New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
maven-metadata.xml SHA256 and SHA512 checksums prevent publishing to Nexus #11308
Comments
Does Gradle fail the upload task or is it emitted as a warning? Normally if the repository doesn't support sha512 we continue. |
@melix Maven central warehouse used,5.6.3 did not appear, how can I succeed? |
Is it just me or you are using a GitHub package registry here? There's a known issue with GitHub. We're working with them so that they fix it. |
I'm going to ping Sonatype and link to this issue, there may be something wrong with the validation of For reference, see comments in https://issues.sonatype.org/browse/MVNCENTRAL-5276 |
@melix Fabulous,Yes, I have a comment |
Does that mean Gradle 6.0.1 could have a feature-flag to avoid publishing sha256 / sha512 for artifacts and metadata? |
Sonatype is planning a fix. If it's too late to ship, we'll have to consider a flag, but we'd like to avoid this situation. |
Exactly
A bit of a story is "Nexus vs Gradle 6" issue did hit us when trying to release Apache JMeter yesterday. Apache Software Foundation is still using Nexus 2.x, and it would take time to make ASF sha512-compatible. It would require either Nexus 2->3 upgrade, or back-porting of the fix or migrate to Artifactory or whatever. I beg your pardon, but I'm inclined to request a feature flag (even though I recognize the year is 2019) as the upgrade of ASF infra might take a while (there was an attempt in 2016-2017, and it was just closed). In the meantime, I've asked re ASF Nexus upgrade |
Ok so let's prioritize a magic flag for 6.0.1. |
Like, encourage upgrading |
This commit adds an internal system property which can be used as a workaround whenever the remote repository doesn't accept SHA-256 and SHA-512 checksums. Gradle is fail-safe when it cannot upload those files, however, in some situations, the remote repository may not allow promoting the release if it finds such files. This is the case in older repositories, or currently with Maven Central. To disable publication of both SHA-256 and SHA-512 checksums, either: - add `-Dorg.gradle.internal.publish.checksums.insecure` to the CLI or - add `org.gradle.internal.publish.checksums.insecure=true` to your `gradle.properties` file Fixes #11308
Before I merge the workaround, I'd like to double check that the Gradle build indeed did not fail, and that's only in Nexus that you're seeing the problem. |
@120011676 we have included a flag for a To disable publication of both SHA-256 and SHA-512 checksums, either:
|
@jjohannes , are you sure that snapshot includes the fix? I've tried gradle-6.0.1-20191115004001+0000-all.zip , and it still publishes sha256 and sha512 files.
Is it what you would expect? Just in case, I've tried to specify all the possible options at the same time ( If that matters, I tested both |
Sorry, two things at play here:
|
Thanks for the clarification. I've tried PS I verify with a Nexus stub ( https://github.com/vlsi/asflike-release-environment ), so the mileage may vary. |
Also document their creation in the publishing chapter. Issue #11308
Work around https://issues.sonatype.org/browse/OSSRH-56462 via solution in gradle/gradle#11308
This adds a flag that enables a workaround for OSSRH publishing. Affects: https://issues.sonatype.org/browse/OSSRH-56352 Affects: gradle/gradle#11308 (comment)
This adds a check to the start of the build script to verify that the build is being performed with the org.gradle.internal.publish.checksums.insecure property set. This ensures that the project can be deployed to Central without checksum issues. References: gradle/gradle#11308 (comment)
Check gradle/gradle#11308 for details
this is what broke our releases in 6.4 and this works around it for now See gradle/gradle#11308
* Suppress sha256 for metadata this is what broke our releases in 6.4 and this works around it for now See gradle/gradle#11308 * Bump AGP version on CI to 3.6.3 * Kotlin 1.3.72 * Zipflinger 3.6.3 * Update more misc deps * More AGP * Shade in newer zipfligner version Resolves #38 * Update sample okio libraries * Clarify comment and exlude guava too
Errors visible in https://oss.sonatype.org/#stagingRepositories under Activity > release: Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/com/github/dtreskunov/easyssl/maven-metadata.xml.sha512' Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/com/github/dtreskunov/easyssl/maven-metadata.xml.sha256' gradle/gradle#11308
Errors visible in https://oss.sonatype.org/#stagingRepositories under Activity > release: Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/com/github/dtreskunov/easyssl/maven-metadata.xml.sha512' Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/com/github/dtreskunov/easyssl/maven-metadata.xml.sha256' gradle/gradle#11308
Gradle publishes sha256/512 checksum which are incompatible with the current version of Nexus we are using. See also: * gradle/gradle#11308 * https://issues.sonatype.org/browse/NEXUS-21802 * https://issues.sonatype.org/browse/NEXUS-23603
Thanks for providing the switch. We were forced to use the |
I hit the problem with Nexus OSS 3.28.1 and According to https://issues.sonatype.org/browse/NEXUS-21802 fix is in v2.14.18 but not in v3.x:
3.x still has the issue, see: https://issues.sonatype.org/browse/NEXUS-23603 |
does this "-Dorg.gradle.internal.publish.checksums.insecure=true" flag turn off all sha publishing or just for 256 and 512? |
There is a bug with Gradle 6 and Nexus 2 currently that we can fix by setting a systemProp. See here for more info: gradle/gradle#11308
Expected Behavior
publish Maven Repository success
Current Behavior
···
Context
publish Maven Repository
Steps to Reproduce
https://github.com/120011676/vine
Your Environment
Build scan URL:https://github.com/120011676/vine
The text was updated successfully, but these errors were encountered: