Rebuild Trino from source (#687)

* Build Trino from source

* Build JMX exporter and trino-storage from source

* Build Trino 428 and OPA authorizer from source

* Build Trino 414 from source

* Fix Trino 442 build

* Drop deprecated Trino 428 support

* Drop trino-storage git repo override

It was only used by Trino 428

* Clean up unused dockerfile args

* Update trino/Dockerfile

Co-authored-by: Malte Sander <[email protected]>

* Update trino/Dockerfile

Co-authored-by: Malte Sander <[email protected]>

* Update trino/Dockerfile

Co-authored-by: Malte Sander <[email protected]>

* Update trino/Dockerfile

Co-authored-by: Malte Sander <[email protected]>

* Update trino/Dockerfile

Co-authored-by: Malte Sander <[email protected]>

* Change Trino download script to download sources instead

* Add folder prefix to all source archive files

* Mirror Trino on Nexus

* Merge symlink layers

* POSIX compliance

* Changelog

* Note that Trino 428 is dropped

* Move log4shell env variable back into main Trino image

* Fix bundled plugins not loading correctly

---------

Co-authored-by: Malte Sander <[email protected]>

Author: nightkr

CHANGELOG.md

@@ -43,6 +43,7 @@ All notable changes to this project will be documented in this file.
 - kafka: use java-devel as base layer for the builder stage ([#665])
 - opa-bundle-builder: Bump image to 1.1.2 ([#666])
 - opa: Build from source ([#676])
+- trino: Build from source ([#687]).
 - spark: Build from source ([#679])
 
 ### Fixed
@@ -60,6 +61,7 @@ All notable changes to this project will be documented in this file.
 
 - zookeeper: Remove unsupported version 3.9.1 ([#628]).
 - java-base: Remove openjdk-devel rpm package again to reduce the vulnerability surface ([#665])
+- trino: Remove unsupported version 428 ([#687]).
 
 [#583]: https://github.com/stackabletech/docker-images/pull/583
 [#611]: https://github.com/stackabletech/docker-images/pull/611
@@ -88,6 +90,7 @@ All notable changes to this project will be documented in this file.
 [#682]: https://github.com/stackabletech/docker-images/pull/682
 [#684]: https://github.com/stackabletech/docker-images/pull/684
 [#685]: https://github.com/stackabletech/docker-images/pull/685
+[#687]: https://github.com/stackabletech/docker-images/pull/687
 [#688]: https://github.com/stackabletech/docker-images/pull/688
 [#696]: https://github.com/stackabletech/docker-images/pull/696
 [#695]: https://github.com/stackabletech/docker-images/pull/695

conf.py

@@ -194,6 +194,14 @@
                 "product": "11",
                 "stackable-base": "1.0.0",
             },
+            {
+                "product": "17",
+                "stackable-base": "1.0.0",
+            },
+            {
+                "product": "21",
+                "stackable-base": "1.0.0",
+            },
         ],
     },
     {
@@ -420,20 +428,15 @@
             {
                 "product": "414",
                 "java-base": "17",
+                "java-devel": "17",
                 "opa_authorizer": "stackable0.2.0",
                 "jmx_exporter": "0.20.0",
-                "storage_connector": "414",
-            },
-            {
-                "product": "428",
-                "java-base": "17",
-                "opa_authorizer": "stackable0.3.0",
-                "jmx_exporter": "0.20.0",
-                "storage_connector": "428-jackson",
+                "storage_connector": "413",
             },
             {
                 "product": "442",
                 "java-base": "21",
+                "java-devel": "21",
                 "jmx_exporter": "0.20.0",
                 "storage_connector": "442",
                 "opa_authorizer": "",

trino/Dockerfile

@@ -4,15 +4,102 @@
 # Ignoring DL4006 globally because we inherit the SHELL from our base image
 # hadolint global ignore=DL3038,DL4006
 
-FROM stackable/image/java-base
+# Not tagging base image because it is built as part of the same process
+# hadolint ignore=DL3006
+FROM stackable/image/java-devel AS storage-connector-builder
+
+ARG STORAGE_CONNECTOR
+
+WORKDIR /stackable
+
+RUN curl --fail -L "https://repo.stackable.tech/repository/packages/trino-storage/trino-storage-${STORAGE_CONNECTOR}-src.tar.gz" | tar -xzC .
+RUN --mount=type=cache,target=/root/.m2/repository cd trino-storage-${STORAGE_CONNECTOR}-src && \
+    # Upstream builds are marked as -SNAPSHOT, even for release builds
+    mvn versions:set -DnewVersion=${STORAGE_CONNECTOR} && \
+    mvn package -DskipTests -Dmaven.gitcommitid.skip=true
+
+# # TODO: remove the OPA authorizer builder once Trino versions 414 and 428 are removed
+# Not tagging base image because it is built as part of the same process
+# hadolint ignore=DL3006
+FROM stackable/image/java-devel AS opa-authorizer-builder
+
+ARG PRODUCT
+ARG OPA_AUTHORIZER
+
+WORKDIR /stackable
+
+RUN if [ -n "${OPA_AUTHORIZER}" ]; then \
+        curl --fail -L "https://repo.stackable.tech/repository/packages/trino-opa-authorizer/trino-opa-authorizer-${PRODUCT}-${OPA_AUTHORIZER}-src.tar.gz" | tar -xzC .; \
+    fi
+RUN --mount=type=cache,target=/root/.m2/repository if [ -n "${OPA_AUTHORIZER}" ]; then \
+        cd trino-opa-authorizer-${PRODUCT}-${OPA_AUTHORIZER}-src && \
+        mvn package -DskipTests; \
+    fi
+
+# Create an empty dummy plugin folder for newer versions that don't need the plugin anymore
+RUN mkdir -p trino-opa-authorizer-${PRODUCT}-${OPA_AUTHORIZER}-src/target/out
+
+# Not tagging base image because it is built as part of the same process
+# hadolint ignore=DL3006
+FROM stackable/image/java-devel AS builder
 
 ARG PRODUCT
 # External OPA authorizer only required for 414 and 428, included in 438
 # The `OPA_AUTHORIZER` is not set in the conf.py for version 438 to remove the ARG as soon as 414 and 428 are removed
 ARG OPA_AUTHORIZER
+ARG STORAGE_CONNECTOR
+
+WORKDIR /stackable
+
+RUN curl --fail -L "https://repo.stackable.tech/repository/packages/trino-server/trino-server-${PRODUCT}-src.tar.gz" | tar -xzC .
+RUN --mount=type=cache,target=/root/.m2/repository cd "trino-server-${PRODUCT}-src" && \
+    mvn package -DskipTests -Dmaven.gitcommitid.skip=true --projects="!docs"
+RUN tar -xzf /stackable/trino-server-${PRODUCT}-src/core/trino-server/target/trino-server-${PRODUCT}.tar.gz -C /stackable && \
+    chown --recursive stackable /stackable/trino-server-${PRODUCT}
+
+COPY --from=storage-connector-builder /stackable/trino-storage-${STORAGE_CONNECTOR}-src/target/trino-storage-${STORAGE_CONNECTOR} /stackable/trino-server-${PRODUCT}/plugin/trino-storage-${STORAGE_CONNECTOR}
+# # TODO: remove the following COPY statement once Trino versions 414 and 428 are removed
+COPY --from=opa-authorizer-builder /stackable/trino-opa-authorizer-${PRODUCT}-${OPA_AUTHORIZER}-src/target/out /stackable/trino-server-${PRODUCT}/plugin/trino-opa-authorizer-${PRODUCT}-${OPA_AUTHORIZER}
+# We have no way to copy a folder conditionally, so delete the opa authorizer folder if no version is selected
+# Otherwise Trino will crash since empty plugin folders are not allowed
+RUN [ -n "${OPA_AUTHORIZER}" ] || rmdir /stackable/trino-server-${PRODUCT}/plugin/trino-opa-authorizer-${PRODUCT}-${OPA_AUTHORIZER}
+
+# For earlier versions this script removes the .class file that contains the
+# vulnerable code.
+# TODO: This can be restricted to target only versions which do not honor the environment
+#   varible that has been set above but this has not currently been implemented
+COPY shared/log4shell.sh /bin
+RUN /bin/log4shell.sh /stackable/trino-server-${PRODUCT}
+
+# Ensure no vulnerable files are left over
+# This will currently report vulnerable files being present, as it also alerts on
+# SocketNode.class, which we do not remove with our scripts.
+# Further investigation will be needed whether this should also be removed.
+COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64
+COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64
+COPY shared/log4shell_scanner /bin/log4shell_scanner
+RUN /bin/log4shell_scanner s /stackable/trino-server-${PRODUCT}
+# ===
+
+# Not tagging base image because it is built as part of the same process
+# hadolint ignore=DL3006
+FROM stackable/image/java-devel AS jmx-exporter-builder
+
+ARG JMX_EXPORTER
+
+WORKDIR /stackable
+
+RUN curl --fail -L "https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus-${JMX_EXPORTER}-src.tar.gz" | tar -xzC .
+RUN --mount=type=cache,target=/root/.m2/repository cd jmx_prometheus-${JMX_EXPORTER}-src && \
+    mvn package
+
+# Not tagging base image because it is built as part of the same process
+# hadolint ignore=DL3006
+FROM stackable/image/java-base
+
+ARG PRODUCT
 ARG JMX_EXPORTER
 ARG RELEASE
-ARG STORAGE_CONNECTOR
 
 LABEL name="Trino" \
       maintainer="[email protected]" \
@@ -38,45 +125,16 @@ WORKDIR /stackable
 COPY --chown=stackable:stackable trino/stackable /stackable
 COPY --chown=stackable:stackable trino/licenses /licenses
 
-RUN curl --fail -L https://repo.stackable.tech/repository/packages/trino-server/trino-server-${PRODUCT}.tar.gz | tar -xzC . && \
-    ln -s /stackable/trino-server-${PRODUCT} /stackable/trino-server
-
-RUN curl --fail https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar \
-    -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar && \
-    chmod +x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar && \
+COPY --from=builder /stackable/trino-server-${PRODUCT} /stackable/trino-server-${PRODUCT}
+COPY --from=jmx-exporter-builder /stackable/jmx_prometheus-${JMX_EXPORTER}-src/jmx_prometheus_javaagent/target/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
+RUN ln -s /stackable/trino-server-${PRODUCT} /stackable/trino-server && \
     ln -s /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx/jmx_prometheus_javaagent.jar
 
-# TODO: remove the following RUN statement once Trino versions 414 and 428 are removed
-RUN if [[ -n ${OPA_AUTHORIZER} ]] ; then \
-        curl --fail -L https://repo.stackable.tech/repository/packages/trino-opa-authorizer/trino-opa-authorizer-${PRODUCT}-${OPA_AUTHORIZER}.tar.gz | tar -xzC /stackable/trino-server/plugin ; \
-    fi
-
-RUN curl --fail https://repo.stackable.tech/repository/packages/trino-storage/trino-storage-${STORAGE_CONNECTOR}.zip -o /tmp/trino-storage-${STORAGE_CONNECTOR}.zip && \
-    unzip /tmp/trino-storage-${STORAGE_CONNECTOR}.zip -d /stackable/trino-server/plugin && \
-    rm -f /tmp/trino-storage-${STORAGE_CONNECTOR}.zip
-
 # ===
 # Mitigation for CVE-2021-44228 (Log4Shell)
 # This variable is supported as of Log4j version 2.10 and
 # disables the vulnerable feature
 ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
 
-# For earlier versions this script removes the .class file that contains the
-# vulnerable code.
-# TODO: This can be restricted to target only versions which do not honor the environment
-#   varible that has been set above but this has not currently been implemented
-COPY shared/log4shell.sh /bin
-RUN /bin/log4shell.sh /stackable/trino-server-${PRODUCT}
-
-# Ensure no vulnerable files are left over
-# This will currently report vulnerable files being present, as it also alerts on
-# SocketNode.class, which we do not remove with our scripts.
-# Further investigation will be needed whether this should also be removed.
-COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64
-COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64
-COPY shared/log4shell_scanner /bin/log4shell_scanner
-RUN /bin/log4shell_scanner s /stackable/trino-server-${PRODUCT}
-# ===
-
 WORKDIR /stackable/trino-server
 CMD ["bin/launcher", "run", "--etc-dir=/stackable/conf"]

trino/upload_new_trino_storage_version.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+VERSION=${1:?"Missing version number argument (arg 1)"}
+NEXUS_USER=${2:?"Missing Nexus username argument (arg 2)"}
+
+read -r -s -p "Nexus Password: " NEXUS_PASSWORD
+echo ""
+
+# https://stackoverflow.com/questions/4632028/how-to-create-a-temporary-directory
+# Find the directory name of the script
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# the temp directory used, within $DIR
+WORK_DIR=$(mktemp -d -p "$DIR")
+
+# check if tmp dir was created
+if [[ ! "$WORK_DIR" || ! -d "$WORK_DIR" ]]; then
+  echo "Could not create temp dir"
+  exit 1
+fi
+
+# deletes the temp directory
+function cleanup {
+  rm -rf "$WORK_DIR"
+}
+
+# register the cleanup function to be called on the EXIT signal
+trap cleanup EXIT
+
+cd "$WORK_DIR" || exit
+
+src_file=trino-storage-$VERSION-src.tar.gz
+
+echo "Downloading Trino Storage"
+# Trino Storage provides no offficial source tarballs, download from Git
+git clone https://github.com/snowlift/trino-storage "trino-storage-${VERSION}" "--branch=v${VERSION}" --depth=1
+
+echo "Archiving Trino Storage"
+git -C "trino-storage-${VERSION}" archive "v${VERSION}" --format=tar.gz --prefix="trino-storage-${VERSION}-src/" > "${src_file}"
+sha256sum "${src_file}" | cut --delimiter=' ' --field=1 > "${src_file}.sha256"
+
+echo "Uploading everything to Nexus"
+EXIT_STATUS=0
+curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "${src_file}" 'https://repo.stackable.tech/repository/packages/trino-storage/' || EXIT_STATUS=$?
+curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "${src_file}.sha256" 'https://repo.stackable.tech/repository/packages/trino-storage/' || EXIT_STATUS=$?
+
+if [ $EXIT_STATUS -ne 0 ]; then
+  echo "ERROR: Upload failed"
+  exit 1
+fi
+
+echo "Successfully uploaded version ${VERSION} of Trino Storage to Nexus"
+echo "https://repo.stackable.tech/service/rest/repository/browse/packages/trino-storage/"

trino/upload_new_trino_version.sh

@@ -30,67 +30,20 @@ trap cleanup EXIT
 
 cd "$WORK_DIR" || exit
 
-bin_file=trino-server-$VERSION.tar.gz
+src_file=trino-server-$VERSION-src.tar.gz
 
-echo "Downloading Trino (this can take a while, it is intentionally downloading from a slow mirror that contains all old versions)"
-curl --fail -LOs "https://repo1.maven.org/maven2/io/trino/trino-server/${VERSION}/${bin_file}"
-curl --fail -LOs "https://repo1.maven.org/maven2/io/trino/trino-server/${VERSION}/${bin_file}.asc"
-curl --fail -LOs "https://repo1.maven.org/maven2/io/trino/trino-server/${VERSION}/${bin_file}.sha1"
+echo "Downloading Trino"
+# Trino provides no offficial source tarballs, download from Git
+git clone https://github.com/trinodb/trino "trino-${VERSION}" "--branch=${VERSION}" --depth=1
 
-# It is probably redundant to check both the checksum and the signature but it's cheap and why not
-echo "Validating SHA1 Checksum"
-if ! (sha1sum "${bin_file}" | cut -d " " -f 1 | diff -Z - "${bin_file}.sha1"); then
-  echo "ERROR: The SHA1 sum does not match"
-  exit 1
-fi
-
-echo "Adding pinned public key for signature"
-# We lock the public key here until trino has a better workflow for signing
-gpg --no-default-keyring --keyring "${WORK_DIR}"/keyring --import <<-EOF
------BEGIN PGP PUBLIC KEY BLOCK-----
-Comment: Hostname:
-Version: Hockeypuck 2.1.0-223-gdc2762b
-
-xsBNBErpKk4BCADmT8y00Y1BcsB6KqEww68wyfH7129Izs2wHikHOEcPQWz2ROrb
-ug16Y+uvJkAzjD1EgJ9t/CSU4JbAT11I7u7oHMYlgtyEg06nAruQlwchs1vMrcPj
-mJ2aK3dOMHmYtiZ2Qq2ZUxnGvv1T+ywOsukV/4idZ1X9Z4qlQTg8jtp7gceRJ3Ct
-yiRoZ4lV+H+dV07dk9gEqiMJyCaf96IT+CIB5Xv6Z1jpKLxOAONzdENa5K9cfI+m
-HflrDmqg6apZ3obwzmEC+88K78A9w/+PK/VgK7OCaCkp816Vr2ej2e0qxpXz1xN4
-gyo/JUEqutf8gMKvmPuU2BnbdoNapf9f8LttABEBAAHNJU1hcnRpbiBUcmF2ZXJz
-byA8bXRyYXZlcnNvQGdtYWlsLmNvbT7CwHgEEwECACIFAkrpKk4CGwMGCwkIBwMC
-BhUIAgkKCwQWAgMBAh4BAheAAAoJEA62n3b9FxU4cVwH/jR9rwRB2uA7+bSuJBCM
-Ak2JWPwo2Ek8RjHb4VMlbKsPDW15nX8JriINesQ5ELecOMVgHKV24Mv31c/2Yh6Y
-SuEuYvauGdtPbREo7evZU/R3r54uCcNaK8ZpLeZQXRMNKKwBUKRnF1G+lRuVvORj
-abkbrUSfIS/cFKFzcCVzKLCbTpbfJ5JJmjulg5p8KpRS2/R63mAn7JRRDuSa1SJQ
-FgerzSoe4/t0GBCusBs8TsnEQ2X4OdQP95nBL3TANwMUupdX9dBa1h8c8gps1Uak
-xRYsbAANoCPfVUUpLT6WpsYk5X28+sXngVK2BJfoaq5zi2ATfQdBHIedRihCQrTk
-VjXOwE0ESukqTgEIAMNTWjnhzQeyUjGvvcuczhiKWj8lPlLCpN8AF168PNQDFoDC
-Uxdi7S5OKiwwDxm1cUy/gbij6qLazIAgSBRrW5C4dNK+SIAcgtNfLbT5Z/4mlOfg
-ErYH+lAxCNO3k+AzfVU/n0ZShhEuNhVgHc8pDiI/MXCZZKsAJxPFVu7pxiEM7LdT
-sSunzM/jZDrfIU7KBjZdlz0FK8L624+tAJD7WomQ8Ddx3MpOju+ShpP3YqddU0Hx
-jjP1eGkcZibJzKmByQw0r5WX9ePFJ0K86ovWNKTcnDJbUEwhq2s/lJsIsvbcbNaI
-LaOTEiQI2EBy0OB72zrvUcw0Xwaipft0BCwUIN0AEQEAAcLAXwQYAQIACQUCSukq
-TgIbDAAKCRAOtp92/RcVOBcYB/9KXC+CV3GBFZNViBJdPAzGFD5FIcr83riwy2RK
-cbehekBjETfLjSfNzB60HnAeU/l+vIOTsLLu1dk0XehG6Laq4325kIZGmRIIqIzZ
-qMNG/DLmqMwicSnbw+4hJLU6GQdLNXu0fGDjK4NuZ0yRur0e2JHbgKNgFDnttJx/
-ER6Q1SfaIKZSKSd46EFYX2f63Uu7w+yIgvpQCaRUG7Lqz7NJVxxCiF+qRdVEY2E3
-hhyG1DGAMMXETV2Hp7SoBmQjAqqwAy1aLwyyNgn1Ft38T+6/IBMGQHMnBcWfOd41
-LoKR7XroVADNIdggJawYzZNyU6clw/O1if5vSURumLeul13T
-=p7ZF
------END PGP PUBLIC KEY BLOCK-----
-EOF
-
-echo "Validating signature"
-if ! (gpgv --keyring "${WORK_DIR}"/keyring "${bin_file}.asc" "${bin_file}" 2> /dev/null); then
-  echo "ERROR: The signature could not be verified"
-  exit 1
-fi
+echo "Archiving Trino"
+git -C "trino-${VERSION}" archive "${VERSION}" --format=tar.gz --prefix="trino-server-${VERSION}-src/" > "${src_file}"
+sha256sum "${src_file}" | cut --delimiter=' ' --field=1 > "${src_file}.sha256"
 
 echo "Uploading everything to Nexus"
 EXIT_STATUS=0
-curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "${bin_file}" 'https://repo.stackable.tech/repository/packages/trino-server/' || EXIT_STATUS=$?
-curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "${bin_file}.asc" 'https://repo.stackable.tech/repository/packages/trino-server/' || EXIT_STATUS=$?
-curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "${bin_file}.sha1" 'https://repo.stackable.tech/repository/packages/trino-server/' || EXIT_STATUS=$?
+curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "${src_file}" 'https://repo.stackable.tech/repository/packages/trino-server/' || EXIT_STATUS=$?
+curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "${src_file}.sha256" 'https://repo.stackable.tech/repository/packages/trino-server/' || EXIT_STATUS=$?
 
 if [ $EXIT_STATUS -ne 0 ]; then
   echo "ERROR: Upload failed"

upload_new_jmx_exporter_version.sh

@@ -21,20 +21,28 @@ fi
 
 # deletes the temp directory
 function cleanup {
-  rm -rf "$WORK_DIR"
+    rm -rf "$WORK_DIR"
 }
 
 # register the cleanup function to be called on the EXIT signal
 trap cleanup EXIT
 
 cd "$WORK_DIR" || exit
 
+src_file=jmx_prometheus-$VERSION-src.tar.gz
+
 # JMX Exporter does not currently publish signatures or SBOMs (as of 2023-07-24, latest version at this point 0.19.0)
 echo "Downloading JMX Exporter"
-curl --fail -LOs "https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/$VERSION/jmx_prometheus_javaagent-$VERSION.jar"
+# JMX Exporter provides no offficial source tarballs, download from Git
+git clone https://github.com/prometheus/jmx_exporter "jmx_prometheus-${VERSION}" "--branch=${VERSION}" --depth=1
+
+echo "Archiving JMX Exporter"
+git -C "jmx_prometheus-${VERSION}" archive "${VERSION}" --format=tar.gz --prefix="jmx_prometheus-${VERSION}-src/" > "${src_file}"
+sha256sum "${src_file}" | cut --delimiter=' ' --field=1 > "${src_file}.sha256"
 
 echo "Uploading to Nexus"
-curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "jmx_prometheus_javaagent-$VERSION.jar" 'https://repo.stackable.tech/repository/packages/jmx-exporter/'
+curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "${src_file}" 'https://repo.stackable.tech/repository/packages/jmx-exporter/'
+curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "${src_file}.sha256" 'https://repo.stackable.tech/repository/packages/jmx-exporter/'
 
 echo "Successfully uploaded new version of JMX Exporter ($VERSION) to Nexus"
 echo "https://repo.stackable.tech/service/rest/repository/browse/packages/jmx-exporter/"