Invalid Signatures and Checksums

[nipafx]

Hi Andres! I finally (finally!) got around to configuring JReleaser for a project, but I couldn't get it to work, yet: I get errors that all signatures and all SHA-256/512 checksums are invalid.

Signatures

Before realizing that this is a chance to try JReleaser, I configured the Maven Signing and Sonatype Nexus Staging Plugins and that worked, i.e. the repository could be successfully closed. This is what a signature for the main JAR looks like:

-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEE0tMM7mD7Y+9MMdEcjxi5XBeHQAwFAmYAV7oACgkQjxi5XBeH
QAyxtAf/SqlS+yIKQQa4AkEd//loofN7PpZVcDHvKTkPSUGYbO7QRDxMoYZTikZr
L11Alh5XlZ9GzmmUL3YohWV3Rwl6WZA4enGIdEMM+DVM3JCOW2TYDYRwxRqlGuyi
dnFdueI1QtImXXs3xarjM4ZQeGrUOvW/RqKsIIDeDhq/2D41KMVIG88VpLfNZNsx
VSGBdfnUwjCqyszi8i72v5mB/1M90C5FxsdcA0viAqYuAcEkCyxpCWw4iMORtqk9
xKiMRhcqIsVH0cQEcMvctcZAXrkAcSVal+R3e+oVoYGxxtDBo+WGt4FQHrjJH4YP
B3d/n4ayRpzSeA5xB7khXr4PANmYdQ==
=zUVj
-----END PGP SIGNATURE-----

This is what the signature for the same file looks like when created by JReleaser:

-----BEGIN PGP MESSAGE-----
Version: BCPG v1.77.00

owCJARwEAAECAAYFAmYAU1UACgkQjxi5XBeHQAzBoAf/egx/sopFUuEZDZ0ydAt1
g/ibjwOFPwyijkdJby2RjsZJKiL0ArnHIIYD5A8taBTD/zJSRxvx8pqtCvHNCkxE
d7Eh1kdRUXXis/aW85OUHhXvBjLarDhpfIIy53rIQaK+E00pQobk1QJhkOdc6Thb
wEFRQU7+s0H3Ov4NP3FprgEcRcXHpXnTcbM93y0zHhR+cKYRbGInunCfIoK25OrI
wTo9wnERTni5aH07T7KVUHM7Md+Y7eZiSQmj/zuheJHZFLWAebhhIlDbGcMdAmcw
Cr9NGI4cCy9ezLMQLZ2ArSEtcFcMnRHbJmC8TpRWeYoNY1E79UVIHOB9ENZl6nPK
xQ==
=EV9X
-----END PGP MESSAGE-----

Checksums

I found #1008 and marked that down as a probable solution (haven't tried it yet).

[aalmiray]

Hi @nipafx, I cloned the repo you mentioned and applied the suggested updates to pom.xml as described at https://jreleaser.org/guide/latest/examples/maven/maven-central.html#_maven. Then ran a deploy with -Djreleaser.dry.run=true. I've got a warning with my setup because obviously I have no access to the dev.nipafx.args staging profile at Maven Central. Yet, checksums and signatures were produced as expected. Here's a snippet from the trace log

[DEBUG]     [nexus2] Verifying /private/tmp/record-args/target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0.pom
[INFO]      [nexus2] Checking if key CCC55C5167419ADB has been published
[DEBUG]     [nexus2]  + https://keys.openpgp.org
[DEBUG]     [nexus2]  + https://keyserver.ubuntu.com
[DEBUG]     [nexus2]  + https://pgp.mit.edu
[INFO]      [nexus2] Key CCC55C5167419ADB was found as published
[DEBUG]     [sign] signature does not exist: target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0.jar.asc
[INFO]      [sign] target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0.jar
[DEBUG]     [verify] target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0.jar.asc
[DEBUG]     [sign] signature does not exist: target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0-sources.jar.asc
[INFO]      [sign] target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0-sources.jar
[DEBUG]     [verify] target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0-sources.jar.asc
[DEBUG]     [sign] signature does not exist: target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0.pom.asc
[INFO]      [sign] target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0.pom
[DEBUG]     [verify] target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0.pom.asc
[DEBUG]     [sign] signature does not exist: target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0-javadoc.jar.asc
[INFO]      [sign] target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0-javadoc.jar
[DEBUG]     [verify] target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0-javadoc.jar.asc
[DEBUG]     [nexus2] calculating sha256 checksum for record-args-0.5.0.jar
[DEBUG]     [nexus2] calculating sha512 checksum for record-args-0.5.0.jar
[DEBUG]     [nexus2] calculating sha256 checksum for record-args-0.5.0-sources.jar
[DEBUG]     [nexus2] calculating sha512 checksum for record-args-0.5.0-sources.jar
[DEBUG]     [nexus2] calculating sha256 checksum for record-args-0.5.0.pom
[DEBUG]     [nexus2] calculating sha512 checksum for record-args-0.5.0.pom
[DEBUG]     [nexus2] calculating sha256 checksum for record-args-0.5.0-javadoc.jar
[DEBUG]     [nexus2] calculating sha512 checksum for record-args-0.5.0-javadoc.jar

Generated signature for the main JAR

$ cat target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0.jar.asc
-----BEGIN PGP MESSAGE-----
Version: BCPG v1.77.00

owCJAhwEAAECAAYFAmYAW0EACgkQzMVcUWdBmtvp6Q/8DrI15gg9W0sJn6cU0RsN
gpQcDSdvEGXUVLCer2HsOT7ChAUUTnt4Ofp+NYovEfRR6bkHgQV2vPM5DETSVzFU
nkFPGJQL1aPWyaVzRs+y63VpgYXv0t0uoQuxif6z15fiQX5PL3iPtr8ENAqe0b2U
Ca2YxwudPn5najWGNUujNI/BDIuLZTxFyOgIvfJrQ32Z9kXjloGLotd8QyUubRKN
K5QLMxZ42iKwOy6I875+QDAKLBCk955fYb4RJ9ZCGHd4t3BI6nKAiRnBb6N/K70n
bO94cm7Sfb/MXzNAN8zhm+mjAH1+HO2BWMkvwKVL8NhFrhYR27BT2sdjvoz4Ka73
UocQQalBjgjMsU0UEPhRma9j1maPlAJMYLKCnS64m02bqUCMXVmObn6eglqaG9u8
Hygc3RcYzzVZ8yP80ZQ27nIKmXlG0xFiVi5zc3EfYtxFbwiPfP/VpFY7jl/cyYnY
x4YqISclg7GQ6YVSDXQFnsiyffC0EXnnb4axw9DrJu5HYNdDclA57eX3DCwGg1Dy
OLuAtSLNbY/tzVUtznsY0JlmHjqcog5FXuYLeEKuYCQBvKx0bMqFIYyNKhkjE83x
ro6mTvYViaJXCykDa3/4vZ+5gEOwvHnoiqdKyFBqWIqCL8yPjolvT2hnNZcHVwpu
CUi8qcnKnS7He0uYA4YS0Cs=
=1tSn
-----END PGP MESSAGE-----

Checksums for the main JAR

$ cat target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0.jar.sha256 
5300860d5d96f2d8c286532d02444091fd1b3af154078e1bf1b3a4c1ea395720

$ shasum -a 256 target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0.jar
5300860d5d96f2d8c286532d02444091fd1b3af154078e1bf1b3a4c1ea395720  target/staging-deploy/dev/nipafx/args/record-args/0.5.0/record-args-0.5.0.jar

Here's a diff/patch with the changes I applied. Please give them a try with your own settings
jreleaser.patch

The commands I used for testing the deployment:

$ mvn -Ppublication
$ mvn jreleaser_deploy -Djreleaser.dry.run=true

[aalmiray]

I've set all my secrets with ~/.jreleaser/config.toml file (see https://jreleaser.org/guide/latest/reference/environment.html for options). You may use a similar file or set secrets using environment variables. The mvn jreleaser:env (https://jreleaser.org/guide/latest/tools/jreleaser-maven.html#_jreleaserenv) command will display all active secrets.

Example:

$ gm jreleaser:env
Using maven at '/Users/aalmiray/.sdkman/candidates/maven/current/bin/mvn' to run buildFile '/tmp/record-args/pom.xml':
[INFO] Scanning for projects...
[INFO] 
[INFO] --------------------< dev.nipafx.args:record-args >---------------------
[INFO] Building app 0.5.0
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- jreleaser:1.11.0:env (default-cli) @ record-args ---
[INFO] JReleaser Maven Plugin 1.11.0. Consider becoming a sponsor at https://opencollective.com/jreleaser
[INFO] Loading variables from /Users/aalmiray/.jreleaser/config.toml
[INFO] The following variables are defined in config.toml:
[INFO]   JRELEASER_GITHUB_TOKEN
[INFO]   JRELEASER_GPG_PASSPHRASE
[INFO]   JRELEASER_GPG_PUBLIC_KEY
[INFO]   JRELEASER_GPG_SECRET_KEY
[INFO]   JRELEASER_NEXUS2_MAVEN_CENTRAL_PASSWORD
[INFO]   JRELEASER_NEXUS2_MAVEN_CENTRAL_USERNAME
[INFO]   JRELEASER_SDKMAN_CONSUMER_KEY
[INFO]   JRELEASER_SDKMAN_CONSUMER_TOKEN
[INFO]   JRELEASER_TWITTER_ACCESS_TOKEN
[INFO]   JRELEASER_TWITTER_ACCESS_TOKEN_SECRET
[INFO]   JRELEASER_TWITTER_BEARER_TOKEN
[INFO]   JRELEASER_TWITTER_CONSUMER_KEY
[INFO]   JRELEASER_TWITTER_CONSUMER_SECRET
[INFO] The following variables are defined in the current environment:
[INFO]   JRELEASER_HOME
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.278 s
[INFO] Finished at: 2024-03-24T18:06:03+01:00
[INFO] ------------------------------------------------------------------------

[nipafx]

That worked. Thanks! Weird, though, it looks pretty much like what I had. 🤔 I'll work backward from your solution to mine and see whether it breaks somewhere and report back in case I find a culprit.

[aalmiray]

Great! It would be really good to see what's different and document any additional caveats in the guide.

[nipafx]

I found the issue and it is, wait for it, listening to the people who tell me not to clean on every build. 🧐 Turns out, when the local staging directory exists and contains the files for upload from the previous build then:

• the default Maven plugins will create new files (presumably with minor differences because Maven's builds are not reproducible out of the box)
• the signature (and presumably checksum files, although I didn't check that) keep the same content, although they do have newer time stamps, which is very odd

Accordingly, files and their signatures don't line up and Nexus complains. From what I've seen, this behavior should be easy to reproduce with any project (in fact, can you try it with your local clone of my repo)?

[aalmiray]

Filed #1625 Fixed and scheduled for v1.12.0.