You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Slawomir Jaranowski (Jira)" <ji...@apache.org> on 2021/03/01 15:45:00 UTC

[jira] [Commented] (MGPG-74) Signing based on InputStream

    [ https://issues.apache.org/jira/browse/MGPG-74?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292972#comment-17292972 ] 

Slawomir Jaranowski commented on MGPG-74:
-----------------------------------------

The spike as new plugin for this issue was done: 
https://github.com/apache/maven-studies/tree/maven-sign-plugin

Based on code from studies new plugin was released:
https://github.com/s4u/sign-maven-plugin

> Signing based on InputStream
> ----------------------------
>
>                 Key: MGPG-74
>                 URL: https://issues.apache.org/jira/browse/MGPG-74
>             Project: Maven GPG Plugin
>          Issue Type: New Feature
>            Reporter: Robert Scholte
>            Priority: Major
>
> The current implementation uses the gpg executable with a set of arguments to sign files. Maven is working on a build/consumer process, where the local pom.xml is not exactly the same as the distributed pom.xml.
> With [FileTransformer|https://maven.apache.org/resolver/apidocs/org/eclipse/aether/transform/FileTransformer.html] any file can be transformed its result should be the signed.
> Based on https://www.openpgp.org/software/developer/ BouncyCastle (MIT Licensed) seems to be preferred option for Java.
> There should be a second implementation of AbstractGpgSigner using this library. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)