Reviewing release candidates for Tomcat 8.5.34, 9.0.12, their artifacts at Maven staging repository have only md5 and sha1 checksums. This can be seen here:
[1] https://repository.apache.org/content/repositories/orgapachetomcat-1193/org/apache/tomcat/tomcat/9.0.12/
[2] https://repository.apache.org/content/repositories/orgapachetomcat-1194/org/apache/tomcat/tomcat/8.5.34/
The new distribution requirements at ASF have been discussed elsewhere and I know that for Apache Parent POM the feature to implement more secure checksums is tracked as
[3] https://issues.apache.org/jira/browse/MPOM-205
The project for Apache Parent POM is
[4] https://maven.apache.org/pom/asf/
At [4] scroll down for "History" and see the "diff" link for changes between versions 21 and 20. A step was added to manually generate *.sha512 files at build time.
Uploads to RSO are excepted because there is a rule in Nexus staging which checks for files. We need a modification in Nexus and Maven Central to allow SHA256 and SHA512 files. We have already discussed this with Henk Penning. The dist area must contain SHA256/512.
This is the INFRA ticket where the Nexus changes are being tracked: https://issues.apache.org/jira/browse/INFRA-14923 I'm marking this issue as NEEDINFO to indicate that progress is paused waiting on an update to that ticket. I've also added myself as a watcher to that ticket so I can follow any progress.
The ASF Nexus instance has now been upgraded to allow this. The Tomcat builds have been switched from the unsupported Maven Ant Tasks to the supported Maven Resolver Ant Tasks. Work is in hand to update the Maven Resolver Ant Tasks to create SHA-256 and SHA-512 hashes. We aren't there yet but progress is being made.
Maven Resolver Ant Tasks 1.3.0 includes the necessary functionality.
Fixed in:
- 10.0.x for 10.0.0-M11 onwards
- 9.0.x for 9.0.41 onwards
- 8.5.x for 8.5.61 onwards
- 7.0.x for 7.0.108 onwards
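A check a release reviewer could run over a local copy of a staging directory, flagging artifacts that carry only .md5/.sha1 sidecars and verifying any .sha256/.sha512 files that are present. This is an added example, not part of the thread or of the Tomcat or Maven builds; the functions `audit` and `build_sample` and the sample file names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

WEAK = ("md5", "sha1")
STRONG = ("sha256", "sha512")
SIDECARS = WEAK + STRONG + ("asc",)

def audit(repo_dir):
    """Map each artifact name to its list of strong-checksum problems."""
    report = {}
    for artifact in sorted(Path(repo_dir).iterdir()):
        if not artifact.is_file() or artifact.suffix.lstrip(".") in SIDECARS:
            continue  # checksum and signature files are not artifacts
        data = artifact.read_bytes()
        problems = []
        for algo in STRONG:
            sidecar = artifact.with_name(f"{artifact.name}.{algo}")
            if not sidecar.exists():
                problems.append(f"missing .{algo}")
                continue
            # Sidecars hold "<hex>" or "<hex>  <filename>"; compare the first token.
            tokens = sidecar.read_text().split()
            expected = tokens[0].lower() if tokens else ""
            if expected != hashlib.new(algo, data).hexdigest():
                problems.append(f"mismatch .{algo}")
        report[artifact.name] = problems
    return report

def build_sample(repo_dir):
    """Constructed sample: one weak-only artifact, one complete, one stale."""
    repo = Path(repo_dir)
    for name in ("old-style.jar", "new-style.jar", "tampered.jar"):
        data = name.encode()
        (repo / name).write_bytes(data)
        algos = WEAK if name == "old-style.jar" else WEAK + STRONG
        for algo in algos:
            (repo / f"{name}.{algo}").write_text(hashlib.new(algo, data).hexdigest() + "\n")
    # Simulate an artifact changed after its checksums were generated.
    (repo / "tampered.jar").write_bytes(b"modified after hashing")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for name, problems in audit(d).items():
            print(name, "OK" if not problems else ", ".join(problems))
```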
Please note: https://github.com/apache/tomcat/commit/997ea27b77fe08db2bc19bdb8b15ddbde9662675#r44558572