[not too happy with the terminology used here. Open to suggestions]

Overview
========

This proposal extends the URI Syntax proposal:
http://nagoya.apache.org/wiki/apachewiki.cgi?ASFRepository/URISyntax

Signature artifacts are artifacts used to verify the integrity of another
artifact. These include PGP/GPG signatures and keys, and MD5 and SHA checksums.

The key aims of this proposal are to:

. formalise artifact-specifier for signature artifacts;
. provide a set of best practices for such artifacts; and
. enable tools to construct a URI that unambiguously locates a particular
  signature artifact using a set of known criteria.

URI Components
==============

An absolute repository URI is written as follows:

  repository-uri = access-specifier "/" product-specifier "/"
                   version-specifier "/" artifact-specifier

For signature artifacts, artifact-specifier is:

  artifact-specifier = signature-artifact-specifier
  signature-artifact-specifier = key-artifact | integrity-artifact

Key artifacts
-------------

For artifacts digitally signed using PGP/GPG, there is an associated KEYS
artifact.

  key-artifact = pgp-keys
  pgp-keys = "pgp/KEYS"

E.g.:

  http://repo.apache.org/apache/ant/1.5.4/pgp/KEYS

Integrity artifacts
-------------------

Each artifact may have an associated integrity artifact:

  integrity-artifact = artifact-specifier "." sig-type
  sig-type = "pgp" | "md5" | "sha"

Where:

. pgp indicates the artifact was digitally signed using PGP/GPG
. md5 indicates an MD5 checksum
. sha indicates a SHA checksum

E.g.: the artifact

  http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar

may have the integrity artifacts

  http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar.md5
  http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar.pgp
  http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar.sha

Rationale
=========

Integrity artifacts located alongside artifacts
-----------------------------------------------

This approach enables integrity artifacts to be located easily.

Tool support
============

Key artifacts
-------------

Tools can unambiguously locate a key artifact given the project-version URI
and the signature type. E.g., given:

  uri = http://repo.apache.org/apache/ant/1.5.4/
  sig-type = "pgp"

The key artifact URI would be:

  uri = http://repo.apache.org/apache/ant/1.5.4/pgp/KEYS

Integrity artifacts
-------------------

Tools can unambiguously locate an integrity artifact given the repository URI
of the associated artifact and the signature type. E.g., given:

  uri = http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar
  sig-type = "md5"

The integrity artifact URI would be:

  uri = http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar.md5
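The following Python is an added example, not code from the ASFRepository proposal or any Apache tool. It implements the URI rules from the "URI Components" and "Tool support" sections (key artifact from a project-version URI, integrity artifact from an artifact URI plus sig-type, and the inverse split) and adds the check a tool would run once it has fetched both files: comparing an md5/sha checksum file against the artifact bytes. The proposal does not say which SHA variant "sha" means or fix the checksum file format, so the code assumes the common "<hexdigest>  <filename>" layout and picks the SHA variant from the digest length; both are assumptions. The sample artifact bytes and checksum files are constructed here, not real Ant release data.

```python
"""Added example: signature-artifact URI construction and checksum verification
for the ASFRepository signature-artifact proposal (not the proposal's own code)."""
import hashlib
import hmac

# sig-type = "pgp" | "md5" | "sha"
SIG_TYPES = ("pgp", "md5", "sha")

# Assumption: the proposal only says "sha" is a SHA checksum, so the variant is
# resolved from the hex-digest length found in the checksum file.
_SHA_BY_HEX_LEN = {40: "sha1", 64: "sha256", 128: "sha512"}
_HEX = set("0123456789abcdef")


def key_artifact_uri(project_version_uri: str) -> str:
    """key-artifact = "pgp/KEYS", relative to the project-version URI."""
    return project_version_uri.rstrip("/") + "/pgp/KEYS"


def integrity_artifact_uri(artifact_uri: str, sig_type: str) -> str:
    """integrity-artifact = artifact-specifier "." sig-type."""
    if sig_type not in SIG_TYPES:
        raise ValueError(f"unknown sig-type: {sig_type!r}")
    if artifact_uri.endswith("/"):
        raise ValueError("artifact URI must name an artifact, not a directory")
    return f"{artifact_uri}.{sig_type}"


def split_integrity_uri(uri: str):
    """Inverse of integrity_artifact_uri: (artifact_uri, sig_type), or None when
    the URI does not end in a known sig-type suffix."""
    base, dot, suffix = uri.rpartition(".")
    if dot and suffix in SIG_TYPES:
        return base, suffix
    return None


def _expected_digest(checksum_text: str) -> str:
    # Assumption: "<hexdigest>  <filename>" or a bare digest; only the first
    # token is used, and it must be hex so the comparison below is meaningful.
    tokens = checksum_text.split()
    if not tokens:
        raise ValueError("empty checksum file")
    digest = tokens[0].lower()
    if not set(digest) <= _HEX:
        raise ValueError("checksum file does not start with a hex digest")
    return digest


def verify_checksum(artifact: bytes, checksum_text: str, sig_type: str) -> bool:
    """True when the artifact bytes match an md5/sha integrity artifact.
    A "pgp" integrity artifact is a signature, not a digest, and needs an
    OpenPGP implementation plus the KEYS file; it is rejected here."""
    expected = _expected_digest(checksum_text)
    if sig_type == "md5":
        algo = "md5"
    elif sig_type == "sha":
        algo = _SHA_BY_HEX_LEN.get(len(expected))
        if algo is None:
            raise ValueError(f"unrecognised SHA digest length {len(expected)}")
    else:
        raise ValueError(f"sig-type {sig_type!r} is not a checksum type")
    actual = hashlib.new(algo, artifact).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data standing in for ant-1.5.4.jar and its checksum files.
SAMPLE_ARTIFACT = b"constructed placeholder bytes for ant-1.5.4.jar\n"
SAMPLE_MD5_FILE = hashlib.md5(SAMPLE_ARTIFACT).hexdigest() + "  ant-1.5.4.jar\n"
SAMPLE_SHA_FILE = hashlib.sha1(SAMPLE_ARTIFACT).hexdigest() + "\n"

ARTIFACT_URI = "http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar"

if __name__ == "__main__":
    print(key_artifact_uri("http://repo.apache.org/apache/ant/1.5.4/"))
    for st in SIG_TYPES:
        print(integrity_artifact_uri(ARTIFACT_URI, st))
    print(verify_checksum(SAMPLE_ARTIFACT, SAMPLE_MD5_FILE, "md5"))
    print(verify_checksum(SAMPLE_ARTIFACT + b"tampered", SAMPLE_SHA_FILE, "sha"))
```

A checksum fetched from the same location as the artifact only catches corruption in transit or on disk: anyone able to replace the jar can replace the .md5 and .sha beside it. The pgp integrity artifact, verified against the project's KEYS artifact obtained through a trusted channel, is the check that covers substitution, which is why the proposal keeps both kinds.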
