search

eclipse-tycho / tycho

Tycho project repository (tycho)
https://tycho.eclipseprojects.io
Eclipse Public License 2.0
168 stars 189 forks source link

MD5 checksums are not removed or overwritten by tycho-p2-repository-plugin:fix-artifacts-metadata #4159

Open tivervac opened 1 month ago

tivervac commented 1 month ago

In our build we run jarsigning with our own key on everything we ship. However, running mvn install on the following project will run tycho-p2-repository-plugin:fix-artifacts-metadata, but the download.md5 and download.checksum.md5 in the artifacts.xml won't be overwritten. This will fail install of our plugin in older Eclipses.

I found that the MD5 checksum is not overwritten because shouldPublish is false here. Coming from here in Tycho. The tycho-p2-repository-plugin documentation doesn't mention how to enable it.

noMD5Overwrite.zip

Note the difference in MD5 sums. The one in the artifacts.xml is incorrect.

$ md5sum plugins/com.fasterxml.jackson.core.jackson-annotations_2.13.2.v20220426-1653.jar 
dcdaa7ee2f0fc1ea5452d4254bbf7105  plugins/com.fasterxml.jackson.core.jackson-annotations_2.13.2.v20220426-1653.jar
$ cat artifacts.xml | grep 'md5'   
        <property name='download.md5' value='d64cf96519be354aaf64c42c4ef878fb'/>
        <property name='download.checksum.md5' value='d64cf96519be354aaf64c42c4ef878fb'/>
tivervac commented 1 month ago

Note that running mvn install will cause a failure in the verify-repository goal. This is unrelated and reported here