Posted to users@archiva.apache.org by Wendy Smoak <ws...@gmail.com> on 2010/08/31 00:11:36 UTC
GPG signature verification on proxied artifacts?
Can Archiva verify GPG signatures on proxied artifacts? It would be
like http://jira.codehaus.org/browse/MRM-212 but for GPG signatures.
I can only find the reference docs for "GPG Signature Consumers"
http://archiva.apache.org/ref/1.3.1/archiva-base/archiva-consumers/archiva-signature-consumers/
. What are these for?
--
Wendy
Re: GPG signature verification on proxied artifacts?
Posted by Brett Porter <br...@apache.org>.
On 31/08/2010, at 8:11 AM, Wendy Smoak wrote:
> Can Archiva verify GPG signatures on proxied artifacts? It would be
> like http://jira.codehaus.org/browse/MRM-212 but for GPG signatures.
Not at this stage. This would be relatively simple to do based on the work I did for Maven some time back, if we decide on the rules around it. You could use a pre-loaded keyring, or you could add servers to retrieve keys from automatically. Once you have a loaded keyring, it's quite straightforward to hook into that mechanism.
If you're interested in some help to implement it, let's discuss on dev@ :)
>
> I can only find the reference docs for "GPG Signature Consumers"
> http://archiva.apache.org/ref/1.3.1/archiva-base/archiva-consumers/archiva-signature-consumers/
> . What are these for?
I think they were for generating missing ones, like the checksums. It's not implemented (and a bit shortsighted, since you don't typically have a key on the server to do so). The module should really be removed.
- Brett
--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
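
The pre-loaded keyring approach mentioned in the reply, as an added example that is not part of the thread and is not Archiva or Maven code: it checks a detached signature with gpgv and applies an acceptance rule to the status output. The rule itself (pinned primary-key fingerprints, rejection of expired or revoked keys) and the names `decide` and `verify_artifact` are assumptions; the sample status lines are constructed.

```python
import subprocess

# Constructed sample data: a made-up fingerprint and status lines in the
# format GnuPG writes to --status-fd. Not taken from any real key.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2010-08-31 1283213496 0 4 0 1 2 00 {FPR}\n"
)
EXPIRED_KEY = GOOD.replace("GOODSIG", "EXPKEYSIG")

# Any of these fails the artifact, even when a VALIDSIG line is also present
# (GnuPG can report VALIDSIG for a signature made by an expired or revoked key).
BLOCKING = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def decide(status_text, trusted_fprs):
    """Assumed rule: accept only a valid signature from a pinned primary key."""
    trusted = {f.upper() for f in trusted_fprs}
    signer = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        keyword, *args = line.split()[1:] or [""]
        if keyword in BLOCKING:
            return False, keyword
        if keyword == "VALIDSIG" and args:
            # Field 10 is the primary key fingerprint; fall back to field 1.
            signer = (args[9] if len(args) >= 10 else args[0]).upper()
    if signer is None:
        return False, "NO_VALIDSIG"  # unsigned, or gpgv produced no verdict
    if signer not in trusted:
        return False, "UNTRUSTED_KEY"
    return True, signer


def verify_artifact(artifact, signature, keyring, trusted_fprs):
    """Check a detached .asc with gpgv against the pre-loaded keyring file."""
    proc = subprocess.run(
        ["gpgv", "--keyring", keyring, "--status-fd", "1", signature, artifact],
        capture_output=True, text=True,
    )
    return decide(proc.stdout, trusted_fprs)
```

Pass `keyring` as a path containing a slash; gpgv resolves a bare file name relative to its home directory.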