On Mon, Aug 22, 2011 at 12:30 PM, Sergiu Dumitriu <[email protected]> wrote:
> On 08/15/2011 12:04 PM, Caleb James DeLisle wrote:
>
>> On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
>>
>>> On 08/15/2011 11:19 AM, Vincent Massol wrote:
>>>
>>>> Hi,
>>>>
>>>> I think we should start signing our artifacts using PGP as explained
>>>> here:
>>>> https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures+With+Maven
>>>>
>>>> Here's my +1
>>>
>>> +1.
>>>
>>> Do we use only one key, installed on the release machine? It should be
>>> protected by a strong passphrase.
>>
>> +1
>> I really don't like the "one key on the release box" idea.
>> IMO each release manager should sign with their key which ofc never leaves
>> their own computer.
>
> The problem with this is that the GPG signing is supposed to happen during
> mvn release:perform, which happens on the agent machine.
>
> There are two options:
> - temporarily install the personal private key on the server
> - release from the local computer
>
> Is there a way to tunnel the GPG signing to the local computer?
>
> Found this: http://lists.gnupg.org/pipermail/gnupg-users/2010-July/039112.html
>
>>>> Thanks
>>>> -Vincent
>>>>
>>>> PS: If we agree I can commit the changes required to our top level POM to
>>>> implement this (I have them locally already)
>>>
>>> PS2: When's the release user ready on one of the new agents?
>
> --
> Sergiu Dumitriu
> http://purl.org/net/sergiu/

--
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs

