Okay. I had read the page but I wasn't clear whether you meant that
configured keyring to be where the verifier looked for a specified key
or if you expected the verifier to iterate over those keys. I'm glad
it was the second option.
I think this pretty much covers what I was expecting then.
I already have a repo with PGP signed artifacts. How would I go about
testing what you've done so far? With the code as spread out as it is,
and not having built Maven before, I'm not sure I could properly
assemble all the disparate pieces.
Brett Porter wrote:
On 22/07/2008, at 11:54 PM, Chad La Joie wrote:
Yeah, the code is a bit spread out at the moment. ;) Thanks for the
links though, that helped me find the rest of what I needed.
Looking at the code I have one question. Is the assumption that a
developer would specify the signature-validating key, which will need
to be in their keyring, for each artifact?
At the moment, there is a separate keyring in the Maven installation
(configurable by settings) that you can add and remove keys from, but
any valid signature signed by those keys will be accepted. Getting
access to the right keys easily and safely will be an important part of
making this successful.
I've outlined the initial steps in
http://docs.codehaus.org/display/MAVEN/Repository+Security, and there
are some additional thoughts for later towards the end of the doc.
Cheers,
Brett
--
Brett Porter
[EMAIL PROTECTED]
http://blogs.exist.com/bporter/
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[EMAIL PROTECTED], http://www.switch.ch
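
The keyring model Brett describes in the thread above (a dedicated keyring, and any valid signature from a key in it is accepted) can be reproduced with stock GnuPG. This is an added example, not Maven's code and not from either poster; it assumes gpg and gpgv 2.x are installed, and the key names, file names and artifact contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: "any key in the dedicated keyring is accepted", checked with gpgv.
# Key names and file names are constructed; nothing here is Maven's own code.

# Prints "accept" if some key in keyring $1 made detached signature $2 over file $3.
verify_with_keyring() {
    if gpgv --keyring "$1" "$2" "$3" >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
}

# Non-interactive gpg for throwaway demo keys without a passphrase.
gpg_demo() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null
}

demo() {
    work=$(mktemp -d) || return 2
    GNUPGHOME="$work/home"; export GNUPGHOME    # isolated from the user's own keyring
    mkdir -m 700 "$GNUPGHOME" || return 2
    art="$work/demo-1.0.jar"; ring="$work/trusted.gpg"

    for who in alice bob; do
        gpg_demo --quick-generate-key "$who@example.invalid" ed25519 sign never \
            >/dev/null || return 2
    done
    printf 'constructed artifact bytes\n' > "$art"
    gpg_demo --local-user alice@example.invalid --armor --detach-sign \
        --output "$art.asc" "$art" || return 2

    # 1. Keyring holds only bob: alice's signature is well-formed but not accepted.
    gpg_demo --export bob@example.invalid > "$ring"
    r1=$(verify_with_keyring "$ring" "$art.asc" "$art")
    # 2. Keyring holds alice and bob: accepted, with no per-artifact key named.
    gpg_demo --export alice@example.invalid bob@example.invalid > "$ring"
    r2=$(verify_with_keyring "$ring" "$art.asc" "$art")
    # 3. Same keyring, artifact modified after signing: rejected.
    printf 'tampered\n' >> "$art"
    r3=$(verify_with_keyring "$ring" "$art.asc" "$art")

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$r1 $r2 $r3"
}

demo    # prints: reject accept reject
```

Case 2 is the property to keep in mind when populating such a keyring: every key added to it can vouch for every artifact, so the keyring contents are the whole trust decision.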