diff --git a/nmcp-tasks/src/main/kotlin/nmcp/transport/publishFileByFile.kt b/nmcp-tasks/src/main/kotlin/nmcp/transport/publishFileByFile.kt
index d66aa93..7fb1b6f 100644
--- a/nmcp-tasks/src/main/kotlin/nmcp/transport/publishFileByFile.kt
+++ b/nmcp-tasks/src/main/kotlin/nmcp/transport/publishFileByFile.kt
@@ -155,6 +155,9 @@ private fun publishGav(
 val bytes = encodeToXml(versionMetadata).toByteArray()
 transport.put(versionMetadataPath, bytes)
+ setOf("md5", "sha1", "sha512").forEach {
+ transport.put("$versionMetadataPath.$it", bytes.digest(it.uppercase()))
+ }
 } else {
 /**
 * Not a snapshot, plainly update all the files
diff --git a/nmcp/src/main/kotlin/nmcp/internal/utils.kt b/nmcp/src/main/kotlin/nmcp/internal/utils.kt
index 9052228..6b4ac41 100644
--- a/nmcp/src/main/kotlin/nmcp/internal/utils.kt
+++ b/nmcp/src/main/kotlin/nmcp/internal/utils.kt
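Review bot: The added loop passes `it.uppercase()` to `bytes.digest(...)`, which turns `"sha1"` and `"sha512"` into `SHA1` and `SHA512` rather than the JCA standard names `SHA-1` and `SHA-512`; if `digest` forwards the name to `MessageDigest`, this only works because the default JDK provider registers those spellings as aliases, and the behaviour of `digest` (in particular whether it returns lowercase hex text or raw digest bytes) is not visible in this hunk. Maven and Gradle read checksum files as hex text, so if `digest` returns raw bytes the three snapshot-metadata checksum files uploaded here would be unreadable by any resolver that validates them. I would make the algorithm names explicit and spell out the expectation, e.g. `mapOf("md5" to "MD5", "sha1" to "SHA-1", "sha512" to "SHA-512").forEach { (ext, algorithm) -> transport.put("$versionMetadataPath.$ext", bytes.digest(algorithm)) }` preceded by `// checksum files must contain the lowercase hex digest, matching what Maven/Gradle expect`. A one-line comment saying why sha256 is left out here (consistent with the checksum policy elsewhere in this commit) would also help the next reader. publishGav starts and ends outside the hunk.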
@@ -93,12 +93,27 @@ internal fun Project.registerPublishToCentralPortalTasks(
 // See https://slack-chats.kotlinlang.org/t/16407246/anyone-tried-the-https-central-sonatype-org-publish-publish-#c8738fe5-8051-4f64-809f-ca67a645216e
 it.exclude()
 }
- !publishAllChecksums && (it.name.endsWith(".sha256") || it.name.endsWith(".sha512")) -> {
- // It's not clear if those are used, and it reduces the number of files in the deployment
+ !publishAllChecksums && (it.name.endsWith(".sha256")) -> {
+ /**
+ * Stripping `.sha256` checksums leaves out:
+ * - md5 and sha1 checksums:
+ * - required by Maven Central checks
+ * - used by Maven for "transport" verification
+ * - sha512:
+ * - secure way for Gradle to to "security verification"
+ *
+ * see also https://maven.apache.org/resolver/about-checksums.html:
+ *
+ * ```
+ * Hence, the usual argument that "XXX algorithm is unsafe, deprecated, not secure anymore" does not stand in use case of Maven Resolver: there is nothing secure being involved with checksums. Moreover, this is true not only for SHA-1 algorithm, but even for its "elder brother" MD5. Both algorithms are still widely used today as "transport integrity validation" or "error detection" (aka "bit-rot detection").
+ * ```
+ */
 it.exclude()
 }
- !publishAllChecksums && (it.name.endsWith(".asc.md5") || it.name.endsWith(".asc.sha1")) -> {
- // It's not clear if those are used, and it reduces the number of files in the deployment
+ !publishAllChecksums && (it.name.endsWith(".asc.md5") || it.name.endsWith(".asc.sha1") || it.name.endsWith(".asc.sha256") || it.name.endsWith(".asc.sha512")) -> {
+ /**
+ * For signatures, we don't need checksums
+ */
 it.exclude()
 }
 }
diff --git a/tests/kmp/build.gradle.kts b/tests/kmp/build.gradle.kts
index c66a111..150f9ca 100644
--- a/tests/kmp/build.gradle.kts
+++ b/tests/kmp/build.gradle.kts
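Review bot: The first rewritten branch keeps a redundant pair of parentheses from the removed `||` — `!publishAllChecksums && it.name.endsWith(".sha256") -> {` reads cleaner — and its new comment has the typo "to to" and is written as a KDoc `/** */` block on a `when` branch, where a plain `//` or `/* */` comment is the convention. The comment also presents sha512 as the checksum for Gradle's "security verification"; Gradle dependency verification accepts sha256 as well, so if sha256 is dropped on purpose the comment should say it is a deployment-size choice, which is consistent with the quoted Maven Resolver text: none of these checksum files is a security control, the `.asc` signature is. The second branch's four `endsWith` calls could become `setOf("md5", "sha1", "sha256", "sha512").any { ext -> it.name.endsWith(".asc.$ext") }`, which keeps it in step with the first branch if the list changes; note `.asc.sha256` is already caught by the first branch, so its presence here is harmless but redundant. registerPublishToCentralPortalTasks starts and ends outside the hunk.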
@@ -80,119 +80,153 @@ tasks.register("checkZip") {
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1-sources.jar",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1-sources.jar.md5",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1-sources.jar.sha1",
+ "sample/kmp/module1-js/0.0.1/module1-js-0.0.1-sources.jar.sha512",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.klib",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.klib.md5",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.klib.sha1",
+ "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.klib.sha512",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.module",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.module.md5",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.module.sha1",
+ "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.module.sha512",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.pom",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.pom.md5",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.pom.sha1",
+ "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.pom.sha512",
 "sample/kmp/module1-jvm/",
 "sample/kmp/module1-jvm/0.0.1/",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1-sources.jar",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1-sources.jar.md5",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1-sources.jar.sha1",
+ "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1-sources.jar.sha512",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.jar",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.jar.md5",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.jar.sha1",
+ "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.jar.sha512",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.module",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.module.md5",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.module.sha1",
+ "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.module.sha512",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.pom",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.pom.md5",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.pom.sha1",
+ "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.pom.sha512",
 "sample/kmp/module1-linuxarm64/",
 "sample/kmp/module1-linuxarm64/0.0.1/",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1-sources.jar",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1-sources.jar.md5",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1-sources.jar.sha1",
+ "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1-sources.jar.sha512",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.klib",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.klib.md5",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.klib.sha1",
+ "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.klib.sha512",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.module",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.module.md5",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.module.sha1",
+ "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.module.sha512",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.pom",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.pom.md5",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.pom.sha1",
+ "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.pom.sha512",
 "sample/kmp/module1/",
 "sample/kmp/module1/0.0.1/",
 "sample/kmp/module1/0.0.1/module1-0.0.1-kotlin-tooling-metadata.json",
 "sample/kmp/module1/0.0.1/module1-0.0.1-kotlin-tooling-metadata.json.md5",
 "sample/kmp/module1/0.0.1/module1-0.0.1-kotlin-tooling-metadata.json.sha1",
+ "sample/kmp/module1/0.0.1/module1-0.0.1-kotlin-tooling-metadata.json.sha512",
 "sample/kmp/module1/0.0.1/module1-0.0.1-sources.jar",
 "sample/kmp/module1/0.0.1/module1-0.0.1-sources.jar.md5",
 "sample/kmp/module1/0.0.1/module1-0.0.1-sources.jar.sha1",
+ "sample/kmp/module1/0.0.1/module1-0.0.1-sources.jar.sha512",
 "sample/kmp/module1/0.0.1/module1-0.0.1.jar",
 "sample/kmp/module1/0.0.1/module1-0.0.1.jar.md5",
 "sample/kmp/module1/0.0.1/module1-0.0.1.jar.sha1",
+ "sample/kmp/module1/0.0.1/module1-0.0.1.jar.sha512",
 "sample/kmp/module1/0.0.1/module1-0.0.1.module",
 "sample/kmp/module1/0.0.1/module1-0.0.1.module.md5",
 "sample/kmp/module1/0.0.1/module1-0.0.1.module.sha1",
+ "sample/kmp/module1/0.0.1/module1-0.0.1.module.sha512",
 "sample/kmp/module1/0.0.1/module1-0.0.1.pom",
 "sample/kmp/module1/0.0.1/module1-0.0.1.pom.md5",
 "sample/kmp/module1/0.0.1/module1-0.0.1.pom.sha1",
+ "sample/kmp/module1/0.0.1/module1-0.0.1.pom.sha512",
 "sample/kmp/module2-js/",
 "sample/kmp/module2-js/0.0.1/",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1-sources.jar",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1-sources.jar.md5",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1-sources.jar.sha1",
+ "sample/kmp/module2-js/0.0.1/module2-js-0.0.1-sources.jar.sha512",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.klib",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.klib.md5",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.klib.sha1",
+ "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.klib.sha512",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.module",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.module.md5",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.module.sha1",
+ "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.module.sha512",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.pom",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.pom.md5",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.pom.sha1",
+ "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.pom.sha512",
 "sample/kmp/module2-jvm/",
 "sample/kmp/module2-jvm/0.0.1/",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1-sources.jar",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1-sources.jar.md5",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1-sources.jar.sha1",
+ "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1-sources.jar.sha512",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.jar",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.jar.md5",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.jar.sha1",
+ "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.jar.sha512",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.module",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.module.md5",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.module.sha1",
+ "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.module.sha512",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.pom",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.pom.md5",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.pom.sha1",
+ "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.pom.sha512",
 "sample/kmp/module2-linuxarm64/",
 "sample/kmp/module2-linuxarm64/0.0.1/",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1-sources.jar",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1-sources.jar.md5",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1-sources.jar.sha1",
+ "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1-sources.jar.sha512",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.klib",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.klib.md5",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.klib.sha1",
+ "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.klib.sha512",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.module",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.module.md5",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.module.sha1",
+ "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.module.sha512",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.pom",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.pom.md5",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.pom.sha1",
+ "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.pom.sha512",
 "sample/kmp/module2/",
 "sample/kmp/module2/0.0.1/",
 "sample/kmp/module2/0.0.1/module2-0.0.1-kotlin-tooling-metadata.json",
 "sample/kmp/module2/0.0.1/module2-0.0.1-kotlin-tooling-metadata.json.md5",
 "sample/kmp/module2/0.0.1/module2-0.0.1-kotlin-tooling-metadata.json.sha1",
+ "sample/kmp/module2/0.0.1/module2-0.0.1-kotlin-tooling-metadata.json.sha512",
 "sample/kmp/module2/0.0.1/module2-0.0.1-sources.jar",
 "sample/kmp/module2/0.0.1/module2-0.0.1-sources.jar.md5",
 "sample/kmp/module2/0.0.1/module2-0.0.1-sources.jar.sha1",
+ "sample/kmp/module2/0.0.1/module2-0.0.1-sources.jar.sha512",
 "sample/kmp/module2/0.0.1/module2-0.0.1.jar",
 "sample/kmp/module2/0.0.1/module2-0.0.1.jar.md5",
 "sample/kmp/module2/0.0.1/module2-0.0.1.jar.sha1",
+ "sample/kmp/module2/0.0.1/module2-0.0.1.jar.sha512",
 "sample/kmp/module2/0.0.1/module2-0.0.1.module",
 "sample/kmp/module2/0.0.1/module2-0.0.1.module.md5",
 "sample/kmp/module2/0.0.1/module2-0.0.1.module.sha1",
+ "sample/kmp/module2/0.0.1/module2-0.0.1.module.sha512",
 "sample/kmp/module2/0.0.1/module2-0.0.1.pom",
 "sample/kmp/module2/0.0.1/module2-0.0.1.pom.md5",
 "sample/kmp/module2/0.0.1/module2-0.0.1.pom.sha1",
+ "sample/kmp/module2/0.0.1/module2-0.0.1.pom.sha512",
 )
 )
 )