Ok, I don't want to reinvent the wheel, so

How do I get a handle to the project artifacts list, especially the project pom after
transformation, in plugin code?

Some plugin examples pointing to which component I should use to achieve this
would be great.

Fri, 25 Sep 2020 at 17:05 Robert Scholte <rfscho...@apache.org> wrote:

> There is no plugin yet, but I suggest starting with a branch under
> https://github.com/apache/maven-studies before making an official new
> repository.
>
> Let me quote 2 points mentioned by Stephen Connolly, which we still need
> to address:
>
> - If we switch to bouncycastle based, we will now own the key storage.
> This is both good and bad.
>   * People who have their keys stored in gpg2 will have a “fun time”
> extracting them... or else we will have to do the dance of extracting them
> ourselves.
>   * If we “own” the key storage, publishing keys to a key registry and
> generating keys may become our problem from the user’s perspective.
>   * One of the biggest complaints about publishing on central has been the
> difficulty of gpg signing. New users will likely thank us if we make it
> easier.
>
> - PGP functionality provider security issues become our problem. Before,
> users could independently upgrade the gpg CLI tooling to work past security
> issues (causing its own issues as CLI options changed from gpg1 to gpg2).
> With this plugin, the pgp provider version will be baked into the pom. How
> will users be able to assure their security team that signatures have been
> made in the version without a security issue?
>
> thanks,
> Robert
> On 25-9-2020 15:35:01, Slawomir Jaranowski <s.jaranow...@gmail.com> wrote:
> Hi
>
> On the weekend I will have some spare time, so I can do something about
> it...
>
> My questions:
> - is there a git repository and jira project for the new plugin
> - is anybody working on it now - what is the progress
> - if you want to use Apache Commons OpenPGP, I think it should be refreshed
> first - is there a git repo for it
>
>
> Thu, 24 Sep 2020 at 18:57 Robert Scholte wrote:
>
> > Thanks for the offer.
> > Signing is a very delicate process, so I appreciate the extra help.
> >
> > thanks,
> > Robert
> > On 21-9-2020 09:14:54, Slawomir Jaranowski wrote:
> > Hi
> >
> > I have some experience with verifying pgp signatures using Bouncy
> > Castle during work on my pgpverify-maven-plugin.
> > So if you would like, I can try to help with the sign plugin.
> >
> > Let me know if you are interested.
> >
> > Sun, 20 Sep 2020 at 20:38 Robert Scholte
> > wrote:
> >
> > > With the next release of Maven the current maven-gpg-plugin will become
> > > useless.
> > > With the build/consumer pom, the local pom will be different compared to
> > > the uploaded pom.
> > > However, the maven-gpg-plugin now uses the pom.xml of the local project.
> > > (btw, the plugin uses the gpg commandline with a bunch of arguments. The
> > > stdio is used for passing the passphrase, you cannot stream the file via
> > > commandline)
> > >
> > > In Maven 3.6.x changes have been made to support InputStream next to File.
> > > This way we don't have to create a backdoor of writing a temporary file,
> > > which is likely to cause issues with very creative plugin/extension
> > > writers. Instead we should do in-memory signing.
> > >
> > > It would make sense to introduce a new plugin, and during a discussion
> > > with the PMC the idea of maven-sign-plugin was proposed (a much better
> > > alternative compared to maven-gpg2-plugin).
> > >
> > > Dennis Lundberg started a POC based on Apache Commons OpenPGP, however, it
> > > is still in the sandbox[1].
> > >
> > > Olivier Lamy already discovered that signing doesn't work with the current
> > > Maven 3.7.0-SNAPSHOT.
> > > Before we can even start thinking of an alpha-release, this issue must be
> > > fixed, because signing is a critical step for sharing artifacts.
> > >
> > > I'm still struggling with MNG-6957, but in parallel a few should be able
> > > to implement this.
> > >
> > > Anybody willing to make this work?
> > >
> > > thanks,
> > > Robert
> > >
> > > [1] http://commons.apache.org/sandbox/commons-openpgp/
> > >
> >
> >
> > --
> > Sławomir Jaranowski
> >
>
>
> --
> Sławomir Jaranowski
>


-- 
Sławomir Jaranowski
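
The in-memory signing Robert describes (InputStream in, signature out, no temporary file) looks like the following when done with Bouncy Castle. This is an added example written for this thread; it is not code from the proposed maven-sign-plugin, from pgpverify-maven-plugin, or from the Commons OpenPGP sandbox. It assumes the org.bouncycastle:bcpg-jdk15on dependency, that the user has already exported the secret keyring out of gpg (the extraction "dance" Stephen Connolly mentioned), and that the passphrase is supplied by the caller; the class and method names are invented for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Security;
import java.util.Iterator;
import org.bouncycastle.bcpg.ArmoredOutputStream;
import org.bouncycastle.bcpg.BCPGOutputStream;
import org.bouncycastle.bcpg.HashAlgorithmTags;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureGenerator;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;
import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;

/** Added example (hypothetical class, not the plugin's code): detached PGP signing and
 *  verification done entirely in memory with Bouncy Castle. Content is an InputStream,
 *  so a transformed pom held as a byte[] can be signed without a temporary file. */
public final class InMemorySigner {

    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    private final PGPSecretKey secretKey;
    private final char[] passphrase;

    /** keyRing: armored or binary secret keyring (assumption: already exported from gpg,
     *  e.g. with 'gpg --export-secret-keys'); passphrase: protects that secret key. */
    public InMemorySigner(InputStream keyRing, char[] passphrase) throws IOException, PGPException {
        this.secretKey = findSigningKey(keyRing);
        this.passphrase = passphrase;
    }

    /** Picks the first key in the ring that is flagged for signing (primary key or subkey). */
    private static PGPSecretKey findSigningKey(InputStream keyRing) throws IOException, PGPException {
        PGPSecretKeyRingCollection rings = new PGPSecretKeyRingCollection(
                PGPUtil.getDecoderStream(keyRing), new JcaKeyFingerprintCalculator());
        for (Iterator<PGPSecretKeyRing> r = rings.getKeyRings(); r.hasNext(); ) {
            for (Iterator<PGPSecretKey> k = r.next().getSecretKeys(); k.hasNext(); ) {
                PGPSecretKey key = k.next();
                if (key.isSigningKey()) {
                    return key;
                }
            }
        }
        throw new PGPException("keyring contains no signing key");
    }

    /** Streams the content through the signer; returns an ASCII-armored detached signature (.asc). */
    public byte[] signDetached(InputStream content) throws IOException, PGPException {
        PGPPrivateKey privateKey = secretKey.extractPrivateKey(
                new JcePBESecretKeyDecryptorBuilder().setProvider("BC").build(passphrase));
        PGPSignatureGenerator generator = new PGPSignatureGenerator(
                new JcaPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(),
                        HashAlgorithmTags.SHA256).setProvider("BC"));
        generator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
        byte[] buf = new byte[8192];
        for (int n = content.read(buf); n != -1; n = content.read(buf)) {
            generator.update(buf, 0, n);   // hash the artifact bytes as they stream past
        }
        ByteArrayOutputStream signature = new ByteArrayOutputStream();
        try (ArmoredOutputStream armored = new ArmoredOutputStream(signature);
             BCPGOutputStream packets = new BCPGOutputStream(armored)) {
            generator.generate().encode(packets);   // one signature packet, armored
        }
        return signature.toByteArray();
    }

    /** Verifies a detached signature over the content with this signer's own public key. */
    public boolean verifyDetached(InputStream content, byte[] armoredSignature) throws IOException, PGPException {
        JcaPGPObjectFactory factory = new JcaPGPObjectFactory(
                PGPUtil.getDecoderStream(new ByteArrayInputStream(armoredSignature)));
        Object first = factory.nextObject();
        if (!(first instanceof PGPSignatureList) || ((PGPSignatureList) first).isEmpty()) {
            return false;   // not a signature at all
        }
        PGPSignature sig = ((PGPSignatureList) first).get(0);
        PGPPublicKey publicKey = secretKey.getPublicKey();
        if (sig.getKeyID() != publicKey.getKeyID()) {
            return false;   // made by some other key; do not even run the math
        }
        sig.init(new JcaPGPContentVerifierBuilderProvider().setProvider("BC"), publicKey);
        byte[] buf = new byte[8192];
        for (int n = content.read(buf); n != -1; n = content.read(buf)) {
            sig.update(buf, 0, n);
        }
        return sig.verify();
    }
}
```

Inside a Mojo the inputs would come from the injected `MavenProject` (`@Parameter(defaultValue = "${project}", readonly = true)`): `project.getArtifact().getFile()` for the main artifact and each entry of `project.getAttachedArtifacts()` for the side artifacts, opened as a `FileInputStream` and passed to `signDetached`. `project.getFile()` is the local pom.xml, which is exactly the file the thread says no longer matches the uploaded consumer pom, so the transformed pom bytes have to come from wherever Maven exposes them, which is the open question in this mail. For the second concern Robert quotes (which provider version made a signature), a cheap defensive measure is to log `Security.getProvider("BC").getInfo()` next to the key ID at signing time, so the build log records the Bouncy Castle version that was pinned in the plugin pom.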
