Generate SHA512 Checksum File using maven-publish Plugin in gradle

Gradle 6.0, released in November 2019, uses SHA-256 and SHA-512 as hash algorithms by default in its maven-publish plugin. See:

  • https://docs.gradle.org/6.0/release-notes.html ("Publication of SHA256 and SHA512 checksums")
  • https://github.com/gradle/gradle/security/advisories/GHSA-mrm8-42q4-6rm7

Note that Gradle 6.0.1 added a way to suppress the use of these newer algorithms because some artifact servers do not accept them:

  • https://docs.gradle.org/6.0.1/release-notes.html ("Publication of SHA256 and SHA512 checksums")
  • add -Dorg.gradle.internal.publish.checksums.insecure=true to the CLI or add systemProp.org.gradle.internal.publish.checksums.insecure=true to your gradle.properties file

In short

You probably can’t configure the checksum algorithms used by maven-publish as they seem to be hard-coded.

In more detail

Gradle uses Sonatype Aether from org.gradle.api.publication.maven.internal.action.MavenDeployAction to publish to Maven repositories. You can find a reference to this class in the debug log for your build:

23:23:23.232 [INFO] [org.gradle.api.publication.maven.internal.action.MavenDeployAction] Deploying to file:/tmp/foobar/build/repo/

No checksum algorithms seem to be passed there in the DeployRequest to Aether. In other words, Aether seems to choose the algorithms itself somehow.

Looking at this from the Aether side, the only references to sha1 in non-test files that I can find in the Aether repository are these three: 1, 2, 3. These three classes also seem to be the only (non-test) users of the calc method of org.sonatype.aether.util.ChecksumUtils for calculating checksums. In other words: whichever of these classes Gradle ends up using transitively (unless it should weirdly get the checksums from somewhere else), in each case both the SHA-1 and the MD5 checksum algorithms are hard-coded and you can’t change them.
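As an added example that is not part of the original answer: a POSIX shell script a repository administrator or consumer can run over a Maven-layout directory (such as the file:/tmp/foobar/build/repo/ target above) to confirm that every artifact has the SHA-512 and SHA-256 sidecar files Gradle 6.0+ publishes and that they match the artifact bytes. It assumes coreutils sha256sum/sha512sum or macOS shasum are available and that repository paths contain no whitespace.

```shell
#!/bin/sh
# Added example, not from the original answer or from Gradle.
# Verifies the .sha512 and .sha256 checksum files that maven-publish writes
# next to each artifact (lib-1.0.jar, lib-1.0.jar.sha512, lib-1.0.jar.sha256).

# Print the lowercase hex digest of file $2 using SHA-$1 (256 or 512).
digest() {
  if command -v "sha$1sum" >/dev/null 2>&1; then
    "sha$1sum" "$2" | cut -d' ' -f1
  else
    shasum -a "$1" "$2" | cut -d' ' -f1   # macOS fallback
  fi
}

# Check one artifact against its .sha512 and .sha256 sidecars.
# Returns 0 only when both exist and match. A sidecar may hold just the hex
# digest (what Gradle writes) or "digest  filename" (what sha512sum writes).
verify_artifact() {
  art="$1"
  rc=0
  for bits in 512 256; do
    side="$art.sha$bits"
    if [ ! -f "$side" ]; then
      echo "MISSING  $side (only legacy md5/sha1 published?)" >&2
      rc=1
      continue
    fi
    expected=$(tr -d '\r\n' < "$side" | cut -d' ' -f1 | tr 'A-F' 'a-f')
    actual=$(digest "$bits" "$art")
    if [ "$expected" != "$actual" ]; then
      echo "MISMATCH $side" >&2
      rc=1
    fi
  done
  return $rc
}

# Walk a repository directory; every file that is not itself a checksum or
# signature sidecar is treated as an artifact. Returns 0 only if all pass.
verify_repo() {
  status=0
  for f in $(find "$1" -type f ! -name '*.md5' ! -name '*.sha1' \
                       ! -name '*.sha256' ! -name '*.sha512' ! -name '*.asc'); do
    verify_artifact "$f" || status=1
  done
  return $status
}
```

Run it as `verify_repo /tmp/foobar/build/repo` after publishing; a non-zero exit means at least one artifact lacks a strong checksum or its bytes no longer match what was published.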