[#225] add SHA-512 hashes

[bmarwell]

fixes #225

[olamy]

as long as it doesn't hurt central it's fine

[bmarwell]

as long as it doesn't hurt central it's fine

On the contrary. Looking over at ASF, they require those.

• https://infra.apache.org/release-distribution.html#sigs-and-sums
  • must supply a valid OpenPGP-compatible ASCII-armored detached signature file.
  • must supply at least one checksum file.
  • should supply a SHA-256 and/or SHA-512 checksum file.
  • SHOULD NOT supply a MD5 or SHA-1 checksum file because these are deprecated.
• https://www.apache.org/info/verification.html

Reading this, we even might want to add SHA-256.

[olamy]

as long as it doesn't hurt central it's fine

On the contrary. Looking over at ASF, they require those.

well it's a bit different. Maven Central and Apache have different expectations.
do not confuse maven central and Apache distribution :)
this PR just change what will be uploaded to Maven Central (i.e https://repo1.maven.org/maven2/) this is not an official Apache distribution place.
What is related to https://infra.apache.org/release-distribution.html#sigs-and-sums is the official Apache distribution area which have a mirroring system all over the world and some archive here https://archive.apache.org/.
mojohaus is not part of Apache and do not have to follow the same rules.
what we define here is the publication to Maven central (https://central.sonatype.org/publish/#individual-projects-open-source-software-repository-hosting-ossrh)

• https://infra.apache.org/release-distribution.html#sigs-and-sums

  • must supply a valid OpenPGP-compatible ASCII-armored detached signature file.
  • must supply at least one checksum file.
  • should supply a SHA-256 and/or SHA-512 checksum file.
  • SHOULD NOT supply a MD5 or SHA-1 checksum file because these are deprecated.

• https://www.apache.org/info/verification.html

Reading this, we even might want to add SHA-256.

[bmarwell]

Yes I know. I still think it's a good rule to follow. That's all.