maven-metadata.xml SHA256 and SHA512 checksums prevent publishing to Nexus #11308

Closed
120011676 opened this issue Nov 11, 2019 · 19 comments

@120011676 120011676 commented Nov 11, 2019

Expected Behavior

publish Maven Repository success

Current Behavior

Screen Shot 2019-11-11 at 18 51 30

```
failureMessage Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/com/github/120011676/vine/maven-metadata.xml.sha512'
failureMessage Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/com/github/120011676/vine/maven-metadata.xml.sha256'
```

Context

publish Maven Repository

Steps to Reproduce

https://github.com/120011676/vine

Your Environment

Build scan URL: https://github.com/120011676/vine

Contributor

@melix melix commented Nov 11, 2019

Does Gradle fail the upload task or is it emitted as a warning? Normally if the repository doesn't support sha512 we continue.

Author

@120011676 120011676 commented Nov 12, 2019

@melix Maven central warehouse used, 5.6.3 did not appear, how can I succeed?

Contributor

@melix melix commented Nov 12, 2019

Is it just me or you are using a GitHub package registry here? There's a known issue with GitHub. We're working with them so that they fix it.

Contributor

@melix melix commented Nov 12, 2019

I'm going to ping Sonatype and link to this issue, there may be something wrong with the validation of maven-metadata.xml.

For reference, see comments in https://issues.sonatype.org/browse/MVNCENTRAL-5276

@melix melix self-assigned this Nov 12, 2019
@ljacomet ljacomet added this to the 6.0.1 milestone Nov 12, 2019
Author

@120011676 120011676 commented Nov 13, 2019

@melix Fabulous. Yes, I have a comment

Contributor

@vlsi vlsi commented Nov 13, 2019

Does that mean Gradle 6.0.1 could have a feature-flag to avoid publishing sha256 / sha512 for artifacts and metadata?

Contributor

@melix melix commented Nov 13, 2019

Sonatype is planning a fix. If it's too late to ship, we'll have to consider a flag, but we'd like to avoid this situation.

Contributor

@vlsi vlsi commented Nov 13, 2019

> but we'd like to avoid this situation.

Exactly

> If it's too late to ship, we'll have to consider a flag

A bit of a story: the "Nexus vs Gradle 6" issue did hit us when trying to release Apache JMeter yesterday.

The Apache Software Foundation is still using Nexus 2.x, and it would take time to make ASF sha512-compatible. It would require either a Nexus 2->3 upgrade, or back-porting of the fix, or migrating to Artifactory or whatever.

I beg your pardon, but I'm inclined to request a feature flag (even though I recognize the year is 2019) as the upgrade of ASF infra might take a while (there was an attempt in 2016-2017, and it was just closed). In the meantime, I've asked re ASF Nexus upgrade

Contributor

@melix melix commented Nov 13, 2019

Ok so let's prioritize a magic flag for 6.0.1.

Author

@120011676 120011676 commented Nov 13, 2019

Like, encourage upgrading

melix added a commit that referenced this issue Nov 13, 2019
This commit adds an internal system property which can be used as
a workaround whenever the remote repository doesn't accept SHA-256
and SHA-512 checksums. Gradle is fail-safe when it cannot upload
those files, however, in some situations, the remote repository may
not allow promoting the release if it finds such files. This is the
case in older repositories, or currently with Maven Central.

To disable publication of both SHA-256 and SHA-512 checksums, either:

- add `-Dorg.gradle.internal.publish.checksums.insecure` to the CLI or
- add `org.gradle.internal.publish.checksums.insecure=true` to your
`gradle.properties` file

Fixes #11308
Contributor

@melix melix commented Nov 14, 2019

Before I merge the workaround, I'd like to double check that the Gradle build indeed did not fail, and that's only in Nexus that you're seeing the problem.

Author

@120011676 120011676 commented Nov 14, 2019

@melix One other bug found, I don't know
#11371

Contributor

@jjohannes jjohannes commented Nov 15, 2019

@120011676 we have included a flag for a 6.0.1 patch release. Here is a nightly containing the change:
https://services.gradle.org/distributions-snapshots/gradle-6.0.1-20191115004001+0000-bin.zip
It would be very much appreciated if you can acknowledge that it works for you.

To disable publication of both SHA-256 and SHA-512 checksums, either:

  • add -Dorg.gradle.internal.publish.checksums.insecure to the CLI or
  • add org.gradle.internal.publish.checksums.insecure=true to your
    gradle.properties file

Contributor

@vlsi vlsi commented Nov 15, 2019

@jjohannes , are you sure that snapshot includes the fix?

I've tried gradle-6.0.1-20191115004001+0000-all.zip , and it still publishes sha256 and sha512 files.
Then I opened /.gradle/wrapper/dists/gradle-6.0.1-20191115004001+0000-all/8vxyfuyndjkwgc528crr43wp/gradle-6.0.1-20191115004001+0000, and I don't see the fix there:

```
$ grep publishChecksums -A 8 ExternalResourceResolver.java
        publishChecksums(destination, src);
    }

    private void publishChecksums(ExternalResourceName destination, File content) {
        publishChecksum(destination, content, "sha1", 40);

        publishPossiblyUnsupportedChecksum(destination, content, "sha-256", 64);
        publishPossiblyUnsupportedChecksum(destination, content, "sha-512", 128);
    }

    private void publishPossiblyUnsupportedChecksum(ExternalResourceName destination, File content, String algorithm, int length) {
        try {
```

Is it what you would expect?

Just in case, I've tried to specify all the possible options at the same time (-D, -P, and the option in gradle.properties), and Gradle still publishes sha256 and sha512.

If that matters, I tested both -all and -bin snapshots, and they both publish sha256/512 :-/

Member

@ljacomet ljacomet commented Nov 15, 2019

Sorry, two things at play here:

  • First a copy/paste mistake in the nightly version. Please use 6.0.1-20191115103811+0000 as the version, or https\://services.gradle.org/distributions-snapshots/gradle-6.0.1-20191115103811+0000-bin.zip for the gradle-wrapper.properties
  • The instructions need to be corrected:
    • Adding -Dorg.gradle.internal.publish.checksums.insecure=true on the CLI
    • Adding systemProp.org.gradle.internal.publish.checksums.insecure=true to gradle.properties

ljacomet added a commit that referenced this issue Nov 15, 2019
Also document them in the publishing chapter.

Issue #11308
Contributor

@vlsi vlsi commented Nov 15, 2019

Thanks for the clarification.

I've tried 6.0.1-20191115103811+0000, and I confirm systemProp.org.gradle.internal.publish.checksums.insecure=true works: it does not produce sha256/512 for artifacts / maven-metadata.xml / module files.

PS I verify with a Nexus stub ( https://github.com/vlsi/asflike-release-environment ), so the mileage may vary.
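
A release-side check related to the confirmation above, as an added example that is not part of the original thread or of Gradle's code: it audits a file-based Maven repository directory and reports, per published file, the strongest checksum sidecar that actually verifies, so a publication without the SHA-256/SHA-512 sidecars shows up with SHA-1 as its strongest verified checksum. The function names, directory layout and sample metadata are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Sidecar extensions (also valid hashlib names), weakest first.
ALGORITHMS = ["sha1", "sha256", "sha512"]
SIDECAR_EXTS = {"." + a for a in ALGORITHMS} | {".md5", ".asc"}


def audit_publication(root):
    """Return {relative path: (strongest verified algorithm or None, [mismatched])}."""
    root = Path(root)
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix in SIDECAR_EXTS:
            continue  # sidecars are checked via the file they describe
        data = path.read_bytes()
        strongest, mismatched = None, []
        for algo in ALGORITHMS:
            sidecar = path.with_name(path.name + "." + algo)
            if not sidecar.is_file():
                continue
            # Some tools write "<hex>  <filename>"; keep only the digest token.
            recorded = (sidecar.read_text().split() or [""])[0].lower()
            if recorded == hashlib.new(algo, data).hexdigest():
                strongest = algo  # later entries are stronger, so the last match wins
            else:
                mismatched.append(algo)
        report[path.relative_to(root).as_posix()] = (strongest, mismatched)
    return report


def build_sample_repo(root, algorithms):
    """Constructed sample: one metadata file plus the requested sidecars."""
    meta = Path(root) / "com/example/demo/maven-metadata.xml"
    meta.parent.mkdir(parents=True)
    meta.write_bytes(b"<metadata><artifactId>demo</artifactId></metadata>\n")
    for algo in algorithms:
        digest = hashlib.new(algo, meta.read_bytes()).hexdigest()
        meta.with_name(meta.name + "." + algo).write_text(digest)
    return meta


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp, ["sha1"])  # layout without sha256/sha512 sidecars
        for name, (strongest, bad) in audit_publication(tmp).items():
            print(name, "strongest verified:", strongest, "mismatched:", bad)
```

Pointing `audit_publication` at the output of a publication to a local `file://` repository shows which files would reach consumers with only a SHA-1 sidecar.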

ljacomet added a commit that referenced this issue Nov 15, 2019
Also document their creation in the publishing chapter.

Issue #11308
@big-guy big-guy changed the title from "gradle 6.0 publish Maven Repository error" to "maven-metadata.xml SHA256 and SHA512 checksums prevent publishing to Nexus" Nov 15, 2019
DanySK added a commit to DanySK/java-quadtree that referenced this issue Apr 9, 2020
DanySK added a commit to Protelis/Protelis that referenced this issue Apr 10, 2020
io7m added a commit to NYPL-Simplified/Simplified-Android-Core that referenced this issue Apr 14, 2020
This adds a flag that enables a workaround for OSSRH publishing.

Affects: https://issues.sonatype.org/browse/OSSRH-56352
Affects: gradle/gradle#11308 (comment)
io7m added a commit to NYPL-Simplified/Simplified-Android-Core that referenced this issue Apr 16, 2020
This adds a check to the start of the build script
to verify that the build is being performed with the
org.gradle.internal.publish.checksums.insecure property set. This
ensures that the project can be deployed to Central without checksum
issues.

References: gradle/gradle#11308 (comment)
mizosoft added a commit to mizosoft/methanol that referenced this issue Apr 17, 2020
andrey-fomin added a commit to fomin/oas-gen that referenced this issue Apr 22, 2020
mrapplexz added a commit to pearxteam/cursekt that referenced this issue Apr 24, 2020
ZacSweers added a commit to slackhq/keeper that referenced this issue May 9, 2020
this is what broke our releases in 6.4 and this works around it for now

See gradle/gradle#11308
ZacSweers added a commit to slackhq/keeper that referenced this issue May 11, 2020
* Suppress sha256 for metadata

this is what broke our releases in 6.4 and this works around it for now

See gradle/gradle#11308

* Bump AGP version on CI to 3.6.3

* Kotlin 1.3.72

* Zipflinger 3.6.3

* Update more misc deps

* More AGP

* Shade in newer zipflinger version

Resolves #38

* Update sample okio libraries

* Clarify comment and exclude guava too
zach-klippenstein added a commit to square/workflow-kotlin-compose that referenced this issue May 12, 2020
chrisbanes pushed a commit to google/accompanist that referenced this issue May 15, 2020
mrapplexz added a commit to pearxteam/kasechange that referenced this issue May 17, 2020
dtreskunov pushed a commit to dtreskunov/easyssl that referenced this issue May 19, 2020
Errors visible in https://oss.sonatype.org/#stagingRepositories under
Activity > release:

Artifact updating: Repository ='releases:Releases' does not allow updating
artifact='/com/github/dtreskunov/easyssl/maven-metadata.xml.sha512'

Artifact updating: Repository ='releases:Releases' does not allow updating
artifact='/com/github/dtreskunov/easyssl/maven-metadata.xml.sha256'

gradle/gradle#11308
chris-allan added a commit to glencoesoftware/bioformats2raw that referenced this issue May 20, 2020
Gradle publishes sha256/512 checksum which are incompatible with the
current version of Nexus we are using.  See also:

 * gradle/gradle#11308
 * https://issues.sonatype.org/browse/NEXUS-21802
 * https://issues.sonatype.org/browse/NEXUS-23603

@phreakadelle phreakadelle commented Oct 5, 2020

Thanks for providing the switch.

We were forced to use the -Dorg.gradle.internal.publish.checksums.insecure=true parameter as we are using Gradle 6.5.1 and Nexus 2.14.15-01


@gavenkoa gavenkoa commented Nov 17, 2020

I hit the problem with Nexus OSS 3.28.1 and systemProp.org.gradle.internal.publish.checksums.insecure=true in gradle.properties is a solution.

According to https://issues.sonatype.org/browse/NEXUS-21802 fix is in v2.14.18 but not in v3.x:

> MSDE Team yes, the support was added to NXRM2 but hasn't yet been done in NXRM3, NEXUS-23603 is the ticket in question, please do add a vote on there

3.x still has the issue, see: https://issues.sonatype.org/browse/NEXUS-23603


@alexeyOnGitHub alexeyOnGitHub commented Apr 23, 2021

does this "-Dorg.gradle.internal.publish.checksums.insecure=true" flag turn off all sha publishing or just for 256 and 512?
