You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Slawomir Jaranowski (Jira)" <ji...@apache.org> on 2021/03/01 15:45:00 UTC
[jira] [Commented] (MGPG-74) Signing based on InputStream
[ https://issues.apache.org/jira/browse/MGPG-74?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292972#comment-17292972 ]
Slawomir Jaranowski commented on MGPG-74:
-----------------------------------------
The spike as new plugin for this issue was done:
https://github.com/apache/maven-studies/tree/maven-sign-plugin
Based on code from studies new plugin was released:
https://github.com/s4u/sign-maven-plugin
> Signing based on InputStream
> ----------------------------
>
> Key: MGPG-74
> URL: https://issues.apache.org/jira/browse/MGPG-74
> Project: Maven GPG Plugin
> Issue Type: New Feature
> Reporter: Robert Scholte
> Priority: Major
>
> The current implementation uses the gpg executable with a set of arguments to sign files. Maven is working on a build/consumer process, where the local pom.xml is not exactly the same as the distributed pom.xml.
> With [FileTransformer|https://maven.apache.org/resolver/apidocs/org/eclipse/aether/transform/FileTransformer.html] any file can be transformed its result should be the signed.
> Based on https://www.openpgp.org/software/developer/ BouncyCastle (MIT Licensed) seems to be preferred option for Java.
> There should be a second implementation of AbstractGpgSigner using this library.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)