Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use sha256 checksums to verify maven dependencies #2998

Merged
merged 3 commits into from
Feb 5, 2025
Merged

Use sha256 checksums to verify maven dependencies #2998

merged 3 commits into from
Feb 5, 2025
+1,090 −1,087

Conversation

sstone
Copy link
Member

@sstone sstone commented Feb 5, 2025

Using sha256 is as secure, diffs will be easier, sha256 checksums are more commonly used and it makes more sense for a bitcoin project.

@codecov-commenter
Copy link

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.07%. Comparing base (12df4ce) to head (ddb1bb7).
Report is 8 commits behind head on master.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #2998      +/-   ##
==========================================
+ Coverage   86.02%   86.07%   +0.05%     
==========================================
  Files         227      228       +1     
  Lines       20371    20452      +81     
  Branches      815      846      +31     
==========================================
+ Hits        17524    17605      +81     
  Misses       2847     2847

see 11 files with indirect coverage changes

@sstone sstone requested review from pm47 and t-bast February 5, 2025 17:22
@sstone sstone mentioned this pull request Feb 5, 2025
Merged
pm47
pm47 reviewed Feb 5, 2025
View reviewed changes
Copy link
Member

@pm47 pm47 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was able to reproduce an identical checksum file by following this procedure:

  1. delete ~/.m2/wrapper
  2. delete ~/.sbt
  3. delete .mvn/checksums/checksums-central.sha256
  4. run ./mvnw clean install scoverage:report -DskipTests -Daether.artifactResolver.postProcessor.trustedChecksums.record

I think this should be documented in BUILD.md

@sstone
Copy link
Member Author

sstone commented Feb 5, 2025

I was able to reproduce an identical checksum file by following this procedure:

1. delete `~/.m2/wrapper`

2. delete `~/.sbt`

3. delete `.mvn/checksums/checksums-central.sha256`

4. run `./mvnw clean install scoverage:report -DskipTests -Daether.artifactResolver.postProcessor.trustedChecksums.record`

I think this should be documented in BUILD.md

Done in 83c5280

@sstone sstone merged commit 8e46889 into master Feb 5, 2025
1 check passed
@sstone sstone deleted the sha256-checksums branch February 5, 2025 18:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pm47 pm47 pm47 approved these changes

@t-bast t-bast Awaiting requested review from t-bast

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sstone @codecov-commenter @pm47