[ https://issues.apache.org/jira/browse/MPOM-118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15298778#comment-15298778 ]

Christopher Tubbs commented on MPOM-118:
----------------------------------------

Updating the ~/.gnupg/gpg.conf is great, but it (mostly) only affects new keys you create with that config. These preferences are actually saved inside your "key", so that they are "sticky". The command-line option overrides your personal key's preferences. However, you can also edit existing keys to prefer newer algorithms (if, as in your case, you're using a key which was created with a different configuration). To update these preferences for an existing key (for when you don't specify the command-line option), there are instructions here: https://www.apache.org/dev/openpgp#key-prefs

> Enforce strong GPG signatures by default
> ----------------------------------------
>
>                 Key: MPOM-118
>                 URL: https://issues.apache.org/jira/browse/MPOM-118
>             Project: Maven POMs
>          Issue Type: Improvement
>          Components: asf
>    Affects Versions: ASF-17
>            Reporter: Christopher Tubbs
>
> maven-gpg-plugin configuration could be improved a bit so that ASF releases
> are not weakened by a user's weak personal configuration.
> I suggest adding something like the following to maven-gpg-plugin's
> configuration in the pluginManagement section:
> {code:xml}
> <gpgArguments combine.children="append">
>   <arg>--digest-algo=SHA512</arg>
> </gpgArguments>
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
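
An added example, not part of the original message or of any ASF tooling: since the digest actually used comes from the key's stored preferences unless `--digest-algo` overrides them, the outcome can be confirmed by reading the hash-algorithm field of a produced signature packet. The function names, the `ACCEPTED` policy set and the truncated sample packets are assumptions constructed for illustration.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
ACCEPTED = {"SHA256", "SHA384", "SHA512"}   # assumed release policy


def dearmor(text):
    """Decode an ASCII-armored block to raw OpenPGP packet bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]        # after armor headers, before END line
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))


def signature_digest(data):
    """Return the digest algorithm name from the first packet, a signature."""
    if isinstance(data, str):
        data = dearmor(data)
    head = data[0]
    if not head & 0x80:
        raise ValueError("not an OpenPGP packet")
    if head & 0x40:                              # new-format header
        tag, first = head & 0x3F, data[1]
        if 224 <= first < 255:
            raise ValueError("partial body length not supported")
        off = 2 if first < 192 else 3 if first < 224 else 6
    else:                                        # old-format header
        tag, ltype = (head >> 2) & 0x0F, head & 0x03
        off = 1 if ltype == 3 else 1 + (1 << ltype)
    if tag != 2:
        raise ValueError("first packet is not a signature")
    body = data[off:]
    if body[0] == 3:                             # v3: digest id after time, key id, pk algo
        algo = body[16]
    elif body[0] == 4:                           # v4: version, type, pk algo, digest id
        algo = body[3]
    else:
        raise ValueError("unsupported signature version %d" % body[0])
    return HASH_ALGOS.get(algo, "unknown(%d)" % algo)


def is_strong(data):
    """True when the signature's digest is in the assumed ACCEPTED policy set."""
    return signature_digest(data) in ACCEPTED


# Constructed, truncated v4 signature packets (header fields only, not verifiable):
SHA512_SIG = bytes([0x88, 0x0A, 0x04, 0x00, 0x01, 0x0A, 0, 0, 0, 0, 0xAB, 0xCD])
SHA1_SIG = bytes([0xC2, 0x0A, 0x04, 0x00, 0x01, 0x02, 0, 0, 0, 0, 0xAB, 0xCD])
```

`signature_digest` accepts either raw bytes or the ASCII-armored text of a `.asc` file, so it can be pointed at the signature files a release build produces.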