> Would we be talking about "gpg --armor --output
> commons-foo-1.2.jar.md5.asc --detach-sig commons-foo-1.2.jar". Or, is
> there some other mechanism we would need to go through?

This is what I'd intended to do in Wagon using Bouncy Castle. And as
Steve mentions, it can be at the user's discretion: skip it; check it
from the same location; check it, getting keys from a specified
trusted location; only trust if the key is already in my keychain are
probably the levels.

- Brett
