Expand Up @@ -155,6 +155,9 @@ private fun publishGav(

val bytes = encodeToXml(versionMetadata).toByteArray()
transport.put(versionMetadataPath, bytes)
setOf("md5", "sha1", "sha512").forEach {
transport.put("$versionMetadataPath.$it", bytes.digest(it.uppercase()))
}
} else {
/**
* Not a snapshot, plainly update all the files
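--- a/nmcp/src/main/kotlin/nmcp/internal/utils.kt
+++ b/nmcp/src/main/kotlin/nmcp/internal/utils.kt
@@ -93,12 +93,27 @@ internal fun Project.registerPublishToCentralPortalTasks(
 // See https://slack-chats.kotlinlang.org/t/16407246/anyone-tried-the-https-central-sonatype-org-publish-publish-#c8738fe5-8051-4f64-809f-ca67a645216e
 it.exclude()
 }
-!publishAllChecksums && (it.name.endsWith(".sha256") || it.name.endsWith(".sha512")) -> {
-// It's not clear if those are used, and it reduces the number of files in the deployment
+!publishAllChecksums && (it.name.endsWith(".sha256")) -> {
+/**
+* Stripping `.sha256` checksums leaves out:
+* - md5 and sha1 checksums:
+* - required by Maven Central checks
+* - used by Maven for "transport" verification
+* - sha512:
+* - secure way for Gradle to to "security verification"
+*
+* see also https://maven.apache.org/resolver/about-checksums.html:
+*
+* ```
+* Hence, the usual argument that "XXX algorithm is unsafe, deprecated, not secure anymore" does not stand in use case of Maven Resolver: there is nothing secure being involved with checksums. Moreover, this is true not only for SHA-1 algorithm, but even for its "elder brother" MD5. Both algorithms are still widely used today as "transport integrity validation" or "error detection" (aka "bit-rot detection").
+* ```
+*/
 it.exclude()
 }
-!publishAllChecksums && (it.name.endsWith(".asc.md5") || it.name.endsWith(".asc.sha1")) -> {
-// It's not clear if those are used, and it reduces the number of files in the deployment
+!publishAllChecksums && (it.name.endsWith(".asc.md5") || it.name.endsWith(".asc.sha1") || it.name.endsWith(".asc.sha256") || it.name.endsWith(".asc.sha512")) -> {
+/**
+* For signatures, we don't need checksums
+*/
 it.exclude()
 }
 }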
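Review bot: In the `.sha256` branch, the new comment calls `.sha512` a "secure way for Gradle to to 'security verification'", which overstates what a checksum published beside the artifact provides: whoever can replace the artifact in the repository can replace its `.sha512` as well, so it detects corruption, while authenticity comes from the `.asc` signature or from a digest the consumer pins out of band (Gradle's dependency-verification metadata, as far as I know). I would reword that bullet to something like `* - sha512: strongest digest kept; integrity only, authenticity comes from the .asc signature or a consumer-pinned hash`, fix the "to to" typo, and write "leaves in the deployment" instead of "leaves out", which reads as the opposite. Separately, `.asc.sha256` already matches the `.sha256` branch just above when `publishAllChecksums` is false, so the added `it.name.endsWith(".asc.sha256")` only matters if the branch order changes; a short `// also covered by the .sha256 branch above` would save the next reader the check. The `when` and its enclosing function start and end outside this hunk.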
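--- a/tests/kmp/build.gradle.kts
+++ b/tests/kmp/build.gradle.kts
@@ -80,119 +80,153 @@ tasks.register("checkZip") {
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1-sources.jar",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1-sources.jar.md5",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1-sources.jar.sha1",
+"sample/kmp/module1-js/0.0.1/module1-js-0.0.1-sources.jar.sha512",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.klib",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.klib.md5",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.klib.sha1",
+"sample/kmp/module1-js/0.0.1/module1-js-0.0.1.klib.sha512",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.module",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.module.md5",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.module.sha1",
+"sample/kmp/module1-js/0.0.1/module1-js-0.0.1.module.sha512",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.pom",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.pom.md5",
 "sample/kmp/module1-js/0.0.1/module1-js-0.0.1.pom.sha1",
+"sample/kmp/module1-js/0.0.1/module1-js-0.0.1.pom.sha512",
 "sample/kmp/module1-jvm/",
 "sample/kmp/module1-jvm/0.0.1/",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1-sources.jar",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1-sources.jar.md5",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1-sources.jar.sha1",
+"sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1-sources.jar.sha512",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.jar",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.jar.md5",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.jar.sha1",
+"sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.jar.sha512",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.module",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.module.md5",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.module.sha1",
+"sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.module.sha512",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.pom",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.pom.md5",
 "sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.pom.sha1",
+"sample/kmp/module1-jvm/0.0.1/module1-jvm-0.0.1.pom.sha512",
 "sample/kmp/module1-linuxarm64/",
 "sample/kmp/module1-linuxarm64/0.0.1/",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1-sources.jar",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1-sources.jar.md5",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1-sources.jar.sha1",
+"sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1-sources.jar.sha512",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.klib",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.klib.md5",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.klib.sha1",
+"sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.klib.sha512",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.module",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.module.md5",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.module.sha1",
+"sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.module.sha512",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.pom",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.pom.md5",
 "sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.pom.sha1",
+"sample/kmp/module1-linuxarm64/0.0.1/module1-linuxarm64-0.0.1.pom.sha512",
 "sample/kmp/module1/",
 "sample/kmp/module1/0.0.1/",
 "sample/kmp/module1/0.0.1/module1-0.0.1-kotlin-tooling-metadata.json",
 "sample/kmp/module1/0.0.1/module1-0.0.1-kotlin-tooling-metadata.json.md5",
 "sample/kmp/module1/0.0.1/module1-0.0.1-kotlin-tooling-metadata.json.sha1",
+"sample/kmp/module1/0.0.1/module1-0.0.1-kotlin-tooling-metadata.json.sha512",
 "sample/kmp/module1/0.0.1/module1-0.0.1-sources.jar",
 "sample/kmp/module1/0.0.1/module1-0.0.1-sources.jar.md5",
 "sample/kmp/module1/0.0.1/module1-0.0.1-sources.jar.sha1",
+"sample/kmp/module1/0.0.1/module1-0.0.1-sources.jar.sha512",
 "sample/kmp/module1/0.0.1/module1-0.0.1.jar",
 "sample/kmp/module1/0.0.1/module1-0.0.1.jar.md5",
 "sample/kmp/module1/0.0.1/module1-0.0.1.jar.sha1",
+"sample/kmp/module1/0.0.1/module1-0.0.1.jar.sha512",
 "sample/kmp/module1/0.0.1/module1-0.0.1.module",
 "sample/kmp/module1/0.0.1/module1-0.0.1.module.md5",
 "sample/kmp/module1/0.0.1/module1-0.0.1.module.sha1",
+"sample/kmp/module1/0.0.1/module1-0.0.1.module.sha512",
 "sample/kmp/module1/0.0.1/module1-0.0.1.pom",
 "sample/kmp/module1/0.0.1/module1-0.0.1.pom.md5",
 "sample/kmp/module1/0.0.1/module1-0.0.1.pom.sha1",
+"sample/kmp/module1/0.0.1/module1-0.0.1.pom.sha512",
 "sample/kmp/module2-js/",
 "sample/kmp/module2-js/0.0.1/",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1-sources.jar",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1-sources.jar.md5",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1-sources.jar.sha1",
+"sample/kmp/module2-js/0.0.1/module2-js-0.0.1-sources.jar.sha512",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.klib",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.klib.md5",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.klib.sha1",
+"sample/kmp/module2-js/0.0.1/module2-js-0.0.1.klib.sha512",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.module",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.module.md5",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.module.sha1",
+"sample/kmp/module2-js/0.0.1/module2-js-0.0.1.module.sha512",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.pom",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.pom.md5",
 "sample/kmp/module2-js/0.0.1/module2-js-0.0.1.pom.sha1",
+"sample/kmp/module2-js/0.0.1/module2-js-0.0.1.pom.sha512",
 "sample/kmp/module2-jvm/",
 "sample/kmp/module2-jvm/0.0.1/",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1-sources.jar",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1-sources.jar.md5",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1-sources.jar.sha1",
+"sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1-sources.jar.sha512",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.jar",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.jar.md5",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.jar.sha1",
+"sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.jar.sha512",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.module",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.module.md5",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.module.sha1",
+"sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.module.sha512",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.pom",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.pom.md5",
 "sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.pom.sha1",
+"sample/kmp/module2-jvm/0.0.1/module2-jvm-0.0.1.pom.sha512",
 "sample/kmp/module2-linuxarm64/",
 "sample/kmp/module2-linuxarm64/0.0.1/",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1-sources.jar",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1-sources.jar.md5",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1-sources.jar.sha1",
+"sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1-sources.jar.sha512",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.klib",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.klib.md5",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.klib.sha1",
+"sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.klib.sha512",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.module",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.module.md5",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.module.sha1",
+"sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.module.sha512",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.pom",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.pom.md5",
 "sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.pom.sha1",
+"sample/kmp/module2-linuxarm64/0.0.1/module2-linuxarm64-0.0.1.pom.sha512",
 "sample/kmp/module2/",
 "sample/kmp/module2/0.0.1/",
 "sample/kmp/module2/0.0.1/module2-0.0.1-kotlin-tooling-metadata.json",
 "sample/kmp/module2/0.0.1/module2-0.0.1-kotlin-tooling-metadata.json.md5",
 "sample/kmp/module2/0.0.1/module2-0.0.1-kotlin-tooling-metadata.json.sha1",
+"sample/kmp/module2/0.0.1/module2-0.0.1-kotlin-tooling-metadata.json.sha512",
 "sample/kmp/module2/0.0.1/module2-0.0.1-sources.jar",
 "sample/kmp/module2/0.0.1/module2-0.0.1-sources.jar.md5",
 "sample/kmp/module2/0.0.1/module2-0.0.1-sources.jar.sha1",
+"sample/kmp/module2/0.0.1/module2-0.0.1-sources.jar.sha512",
 "sample/kmp/module2/0.0.1/module2-0.0.1.jar",
 "sample/kmp/module2/0.0.1/module2-0.0.1.jar.md5",
 "sample/kmp/module2/0.0.1/module2-0.0.1.jar.sha1",
+"sample/kmp/module2/0.0.1/module2-0.0.1.jar.sha512",
 "sample/kmp/module2/0.0.1/module2-0.0.1.module",
 "sample/kmp/module2/0.0.1/module2-0.0.1.module.md5",
 "sample/kmp/module2/0.0.1/module2-0.0.1.module.sha1",
+"sample/kmp/module2/0.0.1/module2-0.0.1.module.sha512",
 "sample/kmp/module2/0.0.1/module2-0.0.1.pom",
 "sample/kmp/module2/0.0.1/module2-0.0.1.pom.md5",
 "sample/kmp/module2/0.0.1/module2-0.0.1.pom.sha1",
+"sample/kmp/module2/0.0.1/module2-0.0.1.pom.sha512",
 )
 )
 )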