Daniel Kulp wrote:
> This is just a warning that the Maven team has just discovered an interaction problem between Maven 2.1 and the maven-gpg-plugin that CAN result in the signatures for the installed/deployed poms being invalid. Signatures for the other artifacts (jars, wars, etc.) are unaffected and not all poms are affected.

I guess you mean the new VersionExpressionTransformation that has been added for MNG-3057 and resolves version properties on-the-fly in the POM during installation?

> Thus, at this point, it's advisable to either use Maven 2.0.10 for releases or verify, check, and re-sign any affected poms.

I just re-checked and the POM for maven-shade-plugin:1.2.1 that I released not long ago with Maven 2.1.0 suffers from this. What's the process of fixing the signature on central?

> The Maven team is aware of the situation and is working on a fix.

A corresponding JIRA is still outstanding, likely due to unclear target project, right? Possibly something we want to consider for inclusion in 2.2?

Benjamin
