[ https://issues.apache.org/jira/browse/MNG-7776?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Herve Boutemy updated MNG-7776:
-------------------------------
    Fix Version/s: 4.0.0-alpha-6
                   4.0.0

> don't fingerprint Sigstore signatures (like GPG)
> ------------------------------------------------
>
>                 Key: MNG-7776
>                 URL: https://issues.apache.org/jira/browse/MNG-7776
>             Project: Maven
>          Issue Type: Improvement
>    Affects Versions: 3.9.1, 4.0.0-alpha-5
>            Reporter: Herve Boutemy
>            Assignee: Herve Boutemy
>            Priority: Major
>             Fix For: 3.9.2, 4.0.0-alpha-6, 4.0.0
>
>
> Maven repository format requires .md5 and .sha1 fingerprints/checksums for
> every artifact: https://maven.apache.org/repository/layout.html
> GPG signature (.asc) is not considered as an artifact, and it does not
> require these fingerprints.
> While working on Sigstore support in addition to GPG, the same should be done
> for Sigstore signatures: no fingerprint for .sigstore files (like no GPG
> signature for Sigstore signature: see MGPG-86)

--
This message was sent by Atlassian Jira
(v8.20.10#820010)