> Would we be talking about "gpg --armor --output > commons-foo-1.2.jar.md5.asc --detach-sig commons-foo-1.2.jar". Or, is > there some other mechanism we would need to go through?
This is what I'd intended to do in Wagon using Bouncycastle. And as Steve mentions, it can be at the users discretion: skip it, check it from the same location, check it, getting keys from a specified trusted location, only trust if the key is already in my keychain are probably the levels. - Brett