I'm going to forward this to the maven list as well so others know the details.

The signature plugin I was working on earlier in the week is based on the BouncyCastle OpenPGP API. I've since become convinced that there are a lot of headaches in this approach.

1.) Gpg stores its private/public keys in a different file format from the one most of these OpenPGP Java implementations use. If most people are using/generating their keys in GPG, this is a usability issue that creates headaches for them.

2.) Cross-verifying signatures between Gpg, BouncyCastle and Cryptix was very disturbing; depending on the algorithm used to generate the key, there was a lot of failure.

So, at this point I've come to the conclusion that these OpenPGP Java packages are a little too bleeding edge for this. I've settled on calling Gpg directly using Ant exec tasks for the time being.

maven.gpg.exec=/usr/bin/gpg

<goal name="gpg:sign">
   <!-- each token as its own <arg>: value="-sb ${file}" would hand gpg
        the single argument "-sb foo.jar"; failonerror makes a failed
        signing run fail the build (Ant's exec ignores the exit status
        by default) -->
   <ant:exec executable="${maven.gpg.exec}" failonerror="true">
      <ant:arg value="-sb"/>
      <ant:arg value="${file}"/>
   </ant:exec>
</goal>

called by %maven gpg:sign -Dfile="foo.jar"

<goal name="gpg:verify">
   <!-- failonerror="true": a bad or missing signature must fail the
        build, not just print gpg's complaint and carry on -->
   <ant:exec executable="${maven.gpg.exec}" failonerror="true">
      <ant:arg value="--verify"/>
      <ant:arg value="${signature}"/>
      <ant:arg value="${file}"/>
   </ant:exec>
</goal>

called by %maven gpg:verify -Dsignature="foo.jar.gpg" -Dfile="foo.jar"

ultimately a very trivial wrapper can be written that accepts any gpg argument:

 <goal name="gpg:exec">
   <!-- line= splits ${arg} on whitespace into separate arguments
        (value= would pass the whole string as one); paths containing
        spaces therefore cannot be used with this goal -->
   <ant:exec executable="${maven.gpg.exec}" failonerror="true">
      <ant:arg line="${arg}"/>
   </ant:exec>
 </goal>

called by %maven gpg:exec -Darg="-sb foo.jar"
called by %maven gpg:exec -Darg="--verify foo.jar.gpg foo.jar"

This will allow the user to work with gpg on Windows or *nix and, by configuring these parameters in maven, set it up to work on their system. They use the same commands to exec gpg through maven/ant as on the command line. Not very brilliant, but I guess it really doesn't need to be.

I'll be authoring up a plugin that will have this stuff in it, but for now, you could just drop the above into your maven.xml/build.properties.

-Mark

Stephen McConnell wrote:

Hi Mark:


I finally have gpg installed on my windows box and able to sign jars - and now I want to tie this into the build process I'm using for the Merlin project. What's the status of your plugin?

Cheers, Steve.


--
Mark Diggory
Software Developer
Harvard MIT Data Center
http://www.hmdc.harvard.edu
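A wrapper in the same spirit, as an added example that is neither Mark's plugin nor any Maven project code: it builds gpg's argv as separate tokens, reads gpg's machine-readable --status-fd output instead of relying on the exit status alone, and accepts a signature only when the signing key's fingerprint matches one pinned by the build. The gpg flags are real; the status lines, the fingerprint, the keyring name and the file names are constructed placeholders.

```python
"""Wrap a gpg binary for build-time signing and verification.

Added example (not the plugin from the mailing-list post). Assumptions:
the gpg path is supplied by the caller, a dedicated keyring file holds
the release keys, and the verifying side pins the fingerprint(s) it
trusts instead of accepting any key that happens to be in a keyring.
"""
import subprocess
from typing import Iterable, List, Optional, Tuple


def sign_argv(gpg: str, path: str, local_user: Optional[str] = None) -> List[str]:
    """argv for a detached signature of `path`, written to `path + '.sig'`.

    Every token is its own list element; joining them into one string (as
    an Ant <arg value="-sb ${file}"/> does) hands gpg one bogus argument.
    """
    argv = [gpg, "--batch", "--detach-sign", "--output", path + ".sig"]
    if local_user:
        argv += ["--local-user", local_user]
    return argv + [path]


def verify_argv(gpg: str, signature: str, path: str, keyring: str) -> List[str]:
    """argv for verifying `signature` over `path` against one explicit keyring.

    --status-fd 1 makes gpg print [GNUPG:] status lines on stdout; those are
    what we parse, because the human-readable text on stderr is not stable.
    """
    return [gpg, "--batch", "--status-fd", "1",
            "--no-default-keyring", "--keyring", keyring,
            "--verify", signature, path]


def check_status(status: str, allowed_fprs: Iterable[str]) -> Tuple[bool, str]:
    """Decide from gpg's status lines whether the signature is acceptable.

    Accept only if gpg reported VALIDSIG *and* the signing key's fingerprint
    (field after VALIDSIG) is in `allowed_fprs`. GOODSIG alone is not enough:
    it fires for any key present in the keyring, trusted or not. (The last
    VALIDSIG field is the primary key fingerprint, if you prefer to pin that.)
    """
    allowed = {f.replace(" ", "").upper() for f in allowed_fprs}
    valid_fprs = []
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, tag
        if tag == "VALIDSIG" and len(fields) > 2:
            valid_fprs.append(fields[2].upper())
    if not valid_fprs:
        return False, "NO_VALIDSIG"
    for fpr in valid_fprs:
        if fpr in allowed:
            return True, fpr
    return False, "UNTRUSTED_KEY " + ",".join(valid_fprs)


def verify(gpg: str, signature: str, path: str, keyring: str,
           allowed_fprs: Iterable[str]) -> Tuple[bool, str]:
    """Run gpg and apply check_status; a non-zero exit is a failure regardless."""
    proc = subprocess.run(verify_argv(gpg, signature, path, keyring),
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    if proc.returncode != 0:
        return False, "EXIT %d" % proc.returncode
    return check_status(proc.stdout, allowed_fprs)


# Constructed status output in the shape gpg --status-fd produces (not a
# real capture); the fingerprint and key ID are placeholders.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6666777788889999 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2003-10-01 1064995200 0 4 0 17 2 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 6666777788889999 Example Signer <signer@example.org>
"""
PINNED = "0000 1111 2222 3333 4444  5555 6666 7777 8888 9999"  # placeholder

if __name__ == "__main__":
    print(sign_argv("/usr/bin/gpg", "foo.jar"))
    print(check_status(GOOD_STATUS, [PINNED]))         # accepted, pinned key
    print(check_status(GOOD_STATUS, ["DEAD" * 10]))    # valid sig, wrong key
    print(check_status(BAD_STATUS, [PINNED]))          # rejected
```

The point of pinning: gpg's exit status (and GOODSIG) only says the signature verifies against some key in the keyring. In a build that verifies downloaded jars, any key that was ever imported into the developer's default keyring would satisfy a bare gpg --verify, so the wrapper checks against a dedicated keyring and a known fingerprint before calling the artifact good.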
