Ivy indeed doesn't handle signature validation. The "validation" is currently limited to checksums.
Gilles Scokart

2009/4/15 Ray Racine <[email protected]>

> Trying to understand the Ivy way of setting up
> internal/shared/professional/enterprise repositories.
>
> I've looked through the Best Practices, examples etc. and the one thing I
> keep looking for is the verification aspect. It's one of those things "you
> know it has to be there somewhere" but I can't find it. Let's say I want to
> create an internal repository and as part of the process verify the jars
> using PGP, MD5 or SHA-1 sigs. Is this something supported by Ivy or are
> there other Ant tasks and scripts everyone is using that support this?
> Right now the best I can come up with would be something like this.
>
> - Create a local Stage Repository and populate it from public (Maven et al)
>   repos via an Ant script with itemized Install tasks for each artifact.
> - Manually obtain sigs or keys from a non-mirror and verify a jar
>   one-by-one.
> - Use another Ant script to move via an Install task a verified jar into
>   MyEnterpriseRepo.
> - Then to avoid all this manual work, start building a tedious set of Ant
>   scripts to fetch KEYS etc via fetch tasks and verify all Stage Repo.
>   artifacts etc...
>
> What I've been searching for is some settings capability where for each
> artifact I can tell Ivy the expected PGP or SHA-1 and avoid the Stage
> Repository, in other words, Ivy will refuse to install an artifact into
> MyEnterpriseRepo which fails to verify.
>
> How is everyone dealing with the verification aspect??
>
> Thanks,
>
> Ray
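The promotion gate described in the quoted message (an artifact that fails to verify never reaches MyEnterpriseRepo), as an added example that is not part of the original thread and is not Ivy functionality. The pin-file format (`algorithm digest filename`), the function names and the sample jars are assumptions made for illustration; it checks digests only, not PGP signatures, and the pins must be obtained from somewhere other than the mirror that served the jar.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def parse_pins(text):
    """Parse 'algorithm digest filename' lines (assumed format); '#' starts a comment."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            algo, digest, name = line.split()
            if algo not in ("sha1", "sha256"):  # sha1 as in the thread; prefer sha256 when published
                raise ValueError("unsupported digest algorithm: " + algo)
            pins[name] = (algo, digest.lower())
    return pins

def promote_verified(stage, repo, pins):
    """Copy stage artifacts whose digest matches its pin into repo; return (promoted, rejected)."""
    promoted, rejected = [], {}
    repo.mkdir(parents=True, exist_ok=True)
    for art in sorted(p for p in stage.iterdir() if p.is_file()):
        if art.name not in pins:
            rejected[art.name] = "no pinned digest"  # fail closed: unpinned is never promoted
            continue
        algo, expected = pins[art.name]
        tmp = repo / (art.name + ".part")
        shutil.copyfile(art, tmp)  # hash the copy that will be published, not the staged file
        actual = hashlib.new(algo, tmp.read_bytes()).hexdigest()
        if actual == expected:
            tmp.replace(repo / art.name)  # rename only after the bytes have verified
            promoted.append(art.name)
        else:
            tmp.unlink()
            rejected[art.name] = "digest mismatch"
    return promoted, rejected

def demo():
    """Constructed sample: a matching jar, a jar that differs from its pin, an unpinned jar."""
    with tempfile.TemporaryDirectory() as d:
        stage, repo = Path(d, "stage"), Path(d, "MyEnterpriseRepo")
        stage.mkdir()
        for name in ("good", "bad", "extra"):
            (stage / (name + "-1.0.jar")).write_bytes(name.encode() + b" as fetched")
        pins = parse_pins("sha1 %s good-1.0.jar\nsha1 %s bad-1.0.jar  # publisher's digest\n" % (
            hashlib.sha1(b"good as fetched").hexdigest(),
            hashlib.sha1(b"bad as published").hexdigest()))
        promoted, rejected = promote_verified(stage, repo, pins)
        return promoted, rejected, sorted(p.name for p in repo.iterdir())
```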
