On 08/15/2011 12:04 PM, Caleb James DeLisle wrote:
>
>
> On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
>> On 08/15/2011 11:19 AM, Vincent Massol wrote:
>>> Hi,
>>>
>>> I think we should start signing our artifacts using PGP as explained here:
>>> https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures+With+Maven
>>>
>>> Here's my +1
>>
>> +1.
>>
>> Do we use only one key, installed on the release machine? It should be
>> protected by a strong passphrase.
>
> +1
> I really don't like the "one key on the release box" idea.
> IMO each release manager should sign with their key which ofc never leaves
> their own computer.
>
The problem with this is that the GPG signing is supposed to happen during mvn release:perform, which happens on the agent machine. There are two options:
- temporarily install the personal private key on the server
- release from the local computer

Is there a way to tunnel the GPG signing to the local computer?

>
>>
>>>
>>> Thanks
>>> -Vincent
>>>
>>> PS: If we agree I can commit the changes required to our top level POM to
>>> implement this (I have them locally already)
>>
>> PS2: When's the release user ready on one of the new agents?
>>

--
Sergiu Dumitriu
http://purl.org/net/sergiu/
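An added illustration of the setup discussed in this thread, not taken from the XWiki POM or from any poster: a release profile that binds the maven-gpg-plugin `sign` goal to the build that `release:perform` runs, with no key id or passphrase stored in the POM. The profile id `sign-release` and the execution id are assumptions.

```xml
<!-- Added example; ids are hypothetical, not XWiki's actual POM. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-release-plugin</artifactId>
      <configuration>
        <!-- release:perform builds the tagged sources with this profile
             active, so signing runs on the machine doing the release. -->
        <releaseProfiles>sign-release</releaseProfiles>
      </configuration>
    </plugin>
  </plugins>
</build>

<profiles>
  <profile>
    <id>sign-release</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-gpg-plugin</artifactId>
          <!-- The signing key is selected with the gpg.keyname user property
               (for example from the release manager's own settings.xml),
               so the shared POM names no key and holds no passphrase. -->
          <executions>
            <execution>
              <id>sign-artifacts</id>
              <phase>verify</phase>
              <goals>
                <goal>sign</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

With this layout the private key has to be reachable by gpg on whichever machine executes `release:perform`, which is the constraint the two options above are weighing.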

