Posted to users@maven.apache.org by "Mark R. Diggory" <md...@latte.harvard.edu> on 2004/01/30 15:34:30 UTC

Re: question re. signature plugin

I'm going to forward this to the maven list as well so others know the 
details.

The signature plugin I was working on earlier in the week is based on 
the BouncyCastle OpenPGP API. I've since become convinced that there are a lot 
of headaches in this approach.

1.) Gpg stores its private/public keys in a different file format from the 
one most of these OpenPGP Java implementations use. If most people are 
using/generating their keys in GPG, this is a usability issue that 
creates headaches for them.

2.) Cross-verifying signatures between Gpg, BouncyCastle and Cryptix was 
very disturbing; depending on the algorithm used to generate the key, 
there was a lot of failure.

So, at this point I've come to the conclusion that these OpenPGP Java 
packages are a little too bleeding edge for this. I've settled on 
calling Gpg directly using Ant exec tasks for the time being.

maven.gpg.exec=/usr/bin/gpg

<goal name="gpg:sign">
    <!-- "line" is split on whitespace into separate arguments; "value"
         would hand gpg the single argument "-sb foo.jar" -->
    <ant:exec executable="${maven.gpg.exec}">
       <ant:arg line="-sb ${file}"/>
    </ant:exec>
</goal>

called by %maven gpg:sign -Dfile="foo.jar"

<goal name="gpg:verify">
    <!-- verify a detached signature: gpg --verify <signature> <file> -->
    <ant:exec executable="${maven.gpg.exec}">
       <ant:arg line="--verify ${signature} ${file}"/>
    </ant:exec>
</goal>

called by %maven gpg:verify -Dsignature="foo.jar.gpg" -Dfile="foo.jar"

Ultimately a very trivial wrapper can be written that accepts any gpg 
argument:

  <goal name="gpg:exec">
    <!-- each whitespace-separated token in ${arg} becomes its own
         gpg argument, exactly as typed on the command line -->
    <ant:exec executable="${maven.gpg.exec}">
       <ant:arg line="${arg}"/>
    </ant:exec>
  </goal>

called by %maven gpg:exec -Darg="-sb foo.jar"
called by %maven gpg:exec -Darg="--verify foo.jar.gpg foo.jar"

This will allow the user to work with gpg on Windows or *nix and, by 
configuring these parameters in Maven, set it up to work on their 
system. They use the same commands to exec gpg through Maven/Ant as on 
the command line. Not very brilliant, but I guess it really doesn't need 
to be.

I'll be authoring up a plugin that will have this stuff in it, but for 
now, you could just drop the above into your maven.xml/build.properties.

-Mark

Stephen McConnell wrote:
> 
> Hi Mark:
> 
> I finally have gpg installed on my windows box and able to sign jars - 
> and now I want to tie this into the build process I'm using for the 
> Merlin project.  What's the status of your plugin?
> 
> Cheers, Steve.
> 

-- 
Mark Diggory
Software Developer
Harvard MIT Data Center
http://www.hmdc.harvard.edu
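As an added example (not part of Mark's mail or of the plugin he describes): the two gpg invocations the gpg:sign and gpg:verify goals wrap, run end to end in a private GNUPGHOME against a throwaway key, followed by the check a release engineer wants before trusting the wrapper, namely that the detached signature is rejected once the artifact is modified. It assumes gpg 2.x on PATH; the key identity and the stand-in for foo.jar are constructed here. Note that `-sb` writes the detached signature to `<file>.sig` by default, so that is the name passed to `--verify`.

```shell
#!/bin/sh
# Added example, not from the original mail: exercise "gpg -sb FILE" and
# "gpg --verify SIG FILE" (the commands the maven.xml goals wrap) against a
# throwaway key, then confirm a tampered artifact fails verification.
# Assumes gpg 2.x; the user-id and file contents below are constructed.

# Sign FILE with a detached binary signature; gpg writes FILE.sig by default.
gpg_sign_detached() {
    gpg --batch --yes --pinentry-mode loopback --passphrase '' -sb "$1" 2>/dev/null
}

# Verify detached signature SIG over FILE; prints "good" or "bad", always returns 0.
gpg_verify_detached() {
    if gpg --batch --verify "$1" "$2" >/dev/null 2>&1; then
        echo good
    else
        echo bad
    fi
}

# End-to-end check. Prints "ok" when a fresh signature verifies and the same
# signature is rejected after the artifact changes; "skipped" if gpg is absent.
sign_and_verify_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }

    workdir=$(mktemp -d)
    GNUPGHOME="$workdir/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # Throwaway signing key: constructed identity, no passphrase, never expires.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Maven Test <maven-test@example.invalid>' default default never \
        >/dev/null 2>&1 || { echo keygen-failed; return 0; }

    # Constructed stand-in for foo.jar.
    jar="$workdir/foo.jar"
    printf 'PK\003\004 constructed jar bytes\n' > "$jar"

    gpg_sign_detached "$jar"
    first=$(gpg_verify_detached "$jar.sig" "$jar")

    # Modify the artifact after signing: the detached signature must no longer match.
    printf 'x' >> "$jar"
    second=$(gpg_verify_detached "$jar.sig" "$jar")

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$workdir"
    unset GNUPGHOME

    if [ "$first" = good ] && [ "$second" = bad ]; then
        echo ok
    else
        echo "unexpected: $first/$second"
    fi
}

sign_and_verify_demo
```

Run it as a plain script; it prints "ok" on a working gpg install. The isolated GNUPGHOME keeps the throwaway key out of the user's real keyring, which is also the pattern to use in a CI job so that a build never depends on (or pollutes) a developer's personal keys.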
