[ https://issues.apache.org/jira/browse/MPOM-118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15292314#comment-15292314 ]
Christopher Tubbs commented on MPOM-118: ---------------------------------------- Possibly. Or, maybe adding some sort of signature-verification mojo to run after the gpg:sign mojo. That idea might be related to MGPG-54, and is probably worth pursuing, but this is issue is just about the parent pom configuration given the current capabilities of the plugin. > Enforce strong GPG signatures by default > ---------------------------------------- > > Key: MPOM-118 > URL: https://issues.apache.org/jira/browse/MPOM-118 > Project: Maven POMs > Issue Type: Improvement > Components: asf > Affects Versions: ASF-17 > Reporter: Christopher Tubbs > > maven-gpg-plugin configuration could be improved a bit so that ASF releases > are not weakened by a user's weak personal configuration. > I suggest adding something like the following to maven-gpg-plugin's > configuration in the pluginManagement section: > {code:xml} > <gpgArguments combine.children="append"> > <arg>--digest-algo=SHA512</arg> > </gpgArguments> > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)