From aca6f29af869af554938cb08c64db4b75241e9af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=20L=C3=A4ubrich?=
Date: Wed, 2 Nov 2022 09:15:08 +0100
Subject: [PATCH] Disable md5 publishing
Currently all registered checksums are computed and published, but in some cases it might be usefully to be able to verify a checksum but we don't want to publish it. This also includes disabling the md5 checksum, we publish sha-256 > 4 years and warn about md5 > 1 year now so it seems valid to stop publishing it now at all.
---
 .../plugin.xml | 1 +
 .../schema/artifactChecksums.exsd | 7 +++++++
 .../processors/checksum/ChecksumUtilities.java | 10 +++++++++-
 .../tests/artifact/processors/ProduceChecksumTest.java | 4 ++--
 4 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/bundles/org.eclipse.equinox.p2.artifact.repository/plugin.xml b/bundles/org.eclipse.equinox.p2.artifact.repository/plugin.xml
index d1f69692d3..5ec653b41c 100644
--- a/bundles/org.eclipse.equinox.p2.artifact.repository/plugin.xml
+++ b/bundles/org.eclipse.equinox.p2.artifact.repository/plugin.xml
@@ -44,6 +44,7 @@
 algorithm="MD5" id="md5" priority="-2000"
+ publish="false"
 warnInsecure="true">
diff --git a/bundles/org.eclipse.equinox.p2.artifact.repository/schema/artifactChecksums.exsd b/bundles/org.eclipse.equinox.p2.artifact.repository/schema/artifactChecksums.exsd
index 33eadf9813..b0c5b67b85 100644
--- a/bundles/org.eclipse.equinox.p2.artifact.repository/schema/artifactChecksums.exsd
+++ b/bundles/org.eclipse.equinox.p2.artifact.repository/schema/artifactChecksums.exsd
@@ -91,6 +91,13 @@ Set to true if this algorithm is now considered as insecure. A warning will be l
+
+
+
+ Controls if this checksum should be published when assembling a repository.
+
+
+
diff --git a/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/checksum/ChecksumUtilities.java b/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/checksum/ChecksumUtilities.java
index 28a37f6179..7c7f85dfd4 100644
--- a/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/checksum/ChecksumUtilities.java
+++ b/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/checksum/ChecksumUtilities.java
@@ -115,7 +115,7 @@ public static IStatus calculateChecksums(File pathOnDisk, Map ch
 for (IConfigurationElement checksumVerifierConfiguration : ChecksumUtilities .getChecksumComparatorConfigurations()) {
 String id = checksumVerifierConfiguration.getAttribute("id"); //$NON-NLS-1$
- if (checksumsToSkip.contains(id))
+ if (checksumsToSkip.contains(id) || !shouldPublish(checksumVerifierConfiguration))
 // don't calculate checksum if algo is disabled
 continue;
 String algorithm = checksumVerifierConfiguration.getAttribute("algorithm"); //$NON-NLS-1$
@@ -161,6 +161,14 @@ public static IStatus calculateChecksums(File pathOnDisk, Map ch
 return status;
 }
+ private static boolean shouldPublish(IConfigurationElement checksumVerifierConfiguration) {
+ String attribute = checksumVerifierConfiguration.getAttribute("publish"); //$NON-NLS-1$
+ if (attribute == null || attribute.isBlank()) {
+ return true;
+ }
+ return Boolean.parseBoolean(attribute);
+ }
+
 /**
 * @param property either {@link IArtifactDescriptor#ARTIFACT_CHECKSUM} or {@link IArtifactDescriptor#DOWNLOAD_CHECKSUM}
 * @param checksums
diff --git a/bundles/org.eclipse.equinox.p2.tests/src/org/eclipse/equinox/p2/tests/artifact/processors/ProduceChecksumTest.java b/bundles/org.eclipse.equinox.p2.tests/src/org/eclipse/equinox/p2/tests/artifact/processors/ProduceChecksumTest.java
index fdb7d42d70..fd996ea76c 100644
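Review bot: The new `!shouldPublish(...)` test sits inside the public `calculateChecksums` loop, so every caller of that method loses the unpublished algorithms, not only repository assembly. As far as the hunk shows, nothing stops the loop from skipping every registered algorithm and still returning an OK status with an empty `checksums` map. An artifact published with no checksum at all is an integrity regression that would pass silently, so I would check after the loop that at least one checksum was produced and otherwise return a warning or error status. The context comment `// don't calculate checksum if algo is disabled` now also covers the publish case and would read better as `// skip algorithms excluded by the caller or not meant to be published`. The body of calculateChecksums starts and ends outside this hunk, so an existing guard of that kind would not be visible here.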
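Review bot: `shouldPublish` treats a missing or blank `publish` attribute as true but passes everything else to `Boolean.parseBoolean`, so any value other than "true", such as the typo `publish="ture"` or `publish="yes"`, silently turns publishing of that checksum off. For an attribute that decides whether integrity metadata is emitted, an unrecognised value should fail towards publishing: `return !"false".equalsIgnoreCase(attribute.strip());`, ideally with a logged warning when the value is neither "true" nor "false". The method also has no Javadoc. A short one should state that the default is to publish and that, per the commit message, the flag is meant to affect only checksum generation and leave verification untouched.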
--- a/bundles/org.eclipse.equinox.p2.tests/src/org/eclipse/equinox/p2/tests/artifact/processors/ProduceChecksumTest.java
+++ b/bundles/org.eclipse.equinox.p2.tests/src/org/eclipse/equinox/p2/tests/artifact/processors/ProduceChecksumTest.java
@@ -12,6 +12,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import java.io.File;
@@ -39,8 +40,7 @@ public void testChecksums() throws IOException {
 Collections.emptyList());
 assertTrue(status.toString(), status.isOK());
 String md5sum = hashMap.get("md5");
- assertNotNull("MD5 was not computed!", md5sum);
- assertEquals("MD5 mismatch", "25b68bb92a7a77238bd60ad5e21bb91f", md5sum);
+ assertNull("MD5 was computed but should be disabled!", md5sum);
 String sha256sum = hashMap.get("sha-256");
 assertNotNull("SHA256 was not computed!", sha256sum);
 assertEquals("SHA256 mismatch", "39d083c8c75eac51b2c4566cca299b41cc93d5b0313906f5979fbebf1104ff49", sha256sum);
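Review bot: The `assertNull` that replaces the MD5 assertions in `testChecksums` pins only the shipped `publish="false"` entry. Nothing on the new side exercises `shouldPublish` for an absent, blank or malformed attribute. Nothing checks the other half of the commit's claim either, that an artifact whose descriptor carries only an MD5 checksum can still be verified. I would add a verification test for that case, because a regression there would leave older MD5-only repositories either unreadable or accepted without any integrity check. testChecksums begins before this hunk and may continue after it.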