On Fri, 4 Feb 2005 14:42:54 -0500, Henri Yandell <[EMAIL PROTECTED]> wrote:
> On Wed, 12 Jan 2005 21:01:41 +0000, Steve Loughran
> <[EMAIL PROTECTED]> wrote:
> > We do need to make it easy to sign stuff.
> I'm new to the list, so I could be missing a lot of context.
> I think the most important thing to do is to make it easy to check the
> signature of stuff.
> I know this will mainly be an issue for Maven/Ant/whatever when they
> download the stuff, but repository could maintain a tight Java
> implementation that can be used to check things automatically?

Yes, it is absolutely imperative to me that out of the box Ant and Maven
can verify that things were signed/hashed by someone they trust.

That means we cannot just rely on a GnuPG signature and the presence
of GPG everywhere; we need a signed MD5 that we can also verify in
Java. We probably can't even use the Bouncy Castle crypto libs as they
are (a) extra and (b) incur interesting export laws when served from
US servers (which is why they are served up in the UK where we don't
have such laws, just a home secretary who wants to put people under
indefinite house arrest and give us all identity cards).

We can't use Java JAR signing as that has too many side effects on the
JAR and the JVM, as well as being JAR specific. But we ought to be
able to use javax.crypto APIs to sign the MD5 with some cert we have,
a certificate we pre-include with the appropriate tools (and we should
have a standalone library too for anyone else).
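
The detached-signature check discussed in this thread, as an added example that is not part of the original messages or of any Ant/Maven code: it uses only the JDK's `java.security.Signature` class, with `SHA256withRSA` swapped in for the MD5 digest named above. The class name, the in-memory key pair (a constructed stand-in for the key in a pre-included certificate) and the sample artifact bytes are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class DetachedSignatureDemo {

    // Release side: produce a detached signature that is published next to the artifact.
    static byte[] sign(byte[] artifact, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(artifact);          // the digest is computed inside the Signature object
        return s.sign();
    }

    // Client side (build tool): accept the artifact only if the detached signature
    // verifies under the trusted public key shipped with the tool.
    static boolean verify(byte[] artifact, byte[] sig, PublicKey trusted) {
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(trusted);
            s.update(artifact);
            return s.verify(sig);
        } catch (GeneralSecurityException e) {
            return false;            // malformed signature or unusable key: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the repository signing key. A real tool would load
        // the public key from its bundled certificate via CertificateFactory instead.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair repoKey = gen.generateKeyPair();
        KeyPair untrusted = gen.generateKeyPair();   // a signer the tool does not trust

        byte[] artifact = "constructed sample jar bytes".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(artifact, repoKey.getPrivate());

        byte[] tampered = artifact.clone();
        tampered[0] ^= 0x01;                          // single flipped bit in the download

        System.out.println("intact artifact, trusted key:   "
                + verify(artifact, sig, repoKey.getPublic()));
        System.out.println("tampered artifact, trusted key: "
                + verify(tampered, sig, repoKey.getPublic()));
        System.out.println("intact artifact, untrusted key: "
                + verify(artifact, sig, untrusted.getPublic()));
        System.out.println("truncated signature:            "
                + verify(artifact, new byte[] {1, 2, 3}, repoKey.getPublic()));
    }
}
```

Only the first check succeeds; the signature file stays separate from the artifact, so the JAR itself is never modified.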