You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@maven.apache.org by Marshall Schor <ms...@schor.com> on 2008/02/25 01:22:44 UTC
generating checksums and gpg signing
To create md5 and sha1 hashes, and gpg signatures, we added (in a POM
profile that is conditionally activated) some maven things to sign
(using maven-gpg-plugin) and do checksums (using maven-install-plugin,
version 2.2, which has a createChecksum flag).
It isn't quite working right.
The gpg plugin runs during "verify" lifecycle, right before "install" -
in order to put the xxx.asc file into the /target, so "install" can copy
it to the local repo.
The install:install runs after that, and computes the md5 and sha1
checksums on everything, *including the xxx.asc file*.
Unlike the gpg plugin, it does *not* put these files into /target, but
only puts them into the local maven repository.
I see other projects have figured out how to do this so the checksums
are not added to the xxx.asc (gpg signature) files. How is this done?
-Marshall
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org
Re: generating checksums and gpg signing
Posted by Dennis Lundberg <de...@apache.org>.
Marshall Schor wrote:
> To create md5 and sha1 hashes, and gpg signatures, we added (in a POM
> profile that is conditionally activated) some maven things to sign
> (using maven-gpg-plugin) and do checksums (using maven-install-plugin,
> version 2.2, which has a createChecksum flag).
>
> It isn't quite working right.
> The gpg plugin runs during "verify" lifecycle, right before "install" -
> in order to put the xxx.asc file into the /target, so "install" can copy
> it to the local repo.
>
> The install:install runs after that, and computes the md5 and sha1
> checksums on everything, *including the xxx.asc file*.
> Unlike the gpg plugin, it does *not* put these files into /target, but
> only puts them into the local maven repository.
>
> I see other projects have figured out how to do this so the checksums
> are not added to the xxx.asc (gpg signature) files. How is this done?
The next version of maven-install-plugin will have a fix for this:
http://jira.codehaus.org/browse/MINSTALL-48
> -Marshall
--
Dennis Lundberg
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org