The maven-publish plugin generates MD5 und SHA1 checksum files for all artifacts by default. But is there any way to make the plugin generate secure checksum files (SHA512 would be preferred)?
This is pretty easy to reproduce. I just initialized a new java-library project and added the maven-publish plugin and it's configuration
build.gradle:
apply plugin: 'java'
apply plugin: 'maven-publish'
repositories {
jcenter()
}
dependencies {
}
publishing {
repositories {
maven {
url rootProject.buildDir.path + '/repo'
}
}
publications {
mavenJava(MavenPublication) {
groupId = 'org.gradle.sample'
artifactId = 'project1-sample'
version = '1.1'
from components.java
}
}
}
I already consulted the gradle documentation and javadoc, but was not able to find any hints on the checksum files at all. I know I can generate checksums for the artifacts pretty easily using the ANT checksum task like this
doLast {
ant.checksum(file: archivePath, algorithm: "SHA-512")
}
But I would somehow need to place them in the correct folder aside the actual artifacts "manually", which is something I'd like to avoid.
EDIT:
If it's not possible to specify the checksum algorithm, is it somehow possible to hook into the publish task and add a custom checksum file to the artifact destination folders? I don't want add the checksum files themselves as artifacts as there would be MD5 and SHA1 checksums for the checksums, which makes no sense.
Gradle 6.0 released in November 2019 uses SHA-256 and SHA-512 as hash algorithms by default in its maven-publish plugin. See
Note that Gradle 6.0.1 added a way to suppress the use of these newer algorithms because some artifact servers do not accept them: