sign .asc and sha512 with maven-gpg-plugin #99

Closed
3 tasks done
j143 opened this issue May 24, 2021 · 11 comments


j143 commented May 24, 2021

Objective: Related (#53)

The names of individual signature and checksum files must be formed by adding to the name of the artifact the appropriate suffix:

  • .asc for a (ASCII-armored) PGP signature
  • .sha256 for an SHA-256 checksum
  • .sha512 for an SHA-512 checksum

as per https://infra.apache.org/release-distribution.html#sigs-and-sums

At the moment I am able to sign with sha1, md5 with .asc as in #99 (comment)

Solution:

sha512 files are produced by maven resolver; this option is available with maven 3.8.1. Install latest maven as shown here #115


Related discussion in mail list (Apache Maven):
01st Feb, 2021
https://www.mail-archive.com/users@maven.apache.org/msg142898.html

This one won't work.

  <properties>
    <aether.checksums.algorithms>SHA-512,SHA-256,SHA-1,MD5</aether.checksums.algorithms>
  </properties>

and

  <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-deploy-plugin</artifactId>
    <version>3.0.0-M1</version>
    <dependencies>
      <dependency>
        <groupId>org.apache.maven.shared</groupId>
        <artifactId>maven-artifact-transfer</artifactId>
        <version>0.13.1</version>
      </dependency>
    </dependencies>
  </plugin>

https://github.com/apache/maven/blob/master/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java#L117

26th May 2021

https://www.mail-archive.com/dev@maven.apache.org/msg124411.html

The maven-gpg-plugin is only responsible for creating the "asc" files which
contain the PGP signature.

The file hashes are created by maven-resolver, which supports SHA-512 since
version 1.5.0 ( https://issues.apache.org/jira/browse/MRESOLVER-56 ).
If I remember correctly maven-resolver 1.5+ is included since Maven 3.8.1.
So you would have to update your Maven to 3.8.1 and -Daether.checksums.algorithms=SHA-512 should work then.
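
An added example, not part of the issue or of the SystemDS build: a POSIX shell check that a directory of downloaded release files follows the naming rule quoted at the top of this issue (artifact name plus .asc and .sha512) and that each .sha512 matches its artifact. The function names, status strings and the directory argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a directory of release files for the sidecar naming rule
# <artifact>.asc and <artifact>.sha512, and recompute each SHA-512.

# Lowercase hex SHA-512 of a file (sha512sum, or shasum where coreutils is absent).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# True when the name is itself a signature or checksum file, not an artifact.
is_sidecar() {
    case "$1" in
        *.asc|*.sha256|*.sha512|*.sha1|*.md5) return 0 ;;
        *) return 1 ;;
    esac
}

# check_release_dir DIR: prints one line per problem; returns 1 if any was found.
check_release_dir() {
    dir=$1
    problems=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_sidecar "$f"; then continue; fi
        if [ ! -f "$f.asc" ]; then
            echo "MISSING_SIG $f"; problems=$((problems + 1))
        elif [ "$(head -n 1 "$f.asc")" != "-----BEGIN PGP SIGNATURE-----" ]; then
            # Presence/format only; trust still requires gpg --verify against known keys.
            echo "NOT_ARMORED $f.asc"; problems=$((problems + 1))
        fi
        if [ ! -f "$f.sha512" ]; then
            echo "MISSING_SHA512 $f"; problems=$((problems + 1))
            continue
        fi
        # Accept a bare digest or "<digest>  <name>": compare only the first field.
        want=$(awk 'NR==1 {print tolower($1)}' "$f.sha512")
        if [ "$want" != "$(sha512_of "$f")" ]; then
            echo "BAD_SHA512 $f"; problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Usage: sh check_release.sh path/to/release-dir
if [ "$#" -gt 0 ]; then check_release_dir "$1"; fi
```

A non-zero exit status means at least one artifact lacks a correctly named signature or SHA-512 file, or its digest does not match.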

@j143 j143 created this issue from a note in P2 Release build (Todo) May 24, 2021

j143 commented May 24, 2021

https://maven.apache.org/resolver/configuration.html

mvn deploy -Daether.checksums.algorithms=SHA-512,SHA-256,SHA1,MD5

algorithm options available:

Algorithm: SHA-1, SHA-256, SHA-384, SHA-512
Description: Hash algorithms defined in the FIPS PUB 180-2. SHA-256 is a 256-bit hash function intended to provide 128 bits of security against collision attacks, while SHA-512 is a 512-bit hash function intended to provide 256 bits of security. A 384-bit hash may be obtained by truncating the SHA-512 output.

https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#MessageDigest


j143 commented May 24, 2021

gpg arguments:

https://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html#gpgArguments

Sets the arguments to be passed to gpg. Example:

<gpgArguments>
  <arg>--no-random-seed-file</arg>
  <arg>--no-permission-warning</arg>
</gpgArguments>

Type: java.util.List
Since: 1.5
Required: No


j143 commented May 24, 2021

Build helper plugin:
https://www.mojohaus.org/build-helper-maven-plugin/index.html

Usage, to add more sources to the project:

<project>
  ...
  <build>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>build-helper-maven-plugin</artifactId>
        <version>3.2.0</version>
        <executions>
          <execution>
            <id>add-source</id>
            <phase>generate-sources</phase>
            <goals>
              <goal>add-source</goal>
            </goals>
            <configuration>
              <sources>
                <source>some directory</source>
                ...
              </sources>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>


j143 commented May 24, 2021

gradle/gradle#11308


j143 commented May 25, 2021

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy (default-deploy)
 on project systemds: Failed to deploy artifacts: Could not transfer artifact org.apache.systemds:systemds:jar:2.1.0 
from/to github (https://maven.pkg.github.com/j143/systemds): Failed to transfer file: 
https://maven.pkg.github.com/j143/systemds/org/apache/systemds/systemds/2.1.0/systemds-2.1.0.jar.
+ Return code is: 409, ReasonPhrase: Conflict. 


j143 commented May 25, 2021

mvn -P'distribution,rat' deploy -DskipTests \
  -DaltDeploymentRepository=github::default::https://maven.pkg.github.com/j143/systemds \
  -Daether.checksums.algorithms=SHA-512



j143 commented May 25, 2021

@j143 j143 added this to the maven-deploy milestone May 25, 2021

j143 commented May 25, 2021

Is there any way this ( https://www.mojohaus.org/build-helper-maven-plugin/attach-artifact-mojo.html ) could solve the problem?
as mentioned here https://www.mail-archive.com/users@maven.apache.org/msg142892.html

Description:

Attach additional artifacts to be installed and deployed.

Seems off-topic.


j143 commented May 25, 2021

This is asked on mailing list, waiting for the response.


j143 commented May 26, 2021

Maven resolver:
maven-resolver-deps

@j143 j143 moved this from In Progress to Done in P2 Release build May 26, 2021
@j143 j143 closed this as completed May 26, 2021

j143 commented May 29, 2021
