maven-gpg-plugin SHA512

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

maven-gpg-plugin SHA512

Petr Ivanov
Hi all!


Struggling to configure maven-gpg-plugin to generate sha512 has sum to deployed artifacts alongside with asc.
Current config does not work:

            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-gpg-plugin</artifactId>
                <version>3.0.0</version>
                <configuration>
                    <gpgArguments>
                        <arg>--no-permission-warning</arg>
                        <arg>--digest-algo=SHA512</arg>
                    </gpgArguments>
                </configuration>
                <executions>
                    <execution>
                        <id>sign-artifacts</id>
                        <phase>verify</phase>
                        <goals>
                            <goal>sign</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>


Documentation is predictably empty.

The final goal — sha512 hash sums for deployed artifacts with deploy goal.


Does anyone know how can this be achieved?
Thanks in advance!
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: maven-gpg-plugin SHA512

Oliver B. Fischer-2
I am sure that there is a better solution, but I don't know it yet ;-)

Have a look at
https://www.mojohaus.org/build-helper-maven-plugin/attach-artifact-mojo.html

Oliver

Am 22.01.21 um 16:11 schrieb Petr Ivanov:

> Hi all!
>
>
> Struggling to configure maven-gpg-plugin to generate sha512 has sum to deployed artifacts alongside with asc.
> Current config does not work:
>
>              <plugin>
>                  <groupId>org.apache.maven.plugins</groupId>
>                  <artifactId>maven-gpg-plugin</artifactId>
>                  <version>3.0.0</version>
>                  <configuration>
>                      <gpgArguments>
>                          <arg>--no-permission-warning</arg>
>                          <arg>--digest-algo=SHA512</arg>
>                      </gpgArguments>
>                  </configuration>
>                  <executions>
>                      <execution>
>                          <id>sign-artifacts</id>
>                          <phase>verify</phase>
>                          <goals>
>                              <goal>sign</goal>
>                          </goals>
>                      </execution>
>                  </executions>
>              </plugin>
>
>
> Documentation is predictably empty.
>
> The final goal — sha512 hash sums for deployed artifacts with deploy goal.
>
>
> Does anyone know how can this be achieved?
> Thanks in advance!
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
--
N Oliver B. Fischer
A Schönhauser Allee 64, 10437 Berlin, Deutschland/Germany
P +49 30 44793251
M +49 178 7903538
E [hidden email]
S oliver.b.fischer
J [hidden email]
X http://xing.to/obf


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: maven-gpg-plugin SHA512

Petr Ivanov
Nice plugin, thanks!


However, currently I am under impressions, that gpg plugin is not what am I looking for, 'cause it seems the initial md5 and sha1 sums are generated by maven-install-plugin which has no options whatsoever...
Also, cheksum-maven-plugin seems to be better suited for my task.


I will keep posted if it will be success :)


> On 24 Jan 2021, at 17:19, Oliver B. Fischer <[hidden email]> wrote:
>
> I am sure that there is a better solution, but I don't know it yet ;-)
>
> Have a look at https://www.mojohaus.org/build-helper-maven-plugin/attach-artifact-mojo.html
>
> Oliver
>
> Am 22.01.21 um 16:11 schrieb Petr Ivanov:
>> Hi all!
>>
>>
>> Struggling to configure maven-gpg-plugin to generate sha512 has sum to deployed artifacts alongside with asc.
>> Current config does not work:
>>
>>             <plugin>
>>                 <groupId>org.apache.maven.plugins</groupId>
>>                 <artifactId>maven-gpg-plugin</artifactId>
>>                 <version>3.0.0</version>
>>                 <configuration>
>>                     <gpgArguments>
>>                         <arg>--no-permission-warning</arg>
>>                         <arg>--digest-algo=SHA512</arg>
>>                     </gpgArguments>
>>                 </configuration>
>>                 <executions>
>>                     <execution>
>>                         <id>sign-artifacts</id>
>>                         <phase>verify</phase>
>>                         <goals>
>>                             <goal>sign</goal>
>>                         </goals>
>>                     </execution>
>>                 </executions>
>>             </plugin>
>>
>>
>> Documentation is predictably empty.
>>
>> The final goal — sha512 hash sums for deployed artifacts with deploy goal.
>>
>>
>> Does anyone know how can this be achieved?
>> Thanks in advance!
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
> --
> N Oliver B. Fischer
> A Schönhauser Allee 64, 10437 Berlin, Deutschland/Germany
> P +49 30 44793251
> M +49 178 7903538
> E [hidden email]
> S oliver.b.fischer
> J [hidden email]
> X http://xing.to/obf
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: maven-gpg-plugin SHA512

Petr Ivanov
Well, it seem that maven currently DOES NOT support sha512 sums in any way.

maven-checksum-plugin has been able to generate sha512 sums for jars, but:
1) it misses poms
2) maven install plugin still generates md5 and sha1 hashsums for all artifacts, including *.sha512 (which later gets uploaded with deploy task).

Thus — it seems currently impossible to comply with [1]...



[1] https://infra.apache.org/release-signing.html#basic-facts


> On 25 Jan 2021, at 11:34, Petr Ivanov <[hidden email]> wrote:
>
> Nice plugin, thanks!
>
>
> However, currently I am under impressions, that gpg plugin is not what am I looking for, 'cause it seems the initial md5 and sha1 sums are generated by maven-install-plugin which has no options whatsoever...
> Also, cheksum-maven-plugin seems to be better suited for my task.
>
>
> I will keep posted if it will be success :)
>
>
>> On 24 Jan 2021, at 17:19, Oliver B. Fischer <[hidden email]> wrote:
>>
>> I am sure that there is a better solution, but I don't know it yet ;-)
>>
>> Have a look at https://www.mojohaus.org/build-helper-maven-plugin/attach-artifact-mojo.html
>>
>> Oliver
>>
>> Am 22.01.21 um 16:11 schrieb Petr Ivanov:
>>> Hi all!
>>>
>>>
>>> Struggling to configure maven-gpg-plugin to generate sha512 has sum to deployed artifacts alongside with asc.
>>> Current config does not work:
>>>
>>>            <plugin>
>>>                <groupId>org.apache.maven.plugins</groupId>
>>>                <artifactId>maven-gpg-plugin</artifactId>
>>>                <version>3.0.0</version>
>>>                <configuration>
>>>                    <gpgArguments>
>>>                        <arg>--no-permission-warning</arg>
>>>                        <arg>--digest-algo=SHA512</arg>
>>>                    </gpgArguments>
>>>                </configuration>
>>>                <executions>
>>>                    <execution>
>>>                        <id>sign-artifacts</id>
>>>                        <phase>verify</phase>
>>>                        <goals>
>>>                            <goal>sign</goal>
>>>                        </goals>
>>>                    </execution>
>>>                </executions>
>>>            </plugin>
>>>
>>>
>>> Documentation is predictably empty.
>>>
>>> The final goal — sha512 hash sums for deployed artifacts with deploy goal.
>>>
>>>
>>> Does anyone know how can this be achieved?
>>> Thanks in advance!
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [hidden email]
>>> For additional commands, e-mail: [hidden email]
>>>
>> --
>> N Oliver B. Fischer
>> A Schönhauser Allee 64, 10437 Berlin, Deutschland/Germany
>> P +49 30 44793251
>> M +49 178 7903538
>> E [hidden email]
>> S oliver.b.fischer
>> J [hidden email]
>> X http://xing.to/obf
>>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: maven-gpg-plugin SHA512

Michael Osipov-2
In reply to this post by Petr Ivanov
Don't waste your time. Read [1]: aether.checksums.algorithms

[1] https://maven.apache.org/resolver/configuration.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: maven-gpg-plugin SHA512

Andreas Sewe-3
Michael Osipov wrote:
> Don't waste your time. Read [1]: aether.checksums.algorithms
>
> [1] https://maven.apache.org/resolver/configuration.html

Thank you for the pointer. Just found this post when searching for a way
to create .sha256 and .sha512 files during a "mvn deploy" but can't get
it to work:

  mvn deploy -Daether.checksums.algorithms=SHA-512,SHA-256,SHA1,MD5

The above still only created .sha1 and .md5 files in my staging
repository. What am I doing wrong?

Best wishes,

Andreas Sewe


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: maven-gpg-plugin SHA512

Andreas Sewe-3
Michael Osipov wrote:

>> Michael Osipov wrote:
>>> Don't waste your time. Read [1]: aether.checksums.algorithms
>>>
>>> [1] https://maven.apache.org/resolver/configuration.html
>>
>> Thank you for the pointer. Just found this post when searching for a way
>> to create .sha256 and .sha512 files during a "mvn deploy" but can't get
>> it to work:
>>
>>   mvn deploy -Daether.checksums.algorithms=SHA-512,SHA-256,SHA1,MD5
>>
>> The above still only created .sha1 and .md5 files in my staging
>> repository. What am I doing wrong?
>
> You need to update the bundled Maven Resolver version and it will work.
> Mark Thomas is already using it with Maven Resolver Ant Tasks to push
> Tomcat releases.
(Replying to the Maven Users List as well, in case someone else is
searching for the answer)

Thanks Michael. That works like a charm.

Best wishes,

Andreas Sewe


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: maven-gpg-plugin SHA512

Andreas Sewe-3
Andreas Sewe wrote:

> Michael Osipov wrote:
>>> Michael Osipov wrote:
>>>> Don't waste your time. Read [1]: aether.checksums.algorithms
>>>>
>>>> [1] https://maven.apache.org/resolver/configuration.html
>>>
>>> Thank you for the pointer. Just found this post when searching for a way
>>> to create .sha256 and .sha512 files during a "mvn deploy" but can't get
>>> it to work:
>>>
>>>   mvn deploy -Daether.checksums.algorithms=SHA-512,SHA-256,SHA1,MD5
>>>
>>> The above still only created .sha1 and .md5 files in my staging
>>> repository. What am I doing wrong?
>>
>> You need to update the bundled Maven Resolver version and it will work.
>> Mark Thomas is already using it with Maven Resolver Ant Tasks to push
>> Tomcat releases.
>
> Thanks Michael. That works like a charm.
Alas, I spoke too soon. It works on the command line, but I can't make
it an permanent part of my parent POM:

  <properties>

<aether.checksums.algorithms>SHA-512,SHA-256,SHA-1,MD5</aether.checksums.algorithms>
  </properties>

and

  <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-deploy-plugin</artifactId>
    <version>3.0.0-M1</version>
    <dependencies>
      <dependency>
        <groupId>org.apache.maven.shared</groupId>
        <artifactId>maven-artifact-transfer</artifactId>
        <version>0.13.1</version>
      </dependency>
    </dependencies>
  </plugin>

Can the Maven Resolver be configured by POM <properties> at all, or are
those read too late to make their way into the RepositorySystemSession [1]?

Best wishes,

Andreas Sewe

[1]
<https://github.com/apache/maven/blob/master/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java#L117>


signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: maven-gpg-plugin SHA512

Michael Osipov-2
Am 2021-03-11 um 17:25 schrieb Andreas Sewe:

> Andreas Sewe wrote:
>> Michael Osipov wrote:
>>>> Michael Osipov wrote:
>>>>> Don't waste your time. Read [1]: aether.checksums.algorithms
>>>>>
>>>>> [1] https://maven.apache.org/resolver/configuration.html
>>>>
>>>> Thank you for the pointer. Just found this post when searching for a way
>>>> to create .sha256 and .sha512 files during a "mvn deploy" but can't get
>>>> it to work:
>>>>
>>>>    mvn deploy -Daether.checksums.algorithms=SHA-512,SHA-256,SHA1,MD5
>>>>
>>>> The above still only created .sha1 and .md5 files in my staging
>>>> repository. What am I doing wrong?
>>>
>>> You need to update the bundled Maven Resolver version and it will work.
>>> Mark Thomas is already using it with Maven Resolver Ant Tasks to push
>>> Tomcat releases.
>>
>> Thanks Michael. That works like a charm.
>
> Alas, I spoke too soon. It works on the command line, but I can't make
> it an permanent part of my parent POM:
>
>    <properties>
>
> <aether.checksums.algorithms>SHA-512,SHA-256,SHA-1,MD5</aether.checksums.algorithms>
>    </properties>

This will not work. I do recommend to use
https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#arguments

Please try and tell...

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: maven-gpg-plugin SHA512

Bernd Eckenfels
Other question, why not change the defaults to include at least one less challenged checksum?


--
http://bernd.eckenfels.net
________________________________
Von: Michael Osipov <[hidden email]>
Gesendet: Sunday, March 14, 2021 9:46:55 PM
An: [hidden email] <[hidden email]>
Betreff: Re: maven-gpg-plugin SHA512

Am 2021-03-11 um 17:25 schrieb Andreas Sewe:

> Andreas Sewe wrote:
>> Michael Osipov wrote:
>>>> Michael Osipov wrote:
>>>>> Don't waste your time. Read [1]: aether.checksums.algorithms
>>>>>
>>>>> [1] https://maven.apache.org/resolver/configuration.html
>>>>
>>>> Thank you for the pointer. Just found this post when searching for a way
>>>> to create .sha256 and .sha512 files during a "mvn deploy" but can't get
>>>> it to work:
>>>>
>>>>    mvn deploy -Daether.checksums.algorithms=SHA-512,SHA-256,SHA1,MD5
>>>>
>>>> The above still only created .sha1 and .md5 files in my staging
>>>> repository. What am I doing wrong?
>>>
>>> You need to update the bundled Maven Resolver version and it will work.
>>> Mark Thomas is already using it with Maven Resolver Ant Tasks to push
>>> Tomcat releases.
>>
>> Thanks Michael. That works like a charm.
>
> Alas, I spoke too soon. It works on the command line, but I can't make
> it an permanent part of my parent POM:
>
>    <properties>
>
> <aether.checksums.algorithms>SHA-512,SHA-256,SHA-1,MD5</aether.checksums.algorithms>
>    </properties>

This will not work. I do recommend to use
https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#arguments

Please try and tell...

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: maven-gpg-plugin SHA512

Michael Osipov-2
Am 2021-03-14 um 22:19 schrieb Bernd Eckenfels:
> Other question, why not change the defaults to include at least one less challenged checksum?

Please rephrase your question. I don't understand it. May MRESOLVER-138
answers your question.

> ________________________________
> Von: Michael Osipov <[hidden email]>
> Gesendet: Sunday, March 14, 2021 9:46:55 PM
> An: [hidden email] <[hidden email]>
> Betreff: Re: maven-gpg-plugin SHA512
>
> Am 2021-03-11 um 17:25 schrieb Andreas Sewe:
>> Andreas Sewe wrote:
>>> Michael Osipov wrote:
>>>>> Michael Osipov wrote:
>>>>>> Don't waste your time. Read [1]: aether.checksums.algorithms
>>>>>>
>>>>>> [1] https://maven.apache.org/resolver/configuration.html
>>>>>
>>>>> Thank you for the pointer. Just found this post when searching for a way
>>>>> to create .sha256 and .sha512 files during a "mvn deploy" but can't get
>>>>> it to work:
>>>>>
>>>>>     mvn deploy -Daether.checksums.algorithms=SHA-512,SHA-256,SHA1,MD5
>>>>>
>>>>> The above still only created .sha1 and .md5 files in my staging
>>>>> repository. What am I doing wrong?
>>>>
>>>> You need to update the bundled Maven Resolver version and it will work.
>>>> Mark Thomas is already using it with Maven Resolver Ant Tasks to push
>>>> Tomcat releases.
>>>
>>> Thanks Michael. That works like a charm.
>>
>> Alas, I spoke too soon. It works on the command line, but I can't make
>> it an permanent part of my parent POM:
>>
>>     <properties>
>>
>> <aether.checksums.algorithms>SHA-512,SHA-256,SHA-1,MD5</aether.checksums.algorithms>
>>     </properties>
>
> This will not work. I do recommend to use
> https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#arguments
>
> Please try and tell...
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]