On 31/08/2010, at 8:11 AM, Wendy Smoak wrote: > Can Archiva verify GPG signatures on proxied artifacts? It would be > like http://jira.codehaus.org/browse/MRM-212 but for GPG signatures.
Not at this stage. This would be relatively simple to do based on the work I did for Maven some time back, if we decide on the rules around it. You could use a pre-loaded keyring, or you could add servers to retrieve keys from automatically. Once you have a loaded keyring, it's quite straightforward to hook into that mechanism. If you're interested in some help to implement it, let's discuss on dev@ :) > > I can only find the reference docs for "GPG Signature Consumers" > http://archiva.apache.org/ref/1.3.1/archiva-base/archiva-consumers/archiva-signature-consumers/ > . What are these for? I think they were for generating missing ones, like the checksums. It's not implemented (and a bit shortsighted, since you don't typically have a key on the server to do so). The module should really be removed. - Brett -- Brett Porter [email protected] http://brettporter.wordpress.com/
