Bug 62695 - Provide sha512 checksums for Tomcat releases published to Maven
Summary: Provide sha512 checksums for Tomcat releases published to Maven
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Packaging (show other bugs)
Version: 9.0.x
Hardware: PC All
: P2 normal (vote)
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2018-09-07 14:04 UTC by Konstantin Kolinko
Modified: 2020-11-26 11:37 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Konstantin Kolinko 2018-09-07 14:04:38 UTC
Reviewing release candidates for Tomcat 8.5.34, 9.0.12, their artifacts at Maven staging repository have only md5 and sha1 checksums.

This can bee seen here:
[1] https://repository.apache.org/content/repositories/orgapachetomcat-1193/org/apache/tomcat/tomcat/9.0.12/
[2] https://repository.apache.org/content/repositories/orgapachetomcat-1194/org/apache/tomcat/tomcat/8.5.34/

The new distribution requirements at ASF has been discussed elsewhere and I know that for Apache Parent POM the feature to implement more secure checksums is tracked as
[3] https://issues.apache.org/jira/browse/MPOM-205

The project fro Apache Parent POM is
[4] https://maven.apache.org/pom/asf/

At [4] scroll down for "History" and see the "diff" link for changes between versions 21 and 20. A step was added to manually generate *.sha512 files at build time.
Comment 1 Michael Osipov 2018-09-07 18:45:13 UTC
Uploads to RSO are excepted because there is a rule in Nexus staging which checks for files. We need a modification in Nexus and Maven Central to allow SHA256 and SHA512 files. We have already discussed this with Henk Penning.

The dist area must contain SHA256/512.
Comment 2 Mark Thomas 2019-01-24 13:29:34 UTC
This is the INFRA ticket where the Nexus changes are being tracked:

I'm marking this issue as NEEDINFO to indicate that progress is paused waiting on an update to that ticket. I've also added myself as a watcher to that ticket so i can follow any progress.
Comment 3 Mark Thomas 2020-05-29 19:35:03 UTC
The ASF Nexus instance has now been upgraded to allow this.

The Tomcat builds have been switched from the unsupported Maven Ant Tasks to the supported Maven Resolver Ant Tasks.

Work is in hand to update the Maven Resolver Ant Tasks to create SHA-256 and SHA-512 hashes.

We aren't there yet but progress is being made.
Comment 4 Mark Thomas 2020-11-26 09:39:34 UTC
Maven Resolver Ant Tasks 1.3.0 includes the necessary functionality.

Fixed in:
- 10.0.x for 10.0.0-M11 onwards
- 9.0.x for 9.0.41 onwards
- 8.5.x for 8.5.61 onwards
- 7.0.x for 7.0.108 onwards