Posted to users@maven.apache.org by "Mark R. Diggory" <md...@latte.harvard.edu> on 2004/01/30 15:34:30 UTC
Re: question re. signature plugin
I'm going to forward this to the maven list as well so others know the
details.
The signature plugin I was working on earlier in the week is based on
the BouncyCastle OpenPGP API. I'm since convinced that there are a lot
of headaches in this approach.
1.) Gpg stores its private/public keys in a different file format than
most of these OpenPGP Java implementations use. If most people are
using/generating their keys in GPG this is a usability issue that
creates headaches for them.
2.) Cross-verifying signatures between Gpg, BouncyCastle and Cryptix was
very disturbing; depending on the algorithm used to generate the key
there was a lot of failure.
So, at this point I've come to the conclusion that these OpenPGP Java
packages are a little too bleeding edge for this. I've settled on
calling Gpg directly using ant exec tasks for the time being.
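
maven.gpg.exec=/usr/bin/gpg

<goal name="gpg:sign">
  <!-- failonerror stops the build when gpg exits non-zero -->
  <ant:exec executable="${maven.gpg.exec}" failonerror="true">
    <!-- one ant:arg per argument; value="-sb ${file}" would reach gpg as a single word -->
    <ant:arg value="-sb"/>
    <ant:arg value="${file}"/>
  </ant:exec>
</goal>

called by %maven gpg:sign -Dfile="foo.jar"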
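
<goal name="gpg:verify">
  <!-- failonerror makes a failed verification fail the build -->
  <ant:exec executable="${maven.gpg.exec}" failonerror="true">
    <ant:arg value="--verify"/>
    <ant:arg value="${signature}"/>
    <ant:arg value="${file}"/>
  </ant:exec>
</goal>

called by %maven gpg:verify -Dsignature="foo.jar.gpg" -Dfile="foo.jar"
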
Ultimately a very trivial wrapper can be written that accepts any gpg
argument:

<goal name="gpg:exec">
  <ant:exec executable="${maven.gpg.exec}" failonerror="true">
    <!-- line= splits ${arg} on whitespace into separate gpg arguments -->
    <ant:arg line="${arg}"/>
  </ant:exec>
</goal>

called by %maven gpg:exec -Darg="-sb foo.jar"
called by %maven gpg:exec -Darg="--verify foo.jar.gpg foo.jar"

This will allow the user to work with gpg on windows or *nix and by
configuring these parameters in maven, set it up to work on their
system. They use the same commands to exec gpg through maven/ant as on
the command line. Not very brilliant, but I guess it really doesn't need
to be.
I'll be authoring up a plugin that will have this stuff in it, but for
now, you could just drop the above into your maven.xml/build.properties.
-Mark
Stephen McConnell wrote:
>
> Hi Mark:
>
> I finally have gpg installed on my windows box and able to sign jars -
> and now I want to tie this into the build process I'm using for the
> Merlin project. What's the status of your plugin?
>
> Cheers, Steve.
>
--
Mark Diggory
Software Developer
Harvard MIT Data Center
http://www.hmdc.harvard.edu
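
Building on the gpg:verify goal in the message above, an added example (not part of the original post or of any Maven plugin): a shell wrapper that decides a detached-signature check from gpg's `--status-fd` lines and a pinned fingerprint, so a valid signature from some other key in the keyring does not pass. The `GPG` variable, the function names and the sample status lines are assumptions constructed for illustration; the VALIDSIG field layout is the one GnuPG 2.x prints.

```shell
#!/bin/sh
# Added example: verify a detached signature and pin the signer's fingerprint.

# check_status EXPECTED_FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only when a VALIDSIG line
# names EXPECTED_FPR as the signing-key fingerprint (first field) or the
# primary-key fingerprint (last field) and no line reports a bad, unverifiable,
# expired-key or revoked-key signature.
check_status() {
    expected=$1
    [ -n "$expected" ] || return 2   # refuse to run without a pinned fingerprint
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) { good = 1 }
        END { exit ((good && !bad) ? 0 : 1) }
    '
}

# verify_detached SIGNATURE FILE EXPECTED_FPR
# Each argument is passed to gpg as its own word, like the separate ant:arg
# elements. GPG is a hypothetical override that plays the role of maven.gpg.exec.
verify_detached() {
    "${GPG:-gpg}" --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$3"
}

# Constructed sample status output (the fingerprint and key ID are made up).
FPR=0123456789ABCDEF0123456789ABCDEF01234567
GOOD_SAMPLE="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $FPR 2004-01-30 1075476870 0 4 0 17 2 00 $FPR"
BAD_SAMPLE="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>"

# Usage in a build step (fails the step on any mismatch):
#   verify_detached foo.jar.sig foo.jar "$FPR" || exit 1
```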