> There is no good solution here. Really.
Sure - I understand that. All I am trying to think of is something as
secure as your proposal, but less intrusive to the user. Or at least a
decent way to aid them with tools.
Really, I've been in favour of using bouncycastle and PGP for a long
time, so I guess the time has come to finally bite down and implement
> Our team's security person doesn't believe in anything
> other than clean build code, tagged CVS releases, with personal
That's actually not too bad as they publish all that built stuff to
the company repository and don't have to do any of this :)
> The only reason I can get away with coding the maven lib
> support is that he is away right now...
> The best source of keys (both SHA1 and MD5) will be the PGP-signed
> announcements of releases. That puts PGP at the base of the trust
> chain. But we can't automate PGP checks without bouncycastle on the
I realise this is not something that can be OOTB with Ant, but I'm
sure security conscious folks would be happy to add it. For Maven, I
definitely want to go down this path so we can make signing the
release part of the deployment process too.
Anyway, I'll let the list know if I or someone else in the team
finally gets to the point of moving on it.