository success

Current Behavior

···

failureMessage	Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/com/github/120011676/vine/maven-metadata.xml.sha512'
failureMessage	Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/com/github/120011676/vine/maven-metadata.xml.sha256'
···

Context

publish Maven Repository

Steps to Reproduce

https://github.com/120011676/vine

Your Environment

Build scan URL:https://github.com/120011676/vine

[melix]

Does Gradle fail the upload task or is it emitted as a warning? Normally if the repository doesn't support sha512 we continue.

[120011676]

@melix Maven central warehouse used,5.6.3 did not appear, how can I succeed?

[melix]

Is it just me or you are using a GitHub package registry here? There's a known issue with GitHub. We're working with them so that they fix it.

[melix]

I'm going to ping Sonatype and link to this issue, there may be something wrong with the validation of maven-metadata.xml.

For reference, see comments in https://issues.sonatype.org/browse/MVNCENTRAL-5276

[120011676]

@melix Fabulous,Yes, I have a comment

[vlsi]

Does that mean Gradle 6.0.1 could have a feature-flag to avoid publishing sha256 / sha512 for artifacts and metadata?

[melix]

Sonatype is planning a fix. If it's too late to ship, we'll have to consider a flag, but we'd like to avoid this situation.

[vlsi]

but we'd like to avoid this situation.

Exactly

If it's too late to ship, we'll have to consider a flag

A bit of a story is "Nexus vs Gradle 6" issue did hit us when trying to release Apache JMeter yesterday.

Apache Software Foundation is still using Nexus 2.x, and it would take time to make ASF sha512-compatible. It would require either Nexus 2->3 upgrade, or back-porting of the fix or migrate to Artifactory or whatever.

I beg your pardon, but I'm inclined to request a feature flag (even though I recognize the year is 2019) as the upgrade of ASF infra might take a while (there was an attempt in 2016-2017, and it was just closed). In the meantime, I've asked re ASF Nexus upgrade

[melix]

Ok so let's prioritize a magic flag for 6.0.1.

[120011676]

Like, encourage upgrading

[melix]

Before I merge the workaround, I'd like to double check that the Gradle build indeed did not fail, and that's only in Nexus that you're seeing the problem.

[120011676]

@melix One other bug found,I don't know
#11371

[jjohannes]

@120011676 we have included a flag for a 6.0.1 patch release. Here is a nightly containing the change:
https://services.gradle.org/distributions-snapshots/gradle-6.0.1-20191115004001+0000-bin.zip
It would be very much appreciated if you can acknowledge that it works for you.

To disable publication of both SHA-256 and SHA-512 checksums, either:

• add -Dorg.gradle.internal.publish.checksums.insecure to the CLI or
• add org.gradle.internal.publish.checksums.insecure=true to your
  gradle.properties file

[vlsi]

@jjohannes , are you sure that snapshot includes the fix?

I've tried gradle-6.0.1-20191115004001+0000-all.zip , and it still publishes sha256 and sha512 files.
Then I opened /.gradle/wrapper/dists/gradle-6.0.1-20191115004001+0000-all/8vxyfuyndjkwgc528crr43wp/gradle-6.0.1-20191115004001+0000, and I don't see the fix there:

$ grep publishChecksums -A 8 ExternalResourceResolver.java
        publishChecksums(destination, src);
    }

    private void publishChecksums(ExternalResourceName destination, File content) {
        publishChecksum(destination, content, "sha1", 40);

        publishPossiblyUnsupportedChecksum(destination, content, "sha-256", 64);
        publishPossiblyUnsupportedChecksum(destination, content, "sha-512", 128);
    }

    private void publishPossiblyUnsupportedChecksum(ExternalResourceName destination, File content, String algorithm, int length) {
        try {

Is it what you would expect?

Just in case, I've tried to specify all the possible options at the same time (-D, -P, and the option in gradle.properties), and Gradle still publishes sha256 and sha512.

If that matters, I tested both -all and -bin snapshots, and they both publish sha256/512 :-/

[ljacomet]

Sorry, two things at play here:

• First a copy/paste mistake in the nightly version. Please use 6.0.1-20191115103811+0000 as the version, or https\://services.gradle.org/distributions-snapshots/gradle-6.0.1-20191115103811+0000-bin.zip for the gradle-wrapper.properties
• The instructions need to be corrected:
  • Adding -Dorg.gradle.internal.publish.checksums.insecure=true on the CLI
  • Adding systemProp.org.gradle.internal.publish.checksums.insecure=true to gradle.properties

[vlsi]

Thanks for the clarification.

I've tried 6.0.1-20191115103811+0000, and I confirm systemProp.org.gradle.internal.publish.checksums.insecure=true works: it does not produce sha256/512 for artifacts / maven-metadata.xml / module files.

PS I verify with a Nexus stub ( https://github.com/vlsi/asflike-release-environment ), so the mileage may vary.

[phreakadelle]

Thanks for providing the switch.

We were forced to use the -Dorg.gradle.internal.publish.checksums.insecure=true parameter as we are using Gradle 6.5.1 and Nexus 2.14.15-01

[gavenkoa]

I hit the problem with Nexus OSS 3.28.1 and systemProp.org.gradle.internal.publish.checksums.insecure=true in gradle.properties is a solution.

According to https://issues.sonatype.org/browse/NEXUS-21802 fix is in v2.14.18 but not in v3.x:

MSDE Team yes, the support was added to NXRM2 but hasn't yet been done in NXRM3, NEXUS-23603 is the ticket in question, please do add a vote on there

3.x still has the issue, see: https://issues.sonatype.org/browse/NEXUS-23603

[alexeyOnGitHub]

does this "-Dorg.gradle.internal.publish.checksums.insecure=true" flag turn off all sha publishing or just for 256 and 512?