[ https://issues.apache.org/jira/browse/MNG-7776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17736869#comment-17736869 ]

Vladimir Sitnikov commented on MNG-7776:
----------------------------------------

Checksums for {{.sigstore}} files would help for verifying transfer integrity.
For instance, when a client pushes artifacts to a server, the server would be 
able to verify whether the received {{.sigstore}} file is corrupted (TCP and 
HTTPS do not guarantee file integrity during transfer).

The same goes for receiving the file from the repository: if the repository 
serves a checksum, then the client can verify that the received file is OK and 
that it is not truncated or accidentally corrupted.

Skipping the checksum does no good; it is bad for verifying integrity.

Of course, it makes no sense to sign {{.sigstore}} files with PGP, however, 
that is a completely different story. I would suggest that Maven should 
generate checksums for both {{.sigstore}} and {{.asc}} files.
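As an added illustration (not part of the Jira thread) of the transfer-integrity check the comment describes: a Maven-style {{.sha1}} sidecar is generated for a {{.sigstore}} file and then used to detect a truncated or bit-flipped download. The bundle bytes are a constructed stand-in, not a real Sigstore bundle; the sidecar layout (hex digest, optionally followed by whitespace and a file name) follows the Maven repository layout convention.

```python
import hashlib
import hmac
import re

# Maven sidecar checksum files (.md5 / .sha1) carry the hex digest, optionally
# followed by whitespace and a file name (sha1sum-style). Both forms are accepted.
_CHECKSUM_RE = re.compile(r"^\s*([0-9a-fA-F]+)(?:\s+\S.*)?\s*$")


def write_sidecar(data: bytes, algorithm: str) -> str:
    """Return the text of a .md5/.sha1 sidecar for the given file bytes."""
    return hashlib.new(algorithm, data).hexdigest() + "\n"


def parse_sidecar(text: str) -> str:
    """Extract the lowercase hex digest from a sidecar, rejecting malformed files."""
    match = _CHECKSUM_RE.match(text)
    if not match:
        raise ValueError("malformed checksum file")
    return match.group(1).lower()


def verify_transfer(data: bytes, sidecar_text: str, algorithm: str) -> bool:
    """Compare received bytes against the published digest.

    This detects transfer damage (truncation, corruption) only; authenticity
    is the job of the signature itself, not of the checksum.
    """
    expected = parse_sidecar(sidecar_text)
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(expected, actual)


# Constructed stand-in for a .sigstore bundle; not a real Sigstore bundle.
BUNDLE = b'{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","example":true}'
SIDECAR_SHA1 = write_sidecar(BUNDLE, "sha1")


def demo() -> tuple:
    """Intact download passes; a partial download and a bit flip both fail."""
    intact = verify_transfer(BUNDLE, SIDECAR_SHA1, "sha1")
    truncated = verify_transfer(BUNDLE[:-1], SIDECAR_SHA1, "sha1")
    flipped = verify_transfer(BUNDLE[:-1] + bytes([BUNDLE[-1] ^ 0x01]), SIDECAR_SHA1, "sha1")
    return intact, truncated, flipped


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```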



> don't fingerprint Sigstore signatures (like GPG)
> ------------------------------------------------
>
>                 Key: MNG-7776
>                 URL: https://issues.apache.org/jira/browse/MNG-7776
>             Project: Maven
>          Issue Type: Improvement
>    Affects Versions: 3.9.1, 4.0.0-alpha-5
>            Reporter: Herve Boutemy
>            Assignee: Herve Boutemy
>            Priority: Major
>             Fix For: 3.9.2, 4.0.0-alpha-7, 4.0.0
>
>
> The Maven repository format requires .md5 and .sha1 fingerprints/checksums for 
> every artifact: https://maven.apache.org/repository/layout.html
> A GPG signature (.asc) is not considered an artifact, and it does not 
> require these fingerprints.
> While working on Sigstore support in addition to GPG, the same should be done 
> for Sigstore signatures: no fingerprint for .sigstore files (like no GPG 
> signature for Sigstore signature: see MGPG-86)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)