[ https://issues.apache.org/jira/browse/MPOM-118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15298619#comment-15298619 ]
Hervé Boutemy commented on MPOM-118:
------------------------------------

OK, I'm really not an expert and not fluent on this topic, so I just did tests:

{{gpg --verbose --verify file.asc file}} shows me

{noformat}
gpg: armor header: Version: GnuPG v1
gpg: Signature made Tue May 24 19:34:44 2016 CEST using DSA key ID ........
gpg: using PGP trust model
gpg: Good signature from "Herve Boutemy <hbout...@apache.org>"
gpg: binary signature, digest algorithm SHA1
{noformat}

OK, now I see the digest used. Then I tested signing with the new option:

{{gpg --digest-algo=SHA512 --use-agent --armor --detach-sign --output file.asc file}}

then verified the result: SHA1 is now SHA512 as expected, without changing anything on my private key. That's what I needed to check (i.e. it does not add any new expectation on my key).

Notice I added configuration for SHA512 as proposed in the dev guidelines, then added 3 lines at the beginning of my ~/.gnupg/gpg.conf:

{noformat}
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
{noformat}

but it did not change the digest used by default: did I do something wrong?

At least, now, I'm confident to add the configuration in pom.xml: this won't cause harm to anybody and will just improve the result.

> Enforce strong GPG signatures by default
> ----------------------------------------
>
>                 Key: MPOM-118
>                 URL: https://issues.apache.org/jira/browse/MPOM-118
>             Project: Maven POMs
>          Issue Type: Improvement
>          Components: asf
>    Affects Versions: ASF-17
>            Reporter: Christopher Tubbs
>
> maven-gpg-plugin configuration could be improved a bit so that ASF releases
> are not weakened by a user's weak personal configuration.
> I suggest adding something like the following to maven-gpg-plugin's
> configuration in the pluginManagement section:
> {code:xml}
> <gpgArguments combine.children="append">
>   <arg>--digest-algo=SHA512</arg>
> </gpgArguments>
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
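As an added example (not part of this Jira thread or of maven-gpg-plugin), a small Python check that applies the test described in the comment to release artifacts: it runs {{gpg --verbose --verify}}, parses the "digest algorithm" line, and rejects any signature whose digest is not in the SHA-2 family. The sample output is constructed from the lines quoted in the comment; the {{check_signature}} function name and the accepted-digest set are assumptions of this example.

```python
import re
import subprocess
from typing import Optional, Tuple

# Digest algorithms this check accepts for release signatures: the SHA-2
# family the comment configures. SHA1 (the default seen above) is rejected.
STRONG_DIGESTS = {"SHA224", "SHA256", "SHA384", "SHA512"}

# gpg --verbose --verify reports the digest on a line such as
#   "gpg: binary signature, digest algorithm SHA1"
# Newer GnuPG may append ", key algorithm ..."; the pattern tolerates that.
_DIGEST_RE = re.compile(r"^gpg: \w+ signature, digest algorithm (\w+)", re.MULTILINE)


def parse_digest_algo(gpg_output: str) -> Optional[str]:
    """Return the digest algorithm name gpg reported, or None if absent."""
    match = _DIGEST_RE.search(gpg_output)
    return match.group(1) if match else None


def is_strong_digest(algo: Optional[str]) -> bool:
    """True only for a recognised SHA-2 family digest (e.g. SHA512)."""
    return algo is not None and algo.upper() in STRONG_DIGESTS


def check_signature(sig_path: str, data_path: str) -> Tuple[bool, Optional[str]]:
    """Verify sig_path over data_path with gpg; return (accepted, digest).

    Accepted means gpg reported a good signature AND the digest is strong.
    gpg writes its diagnostics to stderr, so that is what gets parsed.
    """
    proc = subprocess.run(["gpg", "--verbose", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    digest = parse_digest_algo(proc.stderr)
    return proc.returncode == 0 and is_strong_digest(digest), digest


# Constructed sample: the verbose output quoted in the comment (key ID redacted there).
SAMPLE_SHA1_OUTPUT = """gpg: armor header: Version: GnuPG v1
gpg: Signature made Tue May 24 19:34:44 2016 CEST using DSA key ID ........
gpg: using PGP trust model
gpg: Good signature from "Herve Boutemy <hbout...@apache.org>"
gpg: binary signature, digest algorithm SHA1
"""

if __name__ == "__main__":
    import sys
    accepted, digest = check_signature(sys.argv[1], sys.argv[2])
    print(f"{sys.argv[1]}: digest={digest} {'OK' if accepted else 'REJECT'}")
    sys.exit(0 if accepted else 1)
```

Run as {{python check_sig.py file.asc file}}; the exit status is non-zero when the signature is bad or signed with a digest outside the accepted set.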