Re: Mojo for validating PGP signature

Tue, 22 Jul 2008 02:31:14 -0700

So, I had a look at the code wagon manager code and it looks pretty much as I'd have expected. I was not able to find the WagonOpenPgpSignatureVerifierObserver class. Could you point me to that? 

Thanks.

Brett Porter wrote:

Hi Chad,

2008/7/22 Chad La Joie <[EMAIL PROTECTED]>:

Thanks Brett, this was the info I was looking for.

The repo security work looks like it's a ways out.  Would you be amenable to
a patch to the DefaultWagonManager that did PGP signature validation?  My
current thinking would be to base the code on the bouncycastle PGP support
(so that PGP isn't required to be installed on the system) and offer a set
of maven config properties for locating the keyring, whether the signature
is required, etc.  Famous last words, but it doesn't seem like it should be
too difficult, looking at the existing code.


Actually, this is the approach I already took. If you take a look at
this branch:
http://svn.apache.org/repos/asf/maven/artifact/branches/MNG-2477
it is already implemented.

I'm currently working through the configuration in this branch:
http://svn.apache.org/repos/asf/maven/components/branches/MNG-2477

Are you interested in taking it for a spin? I'm happy to keep
discussing it here, in the JIRA issue, or even better on
[EMAIL PROTECTED]

Thanks,
Brett


Brett Porter wrote:

You might be interested in the work linked from this page:
http://docs.codehaus.org/display/MAVEN/Repository+Security

It would certainly be a useful addition to add a preliminary check
mojo to the existing gpg plugin as well.

The code you are referring to is the DefaultWagonManager in
maven-artifact (maven-artifact-manager in 2.0.x).

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[EMAIL PROTECTED], http://www.switch.ch


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]








--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[EMAIL PROTECTED], http://www.switch.ch


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to