You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Herve Boutemy (Jira)" <ji...@apache.org> on 2023/04/29 09:22:00 UTC
[jira] [Created] (MNG-7776) don't fingerprint Sigstore signatures (like GPG)
Herve Boutemy created MNG-7776:
----------------------------------
Summary: don't fingerprint Sigstore signatures (like GPG)
Key: MNG-7776
URL: https://issues.apache.org/jira/browse/MNG-7776
Project: Maven
Issue Type: Improvement
Affects Versions: 4.0.0-alpha-5, 3.9.1
Reporter: Herve Boutemy
Assignee: Herve Boutemy
Maven repository format requires .md5 and .sha1 fingerprints/checksums for every artifact: https://maven.apache.org/repository/layout.html
.GPG signature (.asc) is not considered as an artifact, and it does not require these fingerprints
While working on Sigstore support in addition to GPG, the same should be done for Sigstore signatures: no fingerprint for .sigstore files (like no GPG signature for Sigstore signature: see GPG-86)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)