Igniters,

I've been preparing the 3.0.0-alpha1 release and got confused about the requirements for checksums in Maven deployments. The Apache instruction [1] states that MD5 is deprecated and SHA1 should be avoided in favor of SHA-256 or SHA-512. However, it looks like we are still using the MD5/SHA1 combination (at least that's what the staging for 2.9.1 [2] contains).

On top of that, I can't find an easy way to switch to another checksum - Maven deploy plugin [3] creates MD5 and SHA1 files automatically and doesn't seem to have any options to tweak this behavior.

That said, I have two questions:

1. Are we required to use SHA512, or is MD5/SHA1 OK for now?
2. Is there a painless way to include SHA512 in addition to MD5/SHA1?

Can anyone shed some light on this?

[1] https://infra.apache.org/release-signing.html#basic-facts
[2] https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
[3] https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html

-Val

Hi,

I've never done this before, but it seems like we need maven-gpg-plugin for it [1].

Algorithm configuration would look like this:
<gpgArguments>
  <arg>--digest-algo=SHA512</arg>
</gpgArguments>

Maybe this will help.

[1] http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html

Mon, Dec 28, 2020 at 01:25, Valentin Kulichenko <[hidden email]>:
> Igniters,
>
> I've been preparing the 3.0.0-alpha1 release and got confused about the
> requirements for checksums in Maven deployments. The Apache instruction [1]
> states that MD5 is deprecated and SHA1 should be avoided in favor of
> SHA-256 or SHA-512. However, it looks like we are still using the MD5/SHA1
> combination (at least that's what the staging for 2.9.1 [2] contains).
>
> On top of that, I can't find an easy way to switch to another checksum -
> Maven deploy plugin [3] creates MD5 and SHA1 files automatically and
> doesn't seem to have any options to tweak this behavior.
>
> That said, I have two questions:
>
> 1. Are we required to use SHA512, or is MD5/SHA1 OK for now?
> 2. Is there a painless way to include SHA512 in addition to MD5/SHA1?
>
> Can anyone shed some light on this?
>
> [1] https://infra.apache.org/release-signing.html#basic-facts
> [2] https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
> [3] https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
>
> -Val

--
Sincerely yours,
Ivan Bessonov

Hi Ivan,

Thanks for your response. I've looked into the PGP plugin, and unfortunately it looks like it only can create signatures, but not checksums.

-Val

On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov <[hidden email]> wrote:
> Hi,
>
> I've never done this before, but it seems like we need maven-gpg-plugin for
> it [1].
>
> Algorithm configuration would look like this:
> <gpgArguments>
>   <arg>--digest-algo=SHA512</arg>
> </gpgArguments>
>
> Maybe this will help.
>
> [1] http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html
>
> --
> Sincerely yours,
> Ivan Bessonov

Folks,

Were you able to resolve this?

2020-12-28 22:15 GMT+03:00, Valentin Kulichenko <[hidden email]>:
> Hi Ivan,
>
> Thanks for your response. I've looked into the PGP plugin, and
> unfortunately it looks like it only can create signatures, but not
> checksums.
>
> -Val

--
Best regards,
Ivan Pavlukhin

Hi Ivan,

No, I haven't found a way yet. SHA1 still works, but I believe we should consider using better options in future releases.

Do you have any ideas on how to implement this?

-Val

On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin <[hidden email]> wrote:
> Folks,
>
> Were you able to resolve this?
>
> --
> Best regards,
> Ivan Pavlukhin

Maybe we could donate to the Maven plugin the possibility to switch to SHA-512.
Hopefully, a new plugin version will be released before we have any release candidate.

Does it look like a big deal?

Wed, Jan 13, 2021, 21:32 Valentin Kulichenko <[hidden email]>:
> Hi Ivan,
>
> No, I haven't found a way yet. SHA1 still works, but I believe we should
> consider using better options in future releases.
>
> Do you have any ideas on how to implement this?
>
> -Val

Hi Andrey,

This indeed sounds like the cleanest way. I don't know how much effort that would be though.

-Val

On Wed, Jan 13, 2021 at 11:01 AM Andrey Mashenkov <[hidden email]> wrote:
> Maybe we could donate to the Maven plugin the possibility to switch to SHA-512.
> Hopefully, a new plugin version will be released before we have any release
> candidate.
>
> Does it look like a big deal?

Val,

I've just found Maven projects use SHA-512.
I passed through commits and found they just switched to newer parent org.apache:apache pom.
I've compared our current parent pom with the latest available one (org.apache:apache:16 vs org.apache:apache:23) and then found checksum-maven-plugin was added [1] somewhen in between.

So, seems we have to switch to newer apache pom and maybe add checksum-maven-plugin to our main pom.

[1] https://github.com/apache/maven-apache-parent/commit/a46aa52b4b56d9b7aa62e1b8cbea5ff0af434a

On Wed, Jan 13, 2021 at 10:41 PM Valentin Kulichenko <[hidden email]> wrote:
> Hi Andrey,
>
> This indeed sounds like the cleanest way. I don't know how much effort that
> would be though.
>
> -Val

--
Best regards,
Andrey V. Mashenkov

Andrey,

This sounds even better. Can you create a ticket for this change?

-Val

On Wed, Jan 13, 2021 at 2:34 PM Andrey Mashenkov <[hidden email]> wrote:
> Val,
>
> I've just found Maven projects use SHA-512.
> I passed through commits and found they just switched to newer parent
> org.apache:apache pom.
> I've compared our current parent pom with the latest available one
> (org.apache:apache:16 vs org.apache:apache:23)
> and then found checksum-maven-plugin was added [1] somewhen in between.
>
> So, seems we have to switch to newer apache pom and maybe add
> checksum-maven-plugin
> to our main pom.
>
> [1] https://github.com/apache/maven-apache-parent/commit/a46aa52b4b56d9b7aa62e1b8cbea5ff0af434a
>
> --
> Best regards,
> Andrey V. Mashenkov

It seems that parent is already updated in https://issues.apache.org/jira/browse/IGNITE-13987

> On 14 Jan 2021, at 01:57, Valentin Kulichenko <[hidden email]> wrote:
>
> Andrey,
>
> This sounds even better. Can you create a ticket for this change?
>
> -Val

I've made "mvn clean install" with enabled "apache-release" profile and see *.sha-512 checksum files in target directories.
So, upgrading to the latest apache parent looks sufficient.

On Thu, Jan 14, 2021 at 12:30 PM Petr Ivanov <[hidden email]> wrote:
> It seems that parent is already updated in
> https://issues.apache.org/jira/browse/IGNITE-13987

--
Best regards,
Andrey V. Mashenkov

Andrey,
Did you try on the 2.x or 3.x? I've just tried to do the same in ignite-3, but it didn't work for me. I've updated the parent pom version to 23 and ran "mvn clean deploy -Papache-release". The source package is now signed with SHA512, which is good, but there was no effect on the JAR artifacts. As a matter of fact, I don't see any checksum files for them. My guess is that by default they are generated by the deploy plugin, during the upload to Maven. Here is the resulting staging (still MD5 and SHA1): https://repository.apache.org/content/repositories/orgapacheignite-1505/ Does it behave in the same way for you? -Val |
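A way to check the outcome described in the message above (JARs staged with only MD5/SHA1 while the source package has SHA-512), as an added example that is not part of the thread: the script walks a local copy of a Maven repository layout, verifies every checksum sidecar, and flags artifacts that lack a valid SHA-256/SHA-512. The `org/example/demo` layout, the file contents and all function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Sidecar extension -> hashlib algorithm name, in reporting order.
SIDECARS = {"md5": "md5", "sha1": "sha1", "sha256": "sha256", "sha512": "sha512"}
STRONG = {"sha256", "sha512"}
# Primary artifact types to audit (assumption: adjust to what the release ships).
ARTIFACT_SUFFIXES = {".jar", ".pom", ".zip"}


def file_digest(path, algorithm):
    """Hex digest of a file, read in chunks so large JARs are fine."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def read_sidecar(path):
    """A sidecar holds a hex digest, optionally followed by the file name."""
    text = path.read_text(encoding="ascii", errors="replace").strip()
    return text.split()[0].lower() if text else ""


def audit_repository(root):
    """Map each artifact to the sidecars present, the ones that do not match,
    and whether it lacks a *valid* SHA-256/SHA-512 checksum."""
    root = Path(root)
    report = {}
    for artifact in sorted(root.rglob("*")):
        if not artifact.is_file() or artifact.suffix not in ARTIFACT_SUFFIXES:
            continue  # skips the sidecars themselves, .asc signatures, etc.
        present, mismatch = [], []
        for ext, algorithm in SIDECARS.items():
            sidecar = artifact.with_name(artifact.name + "." + ext)
            if not sidecar.is_file():
                continue
            present.append(ext)
            if read_sidecar(sidecar) != file_digest(artifact, algorithm):
                mismatch.append(ext)
        valid = set(present) - set(mismatch)
        report[artifact.relative_to(root).as_posix()] = {
            "present": present,
            "mismatch": mismatch,
            "lacks_strong": not (STRONG & valid),
        }
    return report


def build_sample_repo(root):
    """Constructed sample layout (not real release data)."""
    base = Path(root) / "org/example/demo/1.0"
    base.mkdir(parents=True)
    # Binary JAR with only the sidecars the deploy step produced in the thread.
    jar = base / "demo-1.0.jar"
    jar.write_bytes(b"constructed jar bytes")
    for ext in ("md5", "sha1"):
        (base / (jar.name + "." + ext)).write_text(file_digest(jar, ext))
    # Source package with a SHA-512 sidecar in "digest  filename" form.
    src = base / "demo-1.0-source-release.zip"
    src.write_bytes(b"constructed source archive")
    (base / (src.name + ".sha512")).write_text(
        file_digest(src, "sha512") + "  " + src.name + "\n")
    # POM whose only sidecar does not match its content.
    pom = base / "demo-1.0.pom"
    pom.write_bytes(b"<project/>")
    (base / (pom.name + ".sha1")).write_text("0" * 40)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        for name, result in audit_repository(tmp).items():
            status = "NEEDS SHA-256/512" if result["lacks_strong"] else "ok"
            print(f"{status:18} {name} present={result['present']} "
                  f"mismatch={result['mismatch']}")
```

Run against a downloaded copy of a staging repository, the `lacks_strong` entries are the artifacts that still depend on MD5/SHA1 alone.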
Val, I didn't find a way to make a local deploy. So I just made 'install'. Yes, you are right, only the source jar is signed. It seems we need to configure the checksum plugin for signing binary jars, as is done in Maven-parent or any other project. |
I've created a ticket for the issue [1].
Someone who fully understands the release process may pick it up. [1] https://issues.apache.org/jira/browse/IGNITE-13999 -- Best regards, Andrey V. Mashenkov |
I will take it over. |