[
https://issues.apache.org/jira/browse/MPOM-118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15292314#comment-15292314
]
Christopher Tubbs commented on MPOM-118:
----------------------------------------
Possibly. Or, maybe adding some sort of signature-verification mojo to run
after the gpg:sign mojo. That idea might be related to MGPG-54, and is probably
worth pursuing, but this is issue is just about the parent pom configuration
given the current capabilities of the plugin.
> Enforce strong GPG signatures by default
> ----------------------------------------
>
> Key: MPOM-118
> URL: https://issues.apache.org/jira/browse/MPOM-118
> Project: Maven POMs
> Issue Type: Improvement
> Components: asf
> Affects Versions: ASF-17
> Reporter: Christopher Tubbs
>
> maven-gpg-plugin configuration could be improved a bit so that ASF releases
> are not weakened by a user's weak personal configuration.
> I suggest adding something like the following to maven-gpg-plugin's
> configuration in the pluginManagement section:
> {code:xml}
> <gpgArguments combine.children="append">
> <arg>--digest-algo=SHA512</arg>
> </gpgArguments>
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
