Generate SHA512 Checksum File using maven-publish Plugin in gradle

Question

The maven-publish plugin generates MD5 und SHA1 checksum files for all artifacts by default. But is there any way to make the plugin generate secure checksum files (SHA512 would be preferred)?

This is pretty easy to reproduce. I just initialized a new java-library project and added the maven-publish plugin and it's configuration

build.gradle:

apply plugin: 'java'
apply plugin: 'maven-publish'

repositories {
  jcenter()
}

dependencies {
}

publishing {
  repositories {
    maven {
      url rootProject.buildDir.path + '/repo'
    }
  }
  publications {
    mavenJava(MavenPublication) {
      groupId = 'org.gradle.sample'
      artifactId = 'project1-sample'
      version = '1.1'

      from components.java
    }
  }
}

I already consulted the gradle documentation and javadoc, but was not able to find any hints on the checksum files at all. I know I can generate checksums for the artifacts pretty easily using the ANT checksum task like this

doLast {
  ant.checksum(file: archivePath, algorithm: "SHA-512")
}

But I would somehow need to place them in the correct folder aside the actual artifacts "manually", which is something I'd like to avoid.

---

EDIT:
If it's not possible to specify the checksum algorithm, is it somehow possible to hook into the publish task and add a custom checksum file to the artifact destination folders? I don't want add the checksum files themselves as artifacts as there would be MD5 and SHA1 checksums for the checksums, which makes no sense.

Answer 1

Gradle 6.0 released in November 2019 uses SHA-256 and SHA-512 as hash algorithms by default in its maven-publish plugin. See

• https://docs.gradle.org/6.0/release-notes.html ("Publication of SHA256 and SHA512 checksums")
• https://github.com/gradle/gradle/security/advisories/GHSA-mrm8-42q4-6rm7

Note that Gradle 6.0.1 added a way to suppress the use of these newer algorithms because some artifact servers do not accept them:

• https://docs.gradle.org/6.0.1/release-notes.html ("Publication of SHA256 and SHA512 checksums")
• add -Dorg.gradle.internal.publish.checksums.insecure=true to the CLI or add systemProp.org.gradle.internal.publish.checksums.insecure=true to your gradle.properties file

Answer 2

In short

You probably can’t configure the checksum algorithms used by maven-publish as they seem to be hard-coded.

In more detail

Gradle uses Sonatype Aether from org.gradle.api.publication.maven.internal.action.MavenDeployAction to publish to Maven repositories. You can find a reference to this class in the debug log for your build:

23:23:23.232 [INFO] [org.gradle.api.publication.maven.internal.action.MavenDeployAction] Deploying to file:/tmp/foobar/build/repo/

No checksum algorithms seem to be passed there in the DeployRequest to Aether. In other words, Aether seems to choose the algorithms itself somehow.

Looking at this from the Aether side, the only references to sha1 in non-test files that I can find in the Aether repository are these three: 1, 2, 3. These three classes also seem to be the only (non-test) users of the calc method of org.sonatype.aether.util.ChecksumUtils for calculating checksums. In other words: no matter which of these classes are transitively used by Gradle (unless it should weirdly get the checksums from somewhere else), in each case both the SHA-1 and the MD5 checksum algorithms are hardcoded and you can’t change them.