[ https://issues.apache.org/jira/browse/MPOM-118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15298619#comment-15298619 ]

Hervé Boutemy commented on MPOM-118:
------------------------------------

ok, I'm really not an expert and not fluent on this topic, so I just did 
tests:
{{gpg --verbose --verify file.asc file}}
shows me
{noformat}gpg: armor header: Version: GnuPG v1
gpg: Signature made Tue May 24 19:34:44 2016 CEST using DSA key ID ........
gpg: using PGP trust model
gpg: Good signature from "Herve Boutemy <hbout...@apache.org>"
gpg: binary signature, digest algorithm SHA1{noformat}
ok, now I see the digest used

then I tested signing with the new option: {{gpg --digest-algo=SHA512 
--use-agent --armor --detach-sign --output file.asc file}}
then verified the result: SHA1 is now SHA512 as expected, without changing 
anything on my private key: that's what I needed to check (i.e. it does not add 
any new expectation on my key)

notice I added the configuration for SHA512 as proposed in the dev guidelines, 
i.e. added 3 lines at the beginning of my ~/.gnupg/gpg.conf
{noformat}personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 
ZLIB BZIP2 ZIP Uncompressed{noformat}

but it did not change the digest used by default: did I do something wrong?

at least now I'm confident about adding the configuration in pom.xml: this won't 
cause harm to anybody and will just improve the result

> Enforce strong GPG signatures by default
> ----------------------------------------
>
>                 Key: MPOM-118
>                 URL: https://issues.apache.org/jira/browse/MPOM-118
>             Project: Maven POMs
>          Issue Type: Improvement
>          Components: asf
>    Affects Versions: ASF-17
>            Reporter: Christopher Tubbs
>
> maven-gpg-plugin configuration could be improved a bit so that ASF releases 
> are not weakened by a user's weak personal configuration.
> I suggest adding something like the following to maven-gpg-plugin's 
> configuration in the pluginManagement section:
> {code:xml}
> <gpgArguments combine.children="append">
>   <arg>--digest-algo=SHA512</arg>
> </gpgArguments>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

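Added example, not part of the thread and not GnuPG's or the maven-gpg-plugin's code: a small Python script that reads the digest algorithm straight out of a detached .asc file, the same value the {{gpg --verbose --verify}} output above reports as "digest algorithm", so a release manager can reject a SHA1 signature before a release is staged. Everything it needs (the CRC-24 armor checksum, the packet header, the v3/v4 signature packet layout) comes from RFC 4880. The signature it checks is constructed inside the script with dummy MPIs and a made-up key ID; it is not a real signature, and nothing is cryptographically verified here, only the metadata is inspected.

```python
"""Report the digest algorithm recorded in a detached OpenPGP signature.

Added example for the MPOM-118 thread; not GnuPG's or the Maven GPG
plugin's code. Parses the ASCII-armored .asc written by
`gpg --armor --detach-sign` (RFC 4880 section 6) and reads the
hash-algorithm octet of the signature packet (section 5.2), which is
what `gpg --verbose --verify` prints as "digest algorithm". The sample
signature built by make_sample_signature() is constructed with dummy
MPIs, so no signature is cryptographically verified here.
"""
import base64

# RFC 4880 section 9.4 hash-algorithm IDs
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# RFC 4880 section 9.1 public-key algorithm IDs (subset)
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
# Digests this check refuses outright (policy choice for this example).
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (the '=XXXX' armor checksum)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the armor, check the CRC line and return the raw packet bytes."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP SIGNATURE-----" or lines[-1] != "-----END PGP SIGNATURE-----":
        raise ValueError("not an armored PGP signature")
    body, crc_line = [], None
    for ln in lines[1:-1]:
        if not ln or ": " in ln:      # armor headers such as "Version: GnuPG v1"
            continue
        if ln.startswith("="):        # CRC line: "=" followed by 4 base64 chars
            crc_line = ln
        else:
            body.append(ln)
    raw = base64.b64decode("".join(body), validate=True)
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if expected != crc24(raw):
            raise ValueError("armor CRC mismatch")
    return raw


def signature_body(raw: bytes) -> bytes:
    """Unwrap the first packet and check that it is a signature packet (tag 2)."""
    ctb = raw[0]
    if not ctb & 0x80:
        raise ValueError("invalid packet tag byte")
    if ctb & 0x40:                                   # new-format header (section 4.2.2)
        tag, first = ctb & 0x3F, raw[1]
        if first < 192:
            length, offset = first, 2
        elif first < 224:
            length, offset = ((first - 192) << 8) + raw[2] + 192, 3
        elif first == 255:
            length, offset = int.from_bytes(raw[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not used for signatures")
    else:                                            # old-format header (section 4.2.1)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length not supported")
        size = 1 << ltype                            # 1, 2 or 4 length octets
        length, offset = int.from_bytes(raw[1:1 + size], "big"), 1 + size
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    return raw[offset:offset + length]


def signature_algorithms(asc_text: str) -> tuple:
    """Return (public-key algorithm, digest algorithm) names for an armored signature."""
    body = signature_body(dearmor(asc_text))
    version = body[0]
    if version == 4:      # v4: version, sig type, pubkey algo, hash algo, subpackets...
        pk_id, hash_id = body[2], body[3]
    elif version == 3:    # v3: version, 0x05, sig type, time(4), key ID(8), pubkey algo, hash algo
        pk_id, hash_id = body[15], body[16]
    else:
        raise ValueError(f"unsupported signature version {version}")
    return (PUBKEY_ALGOS.get(pk_id, f"pubkey-{pk_id}"),
            HASH_ALGOS.get(hash_id, f"hash-{hash_id}"))


def check_signature(asc_text: str) -> str:
    """Reject a signature made with a weak digest; return the digest name otherwise."""
    _, digest = signature_algorithms(asc_text)
    if digest in WEAK_DIGESTS:
        raise ValueError(f"weak signature digest {digest}; re-sign with --digest-algo=SHA512")
    return digest


def make_sample_signature(hash_id: int, armor_version: str = "GnuPG v1") -> str:
    """Constructed v4 DSA signature packet with dummy MPIs and a made-up key ID, armored."""
    hashed = b"\x05\x02" + (1464111284).to_bytes(4, "big")      # creation-time subpacket, 2016-05-24 17:34:44 UTC
    unhashed = b"\x09\x10" + bytes.fromhex("0123456789abcdef")   # issuer subpacket, dummy key ID
    mpi = b"\x00\x01\x01"                                        # 1-bit MPI holding the value 1
    body = (bytes([4, 0x00, 17, hash_id]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\xab\xcd" + mpi + mpi)
    packet = bytes([0x88, len(body)]) + body                     # old-format tag 2, 1-octet length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP SIGNATURE-----", f"Version: {armor_version}", "",
                      b64, "=" + crc, "-----END PGP SIGNATURE-----"])


if __name__ == "__main__":
    for hid in (2, 10):   # a SHA1 signature and a SHA512 one
        sig = make_sample_signature(hid)
        print(signature_algorithms(sig))
        try:
            print("ok:", check_signature(sig))
        except ValueError as exc:
            print("rejected:", exc)
```

To use it on a real release artifact, replace the sample with the contents of the .asc file (`check_signature(open("file.asc").read())`); it complements rather than replaces {{gpg --verify}}, which still has to confirm the signature itself and the trust in the key.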