[ https://issues.apache.org/jira/browse/MNG-7776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17736878#comment-17736878 ]
Vladimir Sitnikov commented on MNG-7776:
----------------------------------------

The checksums exist for artifacts, so it is not clear why make a deviation for .sigstore.
There are non-https servers still used, so having checksums would make sense.

> don't fingerprint Sigstore signatures (like GPG)
> ------------------------------------------------
>
>                 Key: MNG-7776
>                 URL: https://issues.apache.org/jira/browse/MNG-7776
>             Project: Maven
>          Issue Type: Improvement
>    Affects Versions: 3.9.1, 4.0.0-alpha-5
>            Reporter: Herve Boutemy
>            Assignee: Herve Boutemy
>            Priority: Major
>             Fix For: 3.9.2, 4.0.0-alpha-7, 4.0.0
>
>
> Maven repository format requires .md5 and .sha1 fingerprints/checksums for
> every artifact: https://maven.apache.org/repository/layout.html
> GPG signature (.asc) is not considered as an artifact, and it does not
> require these fingerprints.
> While working on Sigstore support in addition to GPG, the same should be done
> for Sigstore signatures: no fingerprint for .sigstore files (like no GPG
> signature for Sigstore signature: see MGPG-86).
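As an added example (not Maven's own code and not part of this issue thread), a small Python audit of a local repository in the Maven layout: it checks that every artifact carries the mandated .md5 and .sha1 fingerprints and that they match the file contents, while treating .asc and .sigstore signature files as sidecars that need no fingerprints of their own, which is the rule the issue proposes. The repository under org/example/demo is constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

CHECKSUM_EXTS = (".md5", ".sha1", ".sha256", ".sha512")  # checksum sidecars
SIGNATURE_EXTS = (".asc", ".sigstore")  # signatures carry no fingerprints
REQUIRED = ("md5", "sha1")  # fingerprints the layout mandates per artifact

def is_artifact(path: Path) -> bool:
    """Anything that is neither a checksum nor a signature sidecar."""
    return not path.name.endswith(CHECKSUM_EXTS + SIGNATURE_EXTS)

def read_digest(sidecar: Path) -> str:
    """Hex digest from a checksum file; a trailing file name is tolerated."""
    return sidecar.read_text().split()[0].lower()

def verify_artifact(path: Path) -> dict:
    """Per required algorithm: 'ok', 'missing' (no sidecar) or 'mismatch'."""
    data = path.read_bytes()
    verdict = {}
    for algo in REQUIRED:
        sidecar = path.with_name(path.name + "." + algo)
        if not sidecar.exists():
            verdict[algo] = "missing"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        verdict[algo] = "ok" if read_digest(sidecar) == actual else "mismatch"
    return verdict

def audit_repo(root: Path) -> dict:
    """Map each artifact's repository-relative path to its verdicts."""
    return {p.relative_to(root).as_posix(): verify_artifact(p)
            for p in sorted(root.rglob("*")) if p.is_file() and is_artifact(p)}

def run_demo() -> dict:
    """Constructed sample: demo-1.0.jar with correct .md5/.sha1 plus .asc and
    .sigstore files (no fingerprints of their own); demo-1.0.pom with a stale .sha1."""
    root = Path(tempfile.mkdtemp())
    jar = root / "org/example/demo/1.0/demo-1.0.jar"
    jar.parent.mkdir(parents=True)
    jar.write_bytes(b"PK\x03\x04 constructed jar bytes")
    for algo in REQUIRED:
        digest = hashlib.new(algo, jar.read_bytes()).hexdigest()
        jar.with_name(jar.name + "." + algo).write_text(f"{digest}  {jar.name}\n")
    jar.with_name(jar.name + ".asc").write_text("-----BEGIN PGP SIGNATURE-----\n")
    jar.with_name(jar.name + ".sigstore").write_text("{}\n")
    pom = jar.with_name("demo-1.0.pom")
    pom.write_text("<project/>\n")
    pom.with_name(pom.name + ".sha1").write_text("0" * 40 + "\n")
    return audit_repo(root)
```

Running `run_demo()` reports the jar as fully fingerprinted, the pom as missing its .md5 and carrying a mismatching .sha1, and never lists the .asc or .sigstore files as artifacts in need of checksums.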