Install plugins command fails for maven central signatures (SHA512 checksums without a file part) #52413

Closed
dweiss opened this issue Feb 17, 2020 · 2 comments · Fixed by #52668

@dweiss
Contributor

dweiss commented Feb 17, 2020

Maven central artifact signatures don't carry a file name in checksums. ES fails when trying to install a published plugin with such signatures (InstallPluginCommand.java).

Example of a valid plugin that currently doesn't work (checksum itself is fine):
https://repo1.maven.org/maven2/org/carrot2/elasticsearch-carrot2/7.6.0/elasticsearch-carrot2-7.6.0.zip

I don't think workarounds exist (other than republishing with just md5/sha1). @rjernst What do you think?

@dweiss
Contributor Author

dweiss commented Feb 17, 2020

Just to be clear: these filename-component-less sha512 checksums are produced by Gradle and seem to be valid in the context of maven central - I see other artifacts with the same pattern (just the checksum).

I think the requirement for two components should be relaxed, here:
https://github.com/elastic/elasticsearch/blob/master/distribution/tools/plugin-cli/src/main/java/org/elasticsearch/plugins/InstallPluginCommand.java#L548-L566

otherwise it'll be hard to get maven central artifacts to work out of the box.

@romseygeek romseygeek added the :Core/Infra/Plugins Plugin API and infrastructure label Feb 17, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-core-infra (:Core/Infra/Plugins)

dweiss added a commit to carrot2/elasticsearch-carrot2 that referenced this issue Feb 18, 2020
rjernst added a commit to rjernst/elasticsearch that referenced this issue Feb 21, 2020
When installing plugins from remote sources, either the Elastic download
service, or maven, a checksum file is downloaded and checked against the
downloaded zip. The current format for official plugins is to use a
sha512 checksum which includes the zip filename. This format matches
that from sha512sum, and allows using the --check argument there to
verify the checksum manually. However, when generating checksum files
with maven and gradle, the filename is not included.

This commit relaxes the requirement of the filename existing within the
sha512 checksum file for maven plugins. We continue to strictly enforce
that official plugins have the existing format of the file.

closes elastic#52413
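
The two checksum-file formats described in the commit message above, as an added example that is not the Elasticsearch source: a verifier that accepts the bare Maven/Gradle digest only when the caller allows it and always requires the `sha512sum` layout otherwise. The class name, method name, `requireFilename` flag, sample file name and the choice to reject a mismatched filename in relaxed mode are assumptions made for illustration; `HexFormat` needs Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;

// Hypothetical helper, not InstallPluginCommand: checks a downloaded zip against its .sha512 file.
public class ChecksumFileCheck {

    // requireFilename = true  -> only "<hex>  <filename>" (sha512sum layout) is accepted.
    // requireFilename = false -> a bare "<hex>" line (Maven/Gradle layout) is accepted as well.
    static void verify(String checksumFile, byte[] zip, String expectedName,
                       boolean requireFilename) throws Exception {
        String[] lines = checksumFile.strip().split("\\R");
        if (lines.length != 1) throw new SecurityException("expected exactly one checksum line");
        String[] fields = lines[0].split(" {2}");          // sha512sum separates with two spaces
        if (fields.length > 2 || (requireFilename && fields.length != 2))
            throw new SecurityException("invalid checksum file format");
        // If a filename is present it must name the artifact we actually downloaded.
        if (fields.length == 2 && !fields[1].equals(expectedName))
            throw new SecurityException("checksum file names a different artifact: " + fields[1]);
        if (!fields[0].matches("[0-9a-fA-F]{128}"))        // SHA-512 = 64 bytes = 128 hex digits
            throw new SecurityException("not a SHA-512 hex digest");
        byte[] expected = HexFormat.of().parseHex(fields[0]);
        byte[] actual = MessageDigest.getInstance("SHA-512").digest(zip);
        if (!MessageDigest.isEqual(expected, actual))
            throw new SecurityException("SHA-512 mismatch");
    }

    static boolean rejected(String file, byte[] zip, String name, boolean strict) throws Exception {
        try { verify(file, zip, name, strict); return false; }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); return true; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: stand-in bytes for a plugin zip and a made-up file name.
        byte[] zip = "constructed sample zip bytes".getBytes(StandardCharsets.UTF_8);
        String name = "sample-plugin-1.0.0.zip";
        String hex = HexFormat.of().formatHex(MessageDigest.getInstance("SHA-512").digest(zip));

        verify(hex + "  " + name + "\n", zip, name, true);   // sha512sum layout, strict mode
        verify(hex + "\n", zip, name, false);                // bare digest, relaxed mode
        System.out.println("both accepted layouts verified");

        // Cases that must fail: bare digest in strict mode, wrong filename, tampered zip.
        boolean a = rejected(hex, zip, name, true);
        boolean b = rejected(hex + "  other.zip", zip, name, false);
        boolean c = rejected(hex, "tampered".getBytes(StandardCharsets.UTF_8), name, false);
        if (!(a && b && c)) throw new AssertionError("a bad checksum file was accepted");
    }
}
```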
rjernst added a commit that referenced this issue Feb 24, 2020