What real problem is behind your question? Are you running any tool which has a problem with signatures in Nexus, or does the development process in your company have a problem?

The MD5 is not security, nothing but verification that the deployed artifact is the identical binary you have downloaded from Nexus; however, the GnuPG *.asc is the real signature of the deployer, and the KEYS can be found in Apache projects if really necessary. You should always be able to verify gpg signatures via (gpg --verify your-artifact-file.sig your-artifact-file) without adding (<signed-by algoritm="sha256">XXX</signed-by>) in the POM.

On Mon, Dec 5, 2016 at 1:56 AM, John Patrick <[email protected]> wrote:
> Hiya,
>
> So currently checksums are not generated by default... I've submitted
> a ticket which switched the install plugin to generate them by
> default.
>
> Next step: stop using md5, which most have considered dead for several
> years, and checking apache
> (https://www.apache.org/dev/release-signing.html) sha512 should be
> being used.
>
> So either;
> 1) add support so md5, sha1, sha256 and sha512 are all generated
> 2) plugin defines which is generated
> 3) plugin defines a list which are generated
> 4) settings.xml defines which is generated
> 5) settings.xml defines a list which are generated?
>
> Thoughts???
>
> Next;
> Currently when downloading we have ignore, warn or error if checksums
> don't match. I propose adding a checksum min level option? i.e. allow
> MD5 > SHA1, SHA256 > SHA512
>
> So;
> 1) Default to MD5
> 2) Wait till all maven plugins deploy a sha512 to central
> 3) Switch default to SHA512
>
> What are developers' thoughts?
> What staged steps should this be merged as?
>
> I would like to start helping getting the core maven and all of its
> dependencies more secure so people can start trusting maven is secure
> by default, as I get the feeling it isn't at the moment.
>
> Cheers,
> John
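The "checksum min level" idea from John's message (use the strongest sidecar checksum present, refuse anything below a configured minimum), as an added Python example that is not code from Maven or from either poster; the stand-in artifact, its .md5/.sha512 sidecar files and the demo() helper are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Strength order from the proposal in the thread: MD5 < SHA1 < SHA256 < SHA512.
ALGORITHMS = ["md5", "sha1", "sha256", "sha512"]


def parse_checksum_file(text):
    """A Maven sidecar (.md5/.sha1/.sha256/.sha512) holds a hex digest,
    optionally followed by whitespace and the file name."""
    parts = text.split()
    if not parts or not re.fullmatch(r"[0-9a-fA-F]+", parts[0]):
        raise ValueError("malformed checksum file")
    return parts[0].lower()


def verify_artifact(artifact, min_level="sha256"):
    """Verify using the strongest sidecar present next to the artifact.
    Returns (algorithm, ok). Raises if nothing at or above min_level exists,
    which is the 'checksum min level' behaviour proposed in the thread."""
    artifact = Path(artifact)
    data = artifact.read_bytes()
    min_idx = ALGORITHMS.index(min_level)
    for algo in reversed(ALGORITHMS):
        sidecar = artifact.with_name(artifact.name + "." + algo)
        if not sidecar.exists():
            continue
        if ALGORITHMS.index(algo) < min_idx:
            raise ValueError(f"only {algo} available, policy requires {min_level} or stronger")
        expected = parse_checksum_file(sidecar.read_text())
        actual = hashlib.new(algo, data).hexdigest()
        # A match proves the bytes are what the repository published, not who
        # published them; origin is what the GnuPG .asc signature is for.
        return algo, actual == expected
    raise ValueError("no checksum sidecar found")


def demo(min_level="sha256", sidecars=("md5", "sha512"), tamper=False):
    """Constructed sample: a stand-in jar with the requested sidecar files."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = Path(tmp) / "example-1.0.jar"
        payload = b"constructed sample bytes, not a real jar"
        jar.write_bytes(payload)
        for algo in sidecars:
            digest = hashlib.new(algo, payload).hexdigest()
            jar.with_name(jar.name + "." + algo).write_text(digest + "  example-1.0.jar\n")
        if tamper:  # simulate a corrupted or substituted download
            jar.write_bytes(payload + b"!")
        return verify_artifact(jar, min_level)
```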
