Hi

On the weekend I will have some spare time, so I can do something about it.

My questions:
- is there a git repository, a Jira project for the new plugin
- is anybody working on it now
- what is the progress
- if you want to use Apache Common OpenGPG, I think it should be refreshed first
- is there a git repo for it

On Thu, 24 Sep 2020 at 18:57, Robert Scholte <rfscho...@apache.org> wrote:

> Thanks for the offer.
> Signing is a very delicate process, so I appreciate the extra help.
>
> thanks,
> Robert
> On 21-9-2020 09:14:54, Slawomir Jaranowski <s.jaranow...@gmail.com> wrote:
> Hi
>
> I have some experience with verifying PGP signatures using Bouncy
> Castle during work on my pgpverify-maven-plugin.
> So if you would like, I can try to help with the sign plugin.
>
> Let me know if you are interested.
>
> On Sun, 20 Sep 2020 at 20:38, Robert Scholte wrote:
>
> > With the next release of Maven the current maven-gpg-plugin will become
> > useless.
> > With the build/consumer pom, the local pom will be different compared to
> > the uploaded pom.
> > However, the maven-gpg-plugin now uses the pom.xml of the local project.
> > (btw, the plugin uses the gpg commandline with a bunch of arguments. The
> > stdio is used for passing the passphrase, you cannot stream the file via
> > commandline)
> >
> > In Maven 3.6.x changes have been made to support InputStream next to File.
> > This way we don't have to create a backdoor of writing a temporary file,
> > which is likely to cause issues with very creative plugin/extension
> > writers. Instead we should do in-memory signing.
> >
> > It would make sense to introduce a new plugin, and during a discussion
> > with the PMC the idea of maven-sign-plugin was proposed (a much better
> > alternative compared to maven-gpg2-plugin)
> >
> > Dennis Lundberg started a POC based on Apache Common OpenGPG, however, it
> > is still in the sandbox[1]
> >
> > Olivier Lamy already discovered that signing doesn't work with the current
> > Maven 3.7.0-SNAPSHOT.
> > Before we can even start thinking of an alpha-release, this issue must be
> > fixed, because signing is a critical step for sharing artifacts.
> >
> > I'm still struggling with MNG-6957, but in parallel a few should be able
> > to implement this.
> >
> > Anybody willing to make this work?
> >
> > thanks,
> > Robert
> >
> > [1] http://commons.apache.org/sandbox/commons-openpgp/
> >
>
> --
> Sławomir Jaranowski

--
Sławomir Jaranowski