On Tue May 5 2009 7:47:04 am Benjamin Bentmann wrote:
> Daniel Kulp wrote:
> > This is just a warning that the Maven team has just discovered an
> > interaction problem between Maven 2.1 and the maven-gpg-plugin that CAN
> > result in the signatures for the installed/deployed poms being invalid.
> > Signatures for the other artifacts (jars, wars, etc..) are unaffected and
> > not all poms are affected.
>
> I guess you mean the new VersionExpressionTransformation that has been
> added for MNG-3057 and resolves version properties on-the-fly in the POM
> during installation?

Yep. That's the issue. Basically, if the installer/deployer does anything to modify/generate files, that will affect GPG and is probably not a good idea. Longer term, we probably need to find a better way to deal with this situation to make sure any files are properly generated earlier so gpg and others can properly validate/sign them. Personally, I'd love to see a "pre-install" phase where GPG could properly live and a semi-official "don't generate/modify anything after that phase" kind of policy put in place. Obviously, that's not really a 2.0.x/2.1.x type option though. :-(

> > Thus, at this point, it's advisable to either use Maven 2.0.10 for
> > releases or verify, check, and resign any affected poms.
>
> I just re-checked and the POM for maven-shade-plugin:1.2.1 that I
> released not long ago with Maven 2.1.0 suffers from this. What's the
> process of fixing the signature on central?

With the Nexus releases, I have no idea. For the stuff that affected me (the latest CXF releases), I resigned all the poms, reuploaded the *.asc* files to people.apache.org and then forced a manual resync to central. Not sure how to handle that with Nexus stuff.

> > The Maven team is aware of the situation and is working on a fix.
>
> A corresponding JIRA is still outstanding, likely due to unclear target
> project, right? Possibly something we want to consider for inclusion in
> 2.2?

I've created a JIRA for MGPG and attached a patch: http://jira.codehaus.org/browse/MGPG-14 that seems to allow the sigs to be OK for Maven 2.1.0 as well as 2.0.9 and 2.0.10. However, it's semi-hacky and I'd like a couple of the other maven devs to take a quick look and "ok it" before I commit it.

--
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
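The failure mode discussed in this thread, as an added example that is not code from the thread, from Maven or from the maven-gpg-plugin: the installer resolves `${...}` version properties in the POM after the gpg plugin has signed it, so the installed POM no longer matches the signed bytes and the detached `.asc` cannot verify. The script compares the POM that was signed with the copy that was installed, flags the expressions that were rewritten, and calls `gpg --verify` when gpg is available. The directory layout (signed POMs and installed POMs sharing a file name) and the sample POM are assumptions.

```python
import re
import shutil
import subprocess
from pathlib import Path
from typing import Dict, Optional, Set

# ${property} expressions that MNG-3057's on-the-fly resolution rewrites
# inside <version> elements when the POM is installed/deployed.
EXPR = re.compile(r"\$\{([^}]+)\}")
VERSION = re.compile(r"<version>([^<]*)</version>")

def version_expressions(pom_text: str) -> Set[str]:
    """Property names still unresolved inside <version> elements."""
    found: Set[str] = set()
    for m in VERSION.finditer(pom_text):
        found.update(EXPR.findall(m.group(1)))
    return found

def resolved_after_signing(signed_pom: str, installed_pom: str) -> Set[str]:
    """Expressions the installer resolved after the gpg plugin signed the POM.
    A non-empty result means the detached .asc made over signed_pom cannot
    verify against installed_pom, so that POM has to be re-signed."""
    return version_expressions(signed_pom) - version_expressions(installed_pom)

def gpg_verify(pom: Path, asc: Path) -> Optional[bool]:
    """Run `gpg --batch --verify asc pom`; None when gpg is not installed."""
    if shutil.which("gpg") is None:
        return None
    result = subprocess.run(["gpg", "--batch", "--verify", str(asc), str(pom)],
                            capture_output=True)
    return result.returncode == 0

def audit(signed_dir: Path, repo_dir: Path) -> Dict[str, Set[str]]:
    """For each installed POM whose signed copy (same file name, assumed
    layout) exists in signed_dir, report the expressions resolved after signing."""
    report: Dict[str, Set[str]] = {}
    for installed in repo_dir.rglob("*.pom"):
        signed = signed_dir / installed.name
        if signed.exists():
            diff = resolved_after_signing(signed.read_text(), installed.read_text())
            if diff:
                report[installed.name] = diff
    return report

# Constructed sample: the POM as signed, and the copy installed by Maven 2.1.0
# after ${demo.version} was resolved on the fly.
SIGNED_POM = ("<project><artifactId>demo</artifactId><version>${demo.version}"
              "</version><properties><demo.version>1.2.1</demo.version>"
              "</properties></project>")
INSTALLED_POM = SIGNED_POM.replace("<version>${demo.version}</version>",
                                   "<version>1.2.1</version>")
```

Run `audit(Path("target"), Path("~/.m2/repository").expanduser())` style calls against a real staging tree to list POMs that need re-signing; `gpg_verify` then confirms which `.asc` files actually fail.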
