Closed lauzadis closed 5 months ago
Root cause: The content of `/aws/sdk/kotlin/iotanalytics-jvm/1.1.14/iotanalytics-jvm-1.1.14.pom.md5` began with `07 07 02`, which is the magic number for cpio crc archives, causing Sonatype Nexus to treat it like an archive when it wasn't. Fixed by bumping our SDK version to 1.1.15 (skipping 1.1.14) which results in a different MD5 checksum.
This should probably be fixed in Sonatype. This has happened to our teams 3 times in the past 2 years, so it's not uncommon as it seems.
Hi @lauzadis thanks for opening an issue. The staging capability of Nexus Repository 2 is a Pro only feature, which suggests you have a paid license and can contact Sonatype Support for support on this topic.
What problem are you trying to solve?
We've recently started seeing a rules validation error `no-traversal-paths-in-archive-file: Archives must not contain insecure paths` when closing our staging repository (in preparation for release). The artifact that fails this rule has not been changed since our last successful release. Has something changed in Nexus to cause this new validation failure?
The file that fails this rule is named `iotanalytics-jvm-1.1.14.pom.md5`, it contains the MD5 checksum for `iotanalytics-jvm-1.1.14.pom`. It is not an archive and definitely doesn't contain any paths.
The full error message is: `Unable to process file /aws/sdk/kotlin/iotanalytics-jvm/1.1.14/iotanalytics-jvm-1.1.14.pom.md5: null`. The `null` message makes me think there is some issue with Sonatype Nexus, but I'm not sure what.
Do you have a workaround you are using at present?
There's no workaround for us. We are fully blocked on publishing our artifacts.
What feature or behavior is this required for?
This is required for successfully closing and releasing our staging repositories.
How could we solve this issue? (Not knowing is okay!)
Help us by providing some more information about this validation rule, why it's failing, and how we can prevent it from failing. Is it possible to disable the MD5 checksum? There are also SHA1, SHA256, SHA512, etc. checksum files but MD5 is the only one which seems to be failing.
Tell us about your Nexus Repository deployment: what version, operating system, and database are you using?
We are using v2.15.1. I'm not sure about the OS / database.
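A pre-publish check for the condition named in the root-cause comment, as an added example (not code from this thread or from Sonatype): it flags checksum sidecar files whose hex text begins with an ASCII cpio magic. The function names are hypothetical, it assumes the validator identifies archives by their leading bytes, and it goes beyond the one case on the page by also covering the two other ASCII cpio magics.

```python
import hashlib

# ASCII cpio header magics. All six bytes are hex digits, so the text of a
# hex digest can begin with any of them by chance.
CPIO_ASCII_MAGICS = {
    b"070701": "cpio newc",
    b"070702": "cpio newc with CRC",  # the magic named in the root cause
    b"070707": "cpio odc",
}
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def checksum_sidecars(name: str, artifact: bytes) -> dict:
    """Build the sidecar files (name -> content) published next to an artifact."""
    return {
        f"{name}.{algo}": hashlib.new(algo, artifact).hexdigest().encode("ascii")
        for algo in ALGORITHMS
    }


def sniffed_as_archive(content: bytes):
    """Return the format a leading-bytes sniffer would report, else None."""
    for magic, fmt in CPIO_ASCII_MAGICS.items():
        if content.startswith(magic):
            return fmt
    return None


def flag_sidecars(sidecars: dict) -> list:
    """List (file name, sniffed format) for every sidecar that looks like an archive."""
    hits = []
    for fname, content in sorted(sidecars.items()):
        fmt = sniffed_as_archive(content)
        if fmt is not None:
            hits.append((fname, fmt))
    return hits


if __name__ == "__main__":
    # Constructed sample: real digests of a stand-in POM, plus one hand-made
    # .md5 whose text starts with 070702 to show what a hit looks like.
    pom = b"<project><version>0.0.0-example</version></project>"
    files = checksum_sidecars("example-0.0.0.pom", pom)
    files["constructed.pom.md5"] = b"070702" + b"ab" * 13
    for fname, fmt in flag_sidecars(files):
        print(f"{fname}: content starts like {fmt}; rebuild or bump the version")
```

Running this over the generated checksum files before uploading to staging surfaces the collision locally, where changing the artifact (as the version bump in this thread did) is cheap.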