Disable md5 publishing

Currently all registered checksums are computed and published, but in
some cases it might be usefully to be able to verify a checksum but we
don't want to publish it.

This also includes disabling the md5 checksum, we publish sha-256 > 4
years and warn about md5 > 1 year now so it seems valid to stop
publishing it now at all.

bundles/org.eclipse.equinox.p2.artifact.repository/plugin.xml

@@ -44,6 +44,7 @@
         algorithm="MD5"
         id="md5"
         priority="-2000"
+        publish="false"
         warnInsecure="true">
 		</artifactChecksum>
 	</extension>

bundles/org.eclipse.equinox.p2.artifact.repository/schema/artifactChecksums.exsd

@@ -91,6 +91,13 @@ Set to true if this algorithm is now considered as insecure. A warning will be l
                </documentation>
             </annotation>
          </attribute>
+         <attribute name="publish" type="boolean" use="default" value="true">
+            <annotation>
+               <documentation>
+                  Controls if this checksum should be published when assembling a repository.
+               </documentation>
+            </annotation>
+         </attribute>
       </complexType>
    </element>
 

bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/checksum/ChecksumUtilities.java

@@ -115,7 +115,7 @@ public static IStatus calculateChecksums(File pathOnDisk, Map<String, String> ch
 		for (IConfigurationElement checksumVerifierConfiguration : ChecksumUtilities
 				.getChecksumComparatorConfigurations()) {
 			String id = checksumVerifierConfiguration.getAttribute("id"); //$NON-NLS-1$
-			if (checksumsToSkip.contains(id))
+			if (checksumsToSkip.contains(id) || !shouldPublish(checksumVerifierConfiguration))
 				// don't calculate checksum if algo is disabled
 				continue;
 			String algorithm = checksumVerifierConfiguration.getAttribute("algorithm"); //$NON-NLS-1$
@@ -161,6 +161,14 @@ public static IStatus calculateChecksums(File pathOnDisk, Map<String, String> ch
 		return status;
 	}
 
+	private static boolean shouldPublish(IConfigurationElement checksumVerifierConfiguration) {
+		String attribute = checksumVerifierConfiguration.getAttribute("publish"); //$NON-NLS-1$
+		if (attribute == null || attribute.isBlank()) {
+			return true;
+		}
+		return Boolean.parseBoolean(attribute);
+	}
+
 	/**
 	 * @param property either {@link IArtifactDescriptor#ARTIFACT_CHECKSUM} or {@link IArtifactDescriptor#DOWNLOAD_CHECKSUM}
 	 * @param checksums

bundles/org.eclipse.equinox.p2.repository.tools/META-INF/MANIFEST.MF

@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %bundleName
 Bundle-SymbolicName: org.eclipse.equinox.p2.repository.tools;singleton:=true
-Bundle-Version: 2.3.100.qualifier
+Bundle-Version: 2.4.0.qualifier
 Bundle-Activator: org.eclipse.equinox.p2.internal.repository.tools.Activator
 Bundle-Vendor: %providerName
 Bundle-Localization: plugin

bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/p2/repository/artifact/IArtifactDescriptor.java

@@ -81,6 +81,17 @@ public interface IArtifactDescriptor {
 	 */
 	@Deprecated String ARTIFACT_MD5 = "artifact.md5"; //$NON-NLS-1$
 
+	/**
+	 * An artifact descriptor property (value "aartifact.sha-256") indicating the
+	 * SHA256 checksum of the artifact bytes in its native format (after processing
+	 * steps have been applied).
+	 *
+	 * @since 2.4
+	 * @see #ARTIFACT_CHECKSUM
+	 */
+
+	String ARTIFACT_SHA256 = "artifact.sha-256"; //$NON-NLS-1$
+
 	/**
 	 * An artifact descriptor property (value "format") indicating the storage format
 	 * of the artifact in the repository.
@@ -93,7 +104,7 @@ public interface IArtifactDescriptor {
 	 * indicating the storage format is using pack200 compression.
 	 * @see #FORMAT
 	 * @noreference This field is not intended to be referenced by clients.
-	 * 
+	 *
 	 * @deprecated See <a href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=572043">bug</a> for details.
 	 */
 	@Deprecated(forRemoval = true, since = "2.5.0") String FORMAT_PACKED = "packed"; //$NON-NLS-1$

bundles/org.eclipse.equinox.p2.tests/src/org/eclipse/equinox/p2/tests/artifact/processors/ProduceChecksumTest.java

@@ -12,6 +12,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 
 import java.io.File;
@@ -39,8 +40,7 @@ public void testChecksums() throws IOException {
 				Collections.emptyList());
 		assertTrue(status.toString(), status.isOK());
 		String md5sum = hashMap.get("md5");
-		assertNotNull("MD5 was not computed!", md5sum);
-		assertEquals("MD5 mismatch", "25b68bb92a7a77238bd60ad5e21bb91f", md5sum);
+		assertNull("MD5 was computed but should be disabled!", md5sum);
 		String sha256sum = hashMap.get("sha-256");
 		assertNotNull("SHA256 was not computed!", sha256sum);
 		assertEquals("SHA256 mismatch", "39d083c8c75eac51b2c4566cca299b41cc93d5b0313906f5979fbebf1104ff49", sha256sum);

bundles/org.eclipse.equinox.p2.tests/src/org/eclipse/equinox/p2/tests/artifact/repository/CompositeArtifactRepositoryTest.java

@@ -72,6 +72,7 @@
 
 public class CompositeArtifactRepositoryTest extends AbstractProvisioningTest {
 	private static final String COMPARATOR_ID = ArtifactChecksumComparator.COMPARATOR_ID + ".md5";
+	private static final String COMPARATOR_SHA_ID = ArtifactChecksumComparator.COMPARATOR_ID + ".sha-256";
 	private static final String TEST_KEY = "TestKey";
 	private static final String TEST_VALUE = "TestValue";
 	//artifact repository to remove on tear down
@@ -731,7 +732,9 @@ public void testValidate() throws Exception {
 		IArtifactDescriptor descriptor2 = PublisherHelper.createArtifactDescriptor(dupKey, artifact2);
 
 		assertEquals("Ensuring Descriptors are the same", descriptor1, descriptor2);
-		assertNotEquals("Ensuring MD5 values are different", descriptor1.getProperty(IArtifactDescriptor.DOWNLOAD_MD5), descriptor2.getProperty(IArtifactDescriptor.DOWNLOAD_MD5));
+		assertNotEquals("Ensuring SHA256 values are different",
+				descriptor1.getProperty(IArtifactDescriptor.ARTIFACT_SHA256),
+				descriptor2.getProperty(IArtifactDescriptor.ARTIFACT_SHA256));
 
 		//Setup make repositories
 		File repo1Location = getTestFolder(getUniqueString());
@@ -758,7 +761,7 @@ public void testValidate() throws Exception {
 
 		//validate using the MD5 Comparator
 		ArtifactRepositoryValidator validator = new ArtifactRepositoryValidator(
-				COMPARATOR_ID);
+				COMPARATOR_SHA_ID);
 		assertFalse("Running verify on invalid repository", validator.validateComposite(compRepo).isOK());
 	}
 

bundles/org.eclipse.equinox.p2.tests/src/org/eclipse/equinox/p2/tests/publisher/ChecksumGenerationTest.java

@@ -38,8 +38,8 @@ public class ChecksumGenerationTest extends AbstractProvisioningTest {
 
 	@Parameters
 	public static Collection<Object[]> generateChecksums() {
-		return Arrays.asList(new Object[][] {{IArtifactDescriptor.DOWNLOAD_MD5, "50d4ea58b02706ab373a908338877e02"},
-			{IArtifactDescriptor.DOWNLOAD_CHECKSUM.concat(".md5"), "50d4ea58b02706ab373a908338877e02"},
+		return Arrays.asList(new Object[][] { { IArtifactDescriptor.DOWNLOAD_MD5, null },
+				{ IArtifactDescriptor.DOWNLOAD_CHECKSUM.concat(".md5"), null },
 			{IArtifactDescriptor.DOWNLOAD_CHECKSUM.concat(".sha-256"), "11da2dd636ab76f460513cbcbfe8c56a6e5ad47aa9b38b36c6d04f8ee7722252"},
 		});
 	}

bundles/org.eclipse.equinox.p2.tests/src/org/eclipse/equinox/p2/tests/publisher/actions/MD5GenerationTest.java

@@ -7,7 +7,7 @@
  *  https://www.eclipse.org/legal/epl-2.0/
  *
  *  SPDX-License-Identifier: EPL-2.0
- * 
+ *
  *  Contributors:
  *      IBM Corporation - initial API and implementation
  *******************************************************************************/
@@ -24,14 +24,14 @@
 public class MD5GenerationTest extends AbstractProvisioningTest {
 	public void testGenerationFile() {
 		IArtifactDescriptor ad = PublisherHelper.createArtifactDescriptor(new ArtifactKey("classifierTest", "idTest", Version.createOSGi(1, 0, 0)), getTestData("Artifact to generate from", "testData/artifactRepo/simpleWithMD5/plugins/aaPlugin_1.0.0.jar"));
-		assertEquals("50d4ea58b02706ab373a908338877e02", ad.getProperty(IArtifactDescriptor.DOWNLOAD_MD5));
+		assertNull(ad.getProperty(IArtifactDescriptor.DOWNLOAD_MD5));
 	}
 
 	public void testGenerationFile_emptyPublisherInfo() {
 		ArtifactKey key = new ArtifactKey("classifierTest", "idTest", Version.createOSGi(1, 0, 0));
 		IPublisherInfo publisherInfo = new PublisherInfo();
 		IArtifactDescriptor ad = PublisherHelper.createArtifactDescriptor(publisherInfo, key, getTestData("Artifact to generate from", "testData/artifactRepo/simpleWithMD5/plugins/aaPlugin_1.0.0.jar"));
-		assertEquals("50d4ea58b02706ab373a908338877e02", ad.getProperty(IArtifactDescriptor.DOWNLOAD_MD5));
+		assertNull(ad.getProperty(IArtifactDescriptor.DOWNLOAD_MD5));
 	}
 
 	public void testGenerationFile_noMd5() {