Posted to issues@maven.apache.org by "Herve Boutemy (Jira)" <ji...@apache.org> on 2023/04/29 09:22:00 UTC

[jira] [Created] (MNG-7776) don't fingerprint Sigstore signatures (like GPG)

Herve Boutemy created MNG-7776:
----------------------------------

             Summary: don't fingerprint Sigstore signatures (like GPG)
                 Key: MNG-7776
                 URL: https://issues.apache.org/jira/browse/MNG-7776
             Project: Maven
          Issue Type: Improvement
    Affects Versions: 4.0.0-alpha-5, 3.9.1
            Reporter: Herve Boutemy
            Assignee: Herve Boutemy


The Maven repository format requires .md5 and .sha1 fingerprints/checksums for every artifact: https://maven.apache.org/repository/layout.html

A GPG signature (.asc) is not considered an artifact, and it does not require these fingerprints.

While working on Sigstore support in addition to GPG, the same should be done for Sigstore signatures: no fingerprint for .sigstore files (like no GPG signature for Sigstore signature: see GPG-86)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
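
An added example, not part of the original message and not Maven code: a small audit of a repository directory tree that applies the rule described in the issue, requiring .md5 and .sha1 for every artifact while treating .asc and .sigstore files as signatures that need none. The function names, the finding labels and the sample tree are assumptions constructed for illustration, and the .sigstore exclusion assumes the behaviour proposed here is adopted.

```python
import hashlib
import tempfile
from pathlib import Path

CHECKSUM_EXTS = {".md5": "md5", ".sha1": "sha1"}  # checksums the repository layout requires
SIGNATURE_EXTS = {".asc", ".sigstore"}            # .sigstore: the exclusion proposed in this issue

def audit_repository(root):
    """Return (relative_path, problem) findings for a repository directory tree."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix in CHECKSUM_EXTS:
            # "x.jar.asc.sha1" -> "x.jar.asc": a checksum written for a signature
            if path.with_suffix("").suffix in SIGNATURE_EXTS:
                findings.append((rel, "checksum of a signature file"))
            continue
        if path.suffix in SIGNATURE_EXTS:
            continue  # signatures are not artifacts, so no checksum is expected
        data = path.read_bytes()
        for ext, algo in CHECKSUM_EXTS.items():
            side = path.with_name(path.name + ext)
            if not side.exists():
                findings.append((rel, f"missing {ext}"))
                continue
            # Some tools write "<digest>  <filename>"; only the first token is the digest.
            recorded = side.read_text().split()
            if not recorded or recorded[0].lower() != hashlib.new(algo, data).hexdigest():
                findings.append((rel, f"{ext} mismatch"))
    return findings

def demo():
    """Build a constructed sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp, "com/example/lib/1.0")
        d.mkdir(parents=True)
        def put(name, data, exts=()):
            (d / name).write_bytes(data)
            for ext in exts:
                digest = hashlib.new(CHECKSUM_EXTS[ext], data).hexdigest()
                (d / (name + ext)).write_text(digest)
        put("lib-1.0.jar", b"constructed jar bytes", (".md5", ".sha1"))
        put("lib-1.0.pom", b"<project/>", (".sha1",))              # .md5 left out on purpose
        put("lib-1.0.jar.asc", b"constructed signature")           # no checksums needed
        put("lib-1.0.jar.sigstore", b"constructed bundle", (".sha1",))  # fingerprinted anyway
        return audit_repository(tmp)

if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{problem}: {rel}")
```

The .md5 and .sha1 files only detect corruption of the file they sit beside; the .asc and .sigstore files are what carry the authenticity claim.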