On Sat, Feb 29, 2020 at 2:55 AM Slawomir Jaranowski <[email protected]> wrote:
>
> Hi,
>
> In the Maven world all artifacts have a PGP signature which is created by the current
> maintainer (for some time a PGP signature has been required on Maven Central).
>
> You can verify the signatures of all your dependencies, and you can also track
> which PGP key is used for a specific artifact.
Do typical invocations of Maven actually do this? That is, if the signature of a downloaded artifact doesn't match, does Maven fail the build? If the signature has changed, will Maven fail the build? Or if the signer has changed? If not, is there a switch that can turn this on?

There is a now well-documented third-party plugin to do some of this, but it's not clear exactly how it operates. E.g. how does it find and verify the right public key with which to verify a signature?

https://www.simplify4u.org/pgpverify-maven-plugin/

--
Elliotte Rusty Harold
[email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
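An added example, not from this thread or from the pgpverify plugin, of the decision a signature-verification step has to make once gpg has checked an artifact's `.asc`: parse gpg's machine-readable `--status-fd` output and compare the signing key's fingerprint with a per-artifact pinned map, so that a bad signature, an unpinned signer and a changed signer all fail the build (Maven core itself only checks artifact checksums, not PGP signatures). The coordinates, fingerprints, keys-map layout and status lines below are constructed for the example.

```python
import re
from typing import Dict, Tuple

# Pinned signer per artifact (constructed, hypothetical fingerprints). The
# plugin's keysMap file expresses the same idea; this dict layout is an
# assumption for the example, not the plugin's own format.
KEYS_MAP: Dict[str, Tuple[str, ...]] = {
    "org.example:libfoo": ("0123456789ABCDEF0123456789ABCDEF01234567",),
}

# gpg --status-fd prints "[GNUPG:] VALIDSIG <40-hex fingerprint> <date> ..."
VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")
# Any of these status tokens means the signature must not be trusted.
HARD_FAIL = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")


def check_artifact(coords: str, gpg_status: str) -> Tuple[bool, str]:
    """Return (ok, reason) for one artifact given gpg's status-fd output."""
    fpr = None
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in HARD_FAIL:
            return False, f"{coords}: gpg reported {parts[1]}"
        m = VALIDSIG.match(line)
        if m:
            fpr = m.group(1)
    if fpr is None:
        return False, f"{coords}: no valid signature"
    allowed = KEYS_MAP.get(coords)
    if allowed is None:
        # Unknown signer: refuse rather than silently trust a new key.
        return False, f"{coords}: signer {fpr} is not pinned"
    if fpr not in allowed:
        # The signature is valid but the maintainer key differs from the pin.
        return False, f"{coords}: signer changed to {fpr}"
    return True, f"{coords}: signed by pinned key {fpr}"


# Constructed gpg status samples (real lines carry a few more fields).
GOOD = ("[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer\n"
        "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 "
        "2020-02-29 1582934400 0 4 0 1 8 00\n")
OTHER_KEY = ("[GNUPG:] GOODSIG FEDCBA9876543210 Other Signer\n"
             "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 "
             "2020-02-29 1582934400 0 4 0 1 8 00\n")
BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer\n"
```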
