Hi Andy,

Thanks for bringing this up and looking into the mechanics of how to get it working. I am a +1 for signing our Maven artifacts.

Thanks,
Kevin

On Wed, May 29, 2019 at 6:09 PM Andy LoPresto <[email protected]> wrote:
>
> Hi folks,
>
> I am writing to propose updating our release process to include signing artifacts with GPG. Currently we sign the full build (i.e. nifi-x.y.z-source-release.tar.gz) with the GPG key of the release manager, and the corresponding public key is available in our KEYS file, hosted by Apache. My proposal is that we complement this by signing the individual Maven modules as well, so that consuming projects (ourselves included) can verify that the code they are running was what was published. I've included a few links below [1][2][3][4][5][6][7] that hopefully answer preliminary questions about the process, but I am happy to have further discussion here as well.
>
> I also volunteer to assist with whoever RMs the next release to ensure the process goes smoothly and we document the necessary steps and update our Release Guide [8].
>
> [1] https://maven.apache.org/plugins/maven-gpg-plugin/usage.html
> [2] https://github.com/sevntu-checkstyle/dsm-maven-plugin/wiki/How-to-config-GPG-and-sign-artifact-with-it
> [3] http://branchandbound.net/blog/security/2012/08/verify-dependencies-using-pgp/
> [4] https://blog.sonatype.com/2010/01/how-to-generate-pgp-signatures-with-maven/
> [5] https://stackoverflow.com/questions/6565084/maven-verify-signatures-of-downloaded-pom-jar-files
> [6] https://www.simplify4u.org/pgpverify-maven-plugin/
> [7] https://central.sonatype.org/pages/working-with-pgp-signatures.html
> [8] https://nifi.apache.org/release-guide.html
>
> Andy LoPresto
> [email protected]
> [email protected]
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
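The proposal quoted above has two halves: the release manager produces a detached GPG signature next to every module artifact (what the maven-gpg-plugin `sign` goal in [1] emits as `<file>.asc`), and a consumer imports the project's KEYS file and checks each signature. The script below is an added example, not NiFi's release tooling or any of the linked plugins; it does both halves by hand with `gpg` so the checks are visible, and it goes one step beyond a plain `gpg --verify`: a KEYS file lists every RM's key, so the consumer also pins the signature to the fingerprint of the RM who actually cut the release. It needs gpg 2.1 or later on PATH; the keys, user ids, file names and artifact bytes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not NiFi's release tooling. It reproduces by hand what
# maven-gpg-plugin's "sign" goal emits for each module artifact (a detached,
# ASCII-armored <file>.asc) and what a consumer must do to check it against
# the project's KEYS file. Needs gpg 2.1+ on PATH; the keys, identities and
# artifact bytes below are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
RM_HOME="$WORK/rm-gnupg"             # release manager's keyring
OTHER_HOME="$WORK/other-gnupg"       # a different (legitimate) RM's keyring
CONSUMER_HOME="$WORK/consumer-gnupg" # consumer starts with an empty keyring
mkdir -m 700 "$RM_HOME" "$OTHER_HOME" "$CONSUMER_HOME"
cleanup() {
    for h in "$RM_HOME" "$OTHER_HOME" "$CONSUMER_HOME"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Throwaway keys (a real RM uses the long-lived key already listed in KEYS).
gen_key() {  # $1 = homedir, $2 = user id; prints the primary fingerprint
    gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never >/dev/null 2>&1
    gpg --homedir "$1" --batch --with-colons --fingerprint "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}
RM_FPR=$(gen_key "$RM_HOME" "Example RM <rm@example.org>")
OTHER_FPR=$(gen_key "$OTHER_HOME" "Other RM <other@example.org>")

# KEYS as Apache publishes it: armored public keys of every RM, concatenated.
{ gpg --homedir "$RM_HOME" --batch --armor --export "$RM_FPR"
  gpg --homedir "$OTHER_HOME" --batch --armor --export "$OTHER_FPR"
} > "$WORK/KEYS"

# What maven-gpg-plugin:sign does per artifact (jar, pom, sources, ...).
sign_artifact() {  # $1 = homedir of the signer, $2 = artifact path
    gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$2.asc" "$2"
}

# Consumer side. Returns 0 only if <artifact>.asc is a valid signature over
# <artifact> AND was made by the key whose fingerprint is $2: a KEYS file
# holds every RM's key, so "some key in KEYS signed it" is weaker than "the
# RM named in the vote thread signed it".
verify_artifact() {  # $1 = artifact path, $2 = expected primary fingerprint
    gpg --homedir "$CONSUMER_HOME" --batch --import "$WORK/KEYS" >/dev/null 2>&1
    # --status-fd emits machine-readable lines; on success VALIDSIG's last
    # field is the primary-key fingerprint of the signer.
    status=$(gpg --homedir "$CONSUMER_HOME" --batch --status-fd 1 \
                 --verify "$1.asc" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .* $2\$"
}

# Three artifacts: genuine, tampered after signing, signed by the other RM.
GENUINE="$WORK/nifi-example-1.0.0.jar"
printf 'constructed jar bytes\n' > "$GENUINE"
sign_artifact "$RM_HOME" "$GENUINE"

TAMPERED="$WORK/nifi-example-1.0.0-tampered.jar"
cp "$GENUINE" "$TAMPERED"; cp "$GENUINE.asc" "$TAMPERED.asc"
printf 'an extra byte\n' >> "$TAMPERED"

WRONG_KEY="$WORK/nifi-example-1.0.0-other.jar"
cp "$GENUINE" "$WRONG_KEY"
sign_artifact "$OTHER_HOME" "$WRONG_KEY"

for a in "$GENUINE" "$TAMPERED" "$WRONG_KEY"; do
    if verify_artifact "$a" "$RM_FPR"; then
        echo "OK      $(basename "$a")"
    else
        echo "REJECT  $(basename "$a")"
    fi
done
```

In a real build the producer half is not typed by hand: maven-gpg-plugin's `sign` goal is bound in the release profile (the usage page in [1] shows the execution block) and `mvn verify` with `-Dgpg.keyname=<fingerprint>` produces the `.asc` files for every module; the consumer half is what the pgpverify-maven-plugin `check` goal in [6] automates for each dependency. Two things the script makes explicit that a one-line `gpg --verify` hides: gpg exits 0 but warns "not certified with a trusted signature" for the genuine artifact, because the trust anchor here is the KEYS file fetched from the project's site over HTTPS rather than the web of trust; and the `WRONG_KEY` case is rejected only because of the fingerprint pin, since the other RM's key is in KEYS and gpg alone reports that signature as valid.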
