There is no plugin yet, but I suggest starting with a branch under 
https://github.com/apache/maven-studies before making an official new 
repository.

Let me quote 2 points mentioned by Stephen Connolly, which we still need to 
address:

- If we switch to bouncycastle based, we will now own the key storage. This is 
both good and bad.
  * People who have their keys stored in gpg2 will have a “fun time” extracting 
them... or else we will have to do the dance of extracting them ourselves.
  * If we “own” the key storage, publishing keys to a key registry and 
generating keys may become our problem from the user’s perspective.
  * One of the biggest complaints about publishing on central has been the 
difficulty of gpg signing. New users will likely thank us if we make it easier.

- PGP functionality provider security issues become our problem. Before, users 
could independently upgrade the gpg CLI tooling to work past security issues 
(causing its own issues as CLI options changed from gpg1 to gpg2). With this 
plugin, the pgp provider version will be baked into the pom. How will users be 
able to assure their security team that signatures have been made in the 
version without a security issue?

thanks,
Robert
On 25-9-2020 15:35:01, Slawomir Jaranowski <s.jaranow...@gmail.com> wrote:
Hi

On the weekend I will have some spare time, so I can do something about it
..

My questions:
- is there a git repository and jira project for the new plugin
- is anybody working on it now - what is the progress
- if you want to use Apache Commons OpenPGP, I think it should be refreshed
first - is there a git repo for it


Thu., 24 Sep 2020 at 18:57 Robert Scholte wrote:

> Thanks for the offer.
> Signing is a very delicate process, so I appreciate the extra help.
>
> thanks,
> Robert
> On 21-9-2020 09:14:54, Slawomir Jaranowski wrote:
> Hi
>
> I have some experience in case of verifying pgp signatures using Bouncy
> Castle during work on my pgpverify-maven-plugin.
> So If you would, I can try to help with the sign plugin.
>
> Let me know if you are interested.
>
> Sun., 20 Sep 2020 at 20:38 Robert Scholte wrote:
>
> > With the next release of Maven the current maven-gpg-plugin will become
> > useless.
> > With the build/consumer pom, the local pom will be different compared to
> > the uploaded pom.
> > However, the maven-gpg-plugin now uses the pom.xml of the local project.
> > (btw, the plugin uses the gpg commandline with a bunch of arguments. The
> > stdio is used for passing the passphrase, you cannot stream the file via
> > commandline)
> >
> > In Maven 3.6.x changes have been made to support InputStream next to File.
> > This way we don't have to create a backdoor of writing a temporary file,
> > which is likely to cause issues with very creative plugin/extension
> > writers. Instead we should do in memory signing.
> >
> > It would make sense to introduce a new plugin, and during a discussion
> > with the PMC the idea of maven-sign-plugin was proposed (a much better
> > alternative compared to maven-gpg2-plugin)
> >
> > Dennis Lundberg started a POC based on Apache Commons OpenPGP, however, it
> > is still in the sandbox[1]
> >
> > Olivier Lamy already discovered that signing doesn't work with the current
> > Maven 3.7.0-SNAPSHOT.
> > Before we can even start thinking of an alpha-release, this issue must be
> > fixed, because signing is a critical step for sharing artifacts.
> >
> > I'm still struggling with MNG-6957, but in parallel a few should be able
> > to implement this.
> >
> > Anybody willing to make this work?
> >
> > thanks,
> > Robert
> >
> > [1] http://commons.apache.org/sandbox/commons-openpgp/
> >
>
>
> --
> Sławomir Jaranowski
>


--
Sławomir Jaranowski
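Added illustration (not code from maven-gpg-plugin, the maven-sign-plugin POC, or anyone in this thread) of the in-memory, InputStream-based detached signing Robert describes, using the Bouncy Castle OpenPGP API that Slawomir mentions. It assumes bcpg and bcprov on the classpath, an ASCII-armored secret key export (the "extracting keys from gpg2" step in Stephen's first point) and its passphrase; the class name and method names are hypothetical.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Security;
import java.util.Iterator;
import org.bouncycastle.bcpg.ArmoredOutputStream;
import org.bouncycastle.bcpg.BCPGOutputStream;
import org.bouncycastle.bcpg.HashAlgorithmTags;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.*;
import org.bouncycastle.openpgp.operator.jcajce.*;

/** Hypothetical helper: detached OpenPGP signature without a temporary file. */
public final class InMemorySigner {

    /** Picks the first signing-capable secret key from an armored export
     *  (e.g. the output of `gpg --export-secret-keys --armor`). */
    static PGPSecretKey findSigningKey(InputStream armoredSecretKey) throws Exception {
        PGPSecretKeyRingCollection rings = new PGPSecretKeyRingCollection(
                PGPUtil.getDecoderStream(armoredSecretKey), new JcaKeyFingerprintCalculator());
        Iterator<PGPSecretKeyRing> ringIt = rings.getKeyRings();
        while (ringIt.hasNext()) {
            Iterator<PGPSecretKey> keyIt = ringIt.next().getSecretKeys();
            while (keyIt.hasNext()) {
                PGPSecretKey key = keyIt.next();
                if (key.isSigningKey()) return key;
            }
        }
        throw new PGPException("no signing-capable secret key in key ring");
    }

    /** Streams `artifact` (e.g. the consumer pom as produced by Maven) through the
     *  signer and writes an armored detached signature (.asc content) to `sigOut`. */
    static void signDetached(InputStream artifact, OutputStream sigOut,
                             PGPSecretKey secretKey, char[] passphrase) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Passphrase stays in memory; nothing is handed to a gpg process via stdio.
        PGPPrivateKey privateKey = secretKey.extractPrivateKey(
                new JcePBESecretKeyDecryptorBuilder().setProvider("BC").build(passphrase));
        PGPSignatureGenerator gen = new PGPSignatureGenerator(
                new JcaPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(),
                        HashAlgorithmTags.SHA256).setProvider("BC"));
        gen.init(PGPSignature.BINARY_DOCUMENT, privateKey);
        byte[] buf = new byte[8192];
        for (int n; (n = artifact.read(buf)) >= 0; ) gen.update(buf, 0, n); // hash the stream directly
        // Resources close in reverse order, so the armor trailer is written last.
        try (ArmoredOutputStream armored = new ArmoredOutputStream(sigOut);
             BCPGOutputStream pgpOut = new BCPGOutputStream(armored)) {
            gen.generate().encode(pgpOut);
        }
    }
}
```

The Bouncy Castle version pinned in the plugin's pom is the one that runs this code, which is exactly the "baked into the pom" concern in Stephen's second point.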
