Add checksum report as option during build phase #1465

Closed
gregturn opened this issue Aug 28, 2014 · 6 comments
Labels
status: declined (A suggestion or change that we don't feel we should currently apply), type: enhancement (A general enhancement)

Comments

@gregturn
Contributor

Generating a report showing the checksums of everything packaged into either a JAR or WAR would be useful for many end users.

Here are some brainstormed ideas I would want in this report if I was at my old job where we had such process standards in place:

  • checksum value or SHA hash of each file bundled (like JARs, support files, etc.)
  • at a minimum the report should be generated adjacent to the JAR, so people can pick up the report and hand it to QA, auditors, etc. Such teams can probably easily incorporate it into their processes as desired
  • embedding the report inside a JAR might be convenient as well (if possible). This way, any given JAR file can be interrogated to see if it matches an independently registered file
  • optionally adding things like git hash values to the report if git is being used would enhance traceability to the source
  • optionally embed a free form text value in the report. This would probably allow end users to customize the report in ways we can't predict. People might embed their own control codes, labels, etc.

@philwebb
Member

@gregturn Have you seen any plugins/tools for this? It seems like it could be a generally useful plugin even if you aren't using Boot.

@kennyk65

Original requirement from the customer was to see the 'version of the app', which of course is a little ambiguous. I think they'd like to see the war/jar name, plus the classpath. Their use case is just for auditing purposes.

@gregturn
Contributor Author

@philwebb For the record, I have done zero research in plugins.

@frankr12

We are using maven-jarsigner-plugin for signing the final artifact. It will give a listing of all files, libraries and their SHA hashes in META-INF/MANIFEST.MF. Not a nice report but I guess it can easily be turned into one.
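
Added example (not part of the thread, and not Spring Boot or jarsigner code): a Python script that turns the per-entry digests a signed JAR carries in META-INF/MANIFEST.MF into a checksum report and checks each one against the archive contents. The function names, status labels and the in-memory sample JAR are constructed for illustration.

```python
import base64, hashlib, io, zipfile

MANIFEST = "META-INF/MANIFEST.MF"
# Per-entry digest attributes found in the manifest -> hashlib algorithm names
ALGS = {"SHA-256-Digest": "sha256", "SHA1-Digest": "sha1", "SHA-512-Digest": "sha512"}
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # signature files are not listed entries

def manifest_digests(text):
    """Parse per-entry manifest sections into {entry name: (attribute, base64 digest)}."""
    # Normalise line endings, then unfold continuation lines (newline + one space).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        attr = next((a for a in ALGS if a in attrs), None)
        if "Name" in attrs and attr:
            entries[attrs["Name"]] = (attr, attrs[attr])
    return entries

def checksum_report(jar_bytes):
    """Return (entry, algorithm, hex digest, status) for each file in the archive."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        listed = manifest_digests(jar.read(MANIFEST).decode("utf-8"))
        for info in jar.infolist():
            name = info.filename
            is_sig = name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES)
            if info.is_dir() or name == MANIFEST or is_sig:
                continue
            attr, expected = listed.get(name, ("SHA-256-Digest", None))
            actual = hashlib.new(ALGS[attr], jar.read(info)).digest()
            if expected is None:
                status = "UNLISTED"  # present in the archive, absent from the manifest
            else:
                status = "OK" if actual == base64.b64decode(expected) else "MISMATCH"
            rows.append((name, ALGS[attr], actual.hex(), status))
    return rows

def build_sample_jar():
    """Constructed sample: one intact entry, one altered after listing, one unlisted."""
    files = {"app/Main.class": b"constructed-1", "lib/dep.jar": b"constructed-2", "extra.txt": b"x"}
    def section(name, data):
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        return "Name: %s\r\nSHA-256-Digest: %s\r\n\r\n" % (name, digest)
    files[MANIFEST] = ("Manifest-Version: 1.0\r\n\r\n" + section("app/Main.class", b"constructed-1")
                       + section("lib/dep.jar", b"bytes-at-signing-time")).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()
```

This compares entry digests only; it does not check the signature over the manifest, which `jarsigner -verify` covers.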

philwebb removed the backlog label Jan 7, 2016

@wilkinsona
Member

Looks like this came up in the AliExpress talk at Spring IO: https://twitter.com/TubbyNL/status/865156761464057856

@philwebb
Member

We're cleaning out the issue tracker and closing issues that we've not seen much demand to fix. Feel free to comment with additional justifications if you feel that this one should not have been closed.
