Hi

I have some experience in case of verifying pgp signatures using Bouncy
Castle during work on my pgpverify-maven-plugin.
So If you would, I can try to help with the sign plugin.

Let me know if you are interested.

niedz., 20 wrz 2020 o 20:38 Robert Scholte <rfscho...@apache.org>
napisał(a):

> With the next release of Maven the current maven-gpg-plugin will become
> useless.
> With the build/consumer pom, the local pom will be different compared to
> the uploaded pom.
> However, the maven-gpg-plugin now uses the pom.xml of the local project.
> (btw, the plugin uses the gpg commandline with a bunch of arguments. The
> stdio is used for passing the passphrase, you cannot stream the file via
> commandline)
>
> In Maven 3.6.x changes have been made to support InputStream next to File.
> This way we don't have to create a backdoor of writing a temporary file,
> which is likely to cause issues with very creative plugin/extension
> writers. Instead we should do in memory signing.
>
> It would make sense to introduce a new plugin, and during a discussion
> with the PMC the idea of maven-sign-plugin was proposed (a much better
> alternative compared to maven-gpg2-plugin)
>
> Dennis Lundberg started a POC based on Apache Common OpenGPG, however, it
> is still in the sandbox[1]
>
> Olivier Lamy already discovered that signing doesn't work with the current
> Maven 3.7.0-SNAPSHOT.
> Before we can even start thinking of an alpha-release, this issue must be
> fixed, because signing is a critical step for sharing artifacts.
>
> I'm still struggling with MNG-6957, but in parallel a few should be able
> to implement this.
>
> Anybody willing to make this work?
>
> thanks,
> Robert
>
> [1] http://commons.apache.org/sandbox/commons-openpgp/
>


-- 
Sławomir Jaranowski
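As an illustration of the in-memory approach Robert describes (stream the artifact into the signer, keep the passphrase in-process instead of on gpg's stdio, never touch a temporary file), here is an added example written for this thread with Bouncy Castle's OpenPGP API; it is not code from the sandbox plugin or from pgpverify-maven-plugin. It assumes the bcpg jar is on the classpath, the "BC" provider is registered, and the caller has already loaded the PGPSecretKey and a PGPPublicKeyRingCollection of trusted keys; the class name InMemoryPgp is hypothetical.

```java
import java.io.*;
import org.bouncycastle.bcpg.*;
import org.bouncycastle.openpgp.*;
import org.bouncycastle.openpgp.operator.jcajce.*;

// Hypothetical helper class; assumes Bouncy Castle bcpg on the classpath and the BC provider registered.
public class InMemoryPgp {

    // Detached, ASCII-armored signature of the artifact stream, produced entirely in memory.
    // The passphrase stays in-process as a char[]; nothing is written to disk or to a child process.
    public static byte[] signDetached(InputStream artifact, PGPSecretKey secretKey, char[] passphrase)
            throws IOException, PGPException {
        PGPPrivateKey privateKey = secretKey.extractPrivateKey(
                new JcePBESecretKeyDecryptorBuilder().setProvider("BC").build(passphrase));
        PGPSignatureGenerator generator = new PGPSignatureGenerator(
                new JcaPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(),
                        HashAlgorithmTags.SHA256).setProvider("BC"));
        generator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
        byte[] buf = new byte[8192];
        for (int n; (n = artifact.read(buf)) > 0; ) {
            generator.update(buf, 0, n);          // hash the artifact as it streams past
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ArmoredOutputStream armored = new ArmoredOutputStream(out);
             BCPGOutputStream bcpg = new BCPGOutputStream(armored)) {
            generator.generate().encode(bcpg);    // the .asc content, in memory
        }
        return out.toByteArray();
    }

    // Verify a detached signature against the artifact stream. The signing key is looked up by the
    // key ID carried in the signature; an unknown key or malformed signature block fails closed.
    public static boolean verifyDetached(InputStream artifact, byte[] armoredSignature,
                                         PGPPublicKeyRingCollection trustedKeys)
            throws IOException, PGPException {
        PGPObjectFactory factory = new PGPObjectFactory(
                PGPUtil.getDecoderStream(new ByteArrayInputStream(armoredSignature)),
                new JcaKeyFingerprintCalculator());
        Object first = factory.nextObject();
        if (!(first instanceof PGPSignatureList) || ((PGPSignatureList) first).isEmpty()) {
            return false;
        }
        PGPSignature signature = ((PGPSignatureList) first).get(0);
        PGPPublicKey key = trustedKeys.getPublicKey(signature.getKeyID());
        if (key == null) {
            return false;                         // signer not in the trusted ring
        }
        signature.init(new JcaPGPContentVerifierBuilderProvider().setProvider("BC"), key);
        byte[] buf = new byte[8192];
        for (int n; (n = artifact.read(buf)) > 0; ) {
            signature.update(buf, 0, n);
        }
        return signature.verify();
    }
}
```

A plugin built this way can sign the consumer pom from the InputStream Maven 3.6.x exposes, rather than the local pom.xml the gpg command line reads from disk.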
