[ 
https://issues.apache.org/jira/browse/MPOM-118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15298778#comment-15298778
 ] 

Christopher Tubbs commented on MPOM-118:
----------------------------------------

Updating the ~/.gnupg/gpg.conf is great, but it (mostly) only affects new keys 
you create with that config.

These preferences are actually saved inside your "key", so that they are 
"sticky". The command-line option overrides your personal key's preferences. 
However, you can also edit existing keys to prefer newer algorithms (if, as in 
your case, you're using a key which was created with a different 
configuration). To update these preferences for an existing key (for when you 
don't specify the command-line option), there are instructions here: 
https://www.apache.org/dev/openpgp#key-prefs


> Enforce strong GPG signatures by default
> ----------------------------------------
>
>                 Key: MPOM-118
>                 URL: https://issues.apache.org/jira/browse/MPOM-118
>             Project: Maven POMs
>          Issue Type: Improvement
>          Components: asf
>    Affects Versions: ASF-17
>            Reporter: Christopher Tubbs
>
> maven-gpg-plugin configuration could be improved a bit so that ASF releases 
> are not weakened by a user's weak personal configuration.
> I suggest adding something like the following to maven-gpg-plugin's 
> configuration in the pluginManagement section:
> {code:xml}
> <gpgArguments combine.children="append">
>   <arg>--digest-algo=SHA512</arg>
> </gpgArguments>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

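Whichever layer wins (gpg.conf, the key's own preferences, or the `--digest-algo` argument passed by maven-gpg-plugin), the digest actually used is recorded in the signature packet of the resulting `.asc` file, so the effective setting can be checked after the fact. The following is an added example and not code from the comment above, the issue, GnuPG or maven-gpg-plugin: a minimal RFC 4880 packet parser that de-armors a detached signature, verifies the armor CRC-24, and reports the public-key and hash algorithm of each signature packet against an assumed policy (`STRONG_DIGESTS`). The sample signature it runs on is constructed in-code with a dummy MPI; it is structurally valid but not a real signature. The equivalent check with GnuPG itself is `gpg --list-packets file.asc` and reading the `digest algo` field.

```python
"""Report the digest algorithm recorded in an OpenPGP detached signature.

Hypothetical example parser (not GnuPG, not maven-gpg-plugin) covering
old- and new-format packet headers and v3/v4 signature packets.
"""
import base64

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",      # RFC 4880 9.4
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 3: "RSA-sign-only", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
STRONG_DIGESTS = {"SHA256", "SHA384", "SHA512"}   # assumed release policy, not ASF's


def crc24(data):
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Return raw packet bytes from an armored block, checking the '=' CRC line."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP ") or not lines[-1].startswith("-----END PGP "):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                       # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    data = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    crc_lines = [l for l in body if l.startswith("=")]
    if crc_lines and int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big") != crc24(data):
        raise ValueError("armor CRC mismatch")
    return data


def packets(data):
    """Yield (tag, body) for each packet; no partial/indeterminate lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("invalid packet tag byte")
        if ctb & 0x40:                   # new-format header (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                            # old-format header (RFC 4880 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        yield tag, data[i:i + length]
        i += length


def signature_algorithms(body):
    """(pubkey_algo, hash_algo) names from a signature packet body (tag 2)."""
    if body[0] == 4:
        pk, hash_id = body[2], body[3]
    elif body[0] == 3:
        pk, hash_id = body[15], body[16]
    else:
        raise ValueError("unsupported signature version %d" % body[0])
    return PUBKEY_ALGOS.get(pk, "pk-%d" % pk), HASH_ALGOS.get(hash_id, "hash-%d" % hash_id)


def check_detached_signature(armored):
    """Return [(pubkey_algo, hash_algo, meets_policy)] for every signature packet."""
    results = []
    for tag, body in packets(dearmor(armored)):
        if tag == 2:
            pk, digest = signature_algorithms(body)
            results.append((pk, digest, digest in STRONG_DIGESTS))
    return results


def build_sample_signature(hash_id):
    """Constructed sample: a v4 RSA signature packet with a dummy MPI, armored.
    Structurally valid so the checker runs offline; it verifies nothing."""
    hashed = bytes([5, 2]) + (0x57420000).to_bytes(4, "big")      # creation-time subpacket
    unhashed = bytes([9, 16]) + bytes(8)                           # issuer key-id subpacket
    body = (bytes([4, 0, 1, hash_id])                              # v4, binary doc, RSA, hash
            + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\xab\xcd" + (8).to_bytes(2, "big") + b"\xff")      # hash prefix, dummy MPI
    packet = bytes([0x88, len(body)]) + body                       # old-format tag 2, 1-byte len
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: example\n\n"
            + base64.b64encode(packet).decode() + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    for label, hid in (("SHA1", 2), ("SHA512", 10)):
        print(label, check_detached_signature(build_sample_signature(hid)))
```

Run it against a real release `.asc` by passing the file's text to `check_detached_signature`; a `False` in the third field means the signer's effective configuration, not just their gpg.conf, produced a weaker digest than the policy allows.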