luke
/
sbt
mirror of https://github.com/sbt/sbt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[2.x] fix: Skip checksums for PGP signature files (.asc) (#8535) 

## Problem
When using `publishSigned` (via sbt-pgp), sbt creates checksum files (e.g., `.pom.asc.sha1`) for PGP signature files (`.asc`). This violates Maven norms, where checksums should only be generated for raw artifacts like JARs and POMs, not for signatures.

## Solution
Modified the checksum generation logic in `ChecksumFriendlyURLResolver.put` (in `lm-ivy/src/main/scala/sbt/internal/librarymanagement/ConvertResolver.scala`) to skip generating checksums for artifacts whose names end with `.asc`.
This commit is contained in:
Dairus 2026-01-15 07:04:33 +01:00 committed by GitHub
parent b2db55768c
commit 7368252678
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lm-ivy/src/main/scala/sbt/internal/librarymanagement/ConvertResolver.scala
View File

@ -119,11 +119,13 @@ private[sbt] object ConvertResolver {
repository.put(artifact, src, dest, overwrite);
// Fix for sbt#1156 - Artifactory will auto-generate MD5/sha1 files, so
// we need to overwrite what it has.
for (checksum <- checksums) {
putChecksumMethod match {
case Some(method) =>
method.invoke(this, artifact, src, dest, true: java.lang.Boolean, checksum)
case None => // TODO - issue warning?
if (!artifact.getName.endsWith(".asc")) {
for (checksum <- checksums) {
putChecksumMethod match {
case Some(method) =>
method.invoke(this, artifact, src, dest, true: java.lang.Boolean, checksum)
case None => // TODO - issue warning?
}
}
}
if (signerName != null) {