Trying to understand the Ivy way of setting up internal/shared/professional/enterprise repositories.
I've looked through the Best Practices, examples etc. and the one thing I keep looking for is the verification aspect. Its one of those things "you know it has to be there somewhere" but I can't find it. Let's say I want to create an internal repository and as part of the process verify the jars using PGP, MD5 or SHA-1 sigs. Is this something supported by Ivy or are there other Ant tasks and scripts everyone is using that support this? Right now the best I can come up with would be something like this. - Create a local Stage Repository and populate it from public (Maven et al) repos via an Ant script with itemized Install tasks for each artifact. - Manually obtain sigs or keys from a non-mirror and verify a jar one-by-one. - Use another Ant script to move via an Install task a verified jar into MyEnterpriseRepo. - Then to avoid all this manual work, start building a tedious set of Ant scripts to fetch KEYS etc via fetch tasks and verify all Stage Repo. artifacts etc... What I've been searching for is some settings capability where for each artifact I can tell Ivy the expect PGP or SHA-1 and avoid the Stage Repository, in other words, Ivy will refuse to install an artifact info MyEnterpriseRepo which fails to verify. How is everyone dealing with the verification aspect?? Thanks, Ray
