Community Support - Maven Central / MVNCENTRAL-5276

Validation should support SHA256 and SHA512 checksums

    Details

      Description

      This is related to MVNCENTRAL-2859 but not the same.

      In Gradle 6 we planned to support uploading .sha256 and .sha512 files in addition to the insecure .md5 and .sha1 checksums.

      As tested by Marc Philipp from the JUnit team, this works properly on the OSS snapshot repository, but Maven Central refuses them in the validation phase: it considers the `.sha256` and `.sha512` files as regular artifacts instead of checksums, so it complains that they are missing... checksums and signatures!

      It would be great to whitelist those files during validation in order to unblock us. This is important for security, as detailed in the aforementioned ticket.

      See https://github.com/gradle/gradle/pull/11053 for details.


              People

              Assignee:
              jorlina Joel Orlina
              Reporter:
              melix Cédric Champeau
              Last Updated By:
              Martin Todorov
              Votes:
              22
              Watchers:
              33
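
The validation behaviour described in this ticket can be reproduced with a simplified model. This is an added example, not Maven Central's or Gradle's code: the rule set (every artifact needs an `.asc` signature and at least one checksum), the file names and the messages are assumptions made for illustration.

```python
import hashlib

SIGNATURE = ".asc"
# Sidecar suffix -> hashlib algorithm name.
LEGACY = {".md5": "md5", ".sha1": "sha1"}
EXTENDED = {**LEGACY, ".sha256": "sha256", ".sha512": "sha512"}

def split_sidecar(name, checksums):
    """Return (described_file, suffix) for a checksum sidecar, else (name, None)."""
    for suffix in checksums:
        if name.endswith(suffix):
            return name[: -len(suffix)], suffix
    return name, None

def validate(staged, checksums):
    """staged maps file name -> bytes; returns a list of validation problems."""
    problems = []
    for name in sorted(staged):
        base, suffix = split_sidecar(name, checksums)
        if suffix:  # checksum sidecar: compare with a digest of the file it describes
            if base not in staged:
                problems.append(f"{name}: orphan checksum")
                continue
            expected = hashlib.new(checksums[suffix], staged[base]).hexdigest()
            # Accept both "<hex>" and "<hex>  <file name>" layouts.
            found = (staged[name].decode("ascii", "replace").split() or [""])[0]
            if found.lower() != expected:
                problems.append(f"{name}: digest mismatch")
        elif not name.endswith(SIGNATURE):  # regular artifact
            if name + SIGNATURE not in staged:
                problems.append(f"{name}: missing signature")
            if not any(name + s in staged for s in checksums):
                problems.append(f"{name}: missing checksum")
    return problems

def sample_upload():
    """Constructed upload: one jar, its signature and all four checksum files."""
    jar = b"constructed jar bytes"
    files = {"demo-1.0.jar": jar, "demo-1.0.jar.asc": b"constructed signature"}
    for suffix, algo in EXTENDED.items():
        files["demo-1.0.jar" + suffix] = hashlib.new(algo, jar).hexdigest().encode()
    return files

if __name__ == "__main__":
    print("legacy suffix list:", validate(sample_upload(), LEGACY))
    print("extended suffix list:", validate(sample_upload(), EXTENDED))
```

With the legacy suffix list the `.sha256` and `.sha512` files are reported as artifacts lacking signatures and checksums; with the extended list they are accepted and their contents are checked against the jar.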
