From 7368252678162aafcd70869e793a94cd7894671b Mon Sep 17 00:00:00 2001 From: Dairus Date: Thu, 15 Jan 2026 07:04:33 +0100 Subject: [PATCH] [2.x] fix: Skip checksums for PGP signature files (.asc) (#8535) ## Problem When using `publishSigned` (via sbt-pgp), sbt creates checksum files (e.g., `.pom.asc.sha1`) for PGP signature files (`.asc`). This violates Maven norms, where checksums should only be generated for raw artifacts like JARs and POMs, not for signatures. ## Solution Modified the checksum generation logic in `ChecksumFriendlyURLResolver.put` (in `lm-ivy/src/main/scala/sbt/internal/librarymanagement/ConvertResolver.scala`) to skip generating checksums for artifacts whose names end with `.asc`. --- .../internal/librarymanagement/ConvertResolver.scala | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/lm-ivy/src/main/scala/sbt/internal/librarymanagement/ConvertResolver.scala b/lm-ivy/src/main/scala/sbt/internal/librarymanagement/ConvertResolver.scala index 56eb6b786..81cb1c435 100644 --- a/lm-ivy/src/main/scala/sbt/internal/librarymanagement/ConvertResolver.scala +++ b/lm-ivy/src/main/scala/sbt/internal/librarymanagement/ConvertResolver.scala @@ -119,11 +119,13 @@ private[sbt] object ConvertResolver { repository.put(artifact, src, dest, overwrite); // Fix for sbt#1156 - Artifactory will auto-generate MD5/sha1 files, so // we need to overwrite what it has. - for (checksum <- checksums) { - putChecksumMethod match { - case Some(method) => - method.invoke(this, artifact, src, dest, true: java.lang.Boolean, checksum) - case None => // TODO - issue warning? + if (!artifact.getName.endsWith(".asc")) { + for (checksum <- checksums) { + putChecksumMethod match { + case Some(method) => + method.invoke(this, artifact, src, dest, true: java.lang.Boolean, checksum) + case None => // TODO - issue warning? + } } } if (signerName != null) {