> There is no good solution here. Really. 

Sure - I understand that. All I am trying to think of is something as
secure as your proposal, but less intrusive to the user. Or at least a
decent way to aid them with tools.

Really, I've been in favour of using bouncycastle and PGP for a long
time, so I guess the time has come to finally bite down and implement
it.

> Our team's security person doesn't believe in anything
> other than clean build code, tagged CVS releases, with personal
> signing.

That's actually not too bad as they publish all that built stuff to
the company repository and don't have to do any of this :)

> The only reason I can get away with coding the maven lib
> support is that he is away right now...

:)

> The best source of keys (both SHA1 and MD5) will be the PGP signed
> announcements of releases. That puts PGP at the base of the trust
> chain, but we can't automate PGP checks without bouncycastle on the
> path.

I realise this is not something that can be OOTB with Ant, but I'm
sure security conscious folks would be happy to add it. For Maven, I
definitely want to go down this path so we can make signing the
release part of the deployment process too.

Anyway, I'll let the list know if I or someone else in the team
finally get to the point of moving on it.

- Brett
