Use sha256 checksums to verify maven dependencies (#2998)

Use sha256 checksums to verify maven dependencies.

.mvn/maven.config

@@ -3,6 +3,6 @@
 -Daether.trustedChecksumsSource.summaryFile.basedir=${session.rootDirectory}/.mvn/checksums/
 # post processor: trusted checksums
 -Daether.artifactResolver.postProcessor.trustedChecksums=true
--Daether.artifactResolver.postProcessor.trustedChecksums.checksumAlgorithms=SHA-512
+-Daether.artifactResolver.postProcessor.trustedChecksums.checksumAlgorithms=SHA-256
 -Daether.artifactResolver.postProcessor.trustedChecksums.failIfMissing=true
 -Daether.artifactResolver.postProcessor.trustedChecksums.snapshots=false

BUILD.md

@@ -86,9 +86,14 @@ The API doc is generated via slate and hosted on github pages. To make a change
 
 ## Updating Eclair dependencies checksums
 
-Eclair dependencies (including maven plugins and their dependencies) are verified against a list of trusted checksums (located in `.mvn/checksums/checksums-central.sha512`).
+Eclair dependencies (including maven plugins and their dependencies) are verified against a list of trusted checksums (located in `.mvn/checksums/checksums-central.sha256`).
 Please note that dependencies are verified only if they are actually used in the build phase that is running, so you may be able to modify the checksum of a dependency 
 and still run a successful build phase that does not use them (for example you can modify the checksum of a `maven-deploy-plugin` dependency and still run `./mvnw test` successfully).
 To make local development and testing easier, SNAPSHOT dependencies are not verified.
 
-To upgrade a dependency or add a new one you must update this list by running maven with the following option: `-Daether.artifactResolver.postProcessor.trustedChecksums.record`.
+To re-create the trusted checksums file, run:
+
+```shell
+$ rm ~/.m2/wrapper ~/.sbt -rf
+$ ./mvnw clean install scoverage:report -DskipTests -Daether.artifactResolver.postProcessor.trustedChecksums.record
+```