[
https://issues.apache.org/jira/browse/MNG-7776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17736878#comment-17736878
]
Vladimir Sitnikov commented on MNG-7776:
----------------------------------------
The checksums exist for artifacts, so it is not clear why make a deviation
for .sigstore.
There are non-https servers still used, so having checksums would make sense.
> don't fingerprint Sigstore signatures (like GPG)
> ------------------------------------------------
>
> Key: MNG-7776
> URL: https://issues.apache.org/jira/browse/MNG-7776
> Project: Maven
> Issue Type: Improvement
> Affects Versions: 3.9.1, 4.0.0-alpha-5
> Reporter: Herve Boutemy
> Assignee: Herve Boutemy
> Priority: Major
> Fix For: 3.9.2, 4.0.0-alpha-7, 4.0.0
>
>
> The Maven repository format requires .md5 and .sha1 fingerprints/checksums for
> every artifact: https://maven.apache.org/repository/layout.html
> A GPG signature (.asc) is not considered an artifact, and it does not
> require these fingerprints.
> While working on Sigstore support in addition to GPG, the same should be done
> for Sigstore signatures: no fingerprint for .sigstore files (like no GPG
> signature for a Sigstore signature: see MGPG-86).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
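The layout rule under discussion, as an added example that is not part of the Jira thread or of Maven's code: a small auditor that walks a directory in Maven repository layout, requires a matching .md5 and .sha1 companion for every artifact, and treats detached signatures (.asc, and .sigstore as per the fix for MNG-7776) as non-artifacts that carry no checksums. The repository contents, the `com.example:demo:1.0` coordinates and all file bodies are constructed for the example.

```python
"""Audit .md5/.sha1 checksum companions in a Maven repository layout.

Illustrative example written for this discussion; not Maven's own code.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Per https://maven.apache.org/repository/layout.html every artifact has
# .md5 and .sha1 companions. Detached signatures are not artifacts and
# carry none: .asc for GPG, and .sigstore after MNG-7776.
SIGNATURE_SUFFIXES = (".asc", ".sigstore")
CHECKSUM_ALGOS = (("md5", ".md5"), ("sha1", ".sha1"))
CHECKSUM_SUFFIXES = tuple(suffix for _, suffix in CHECKSUM_ALGOS)


def checksums_required(filename: str) -> bool:
    """True for artifacts; False for signature files and checksum files themselves."""
    return not filename.endswith(SIGNATURE_SUFFIXES + CHECKSUM_SUFFIXES)


def digest(path: Path, algo: str) -> str:
    h = hashlib.new(algo)
    h.update(path.read_bytes())
    return h.hexdigest()


def read_checksum_file(path: Path) -> str:
    """Maven checksum files hold the hex digest, optionally followed by the
    file name (md5sum/sha1sum style); take the first token, case-insensitively."""
    return path.read_text(encoding="ascii").split()[0].lower()


def audit_repository(root: Path) -> Dict[str, List[str]]:
    """Classify every checksum companion under root as ok/missing/mismatch;
    signature files are listed as skipped because the layout exempts them."""
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "mismatch": [], "skipped": []}
    for f in sorted(root.rglob("*")):
        if not f.is_file() or f.name.endswith(CHECKSUM_SUFFIXES):
            continue
        rel = f.relative_to(root).as_posix()
        if not checksums_required(f.name):
            report["skipped"].append(rel)
            continue
        for algo, suffix in CHECKSUM_ALGOS:
            companion = f.with_name(f.name + suffix)
            if not companion.exists():
                report["missing"].append(rel + suffix)
            elif read_checksum_file(companion) != digest(f, algo):
                report["mismatch"].append(rel + suffix)
            else:
                report["ok"].append(rel + suffix)
    return report


def build_sample_repo(root: Path) -> None:
    """Constructed sample (hypothetical com.example:demo:1.0): a jar with correct
    checksums, a pom with a wrong .md5 and no .sha1, and GPG and Sigstore
    signatures for the jar that deliberately have no checksum companions."""
    d = root / "com" / "example" / "demo" / "1.0"
    d.mkdir(parents=True)
    jar = d / "demo-1.0.jar"
    jar.write_bytes(b"PK\x03\x04 not a real jar, constructed bytes")
    for algo, suffix in CHECKSUM_ALGOS:
        jar.with_name(jar.name + suffix).write_text(digest(jar, algo) + "\n")
    pom = d / "demo-1.0.pom"
    pom.write_text("<project/>\n")
    pom.with_name(pom.name + ".md5").write_text("0" * 32 + "\n")  # deliberately wrong
    (d / "demo-1.0.jar.asc").write_text("-----BEGIN PGP SIGNATURE-----\n(constructed)\n")
    (d / "demo-1.0.jar.sigstore").write_text('{"mediaType": "constructed bundle"}\n')


def demo() -> Dict[str, List[str]]:
    """Build the constructed repository in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return audit_repository(root)


if __name__ == "__main__":
    for status, entries in demo().items():
        for entry in entries:
            print(f"{status:9} {entry}")
```

Running the module reports the jar's two checksums as ok, the pom's .md5 as a mismatch and its .sha1 as missing, and lists the .asc and .sigstore files as skipped rather than as missing checksums. One caveat on the plain-http point raised in the comment: a .sha1 served by the same unauthenticated server as the artifact catches corruption and truncation, but not an attacker who can rewrite both files in transit; that is what the detached signature, GPG or Sigstore, is for.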