Improve support for how already-PGP-signed artifacts are handled to
support skip, replace, or merge.
Use SignedContentFactory for checking jar signatures which allows for
skipping jars that are only signed by certificates anchored in Java's
cacerts.
Support PGP signing features, and optionally also binary artifacts.
Support using Bouncy Castle for signing to improve performance and to
allow signing to be done in parallel. This also better supports
providing integration tests for the various sign-p2-artifacts mojo's
options.
Ensure that only keys actually used by signatures are added to the
repository and/or artifact properties. Determining the default key is
needed only when signing with Bouncy Castle, in which case it's
determined by signing a document and checking which key is used; that's
because the default key can be specified in the gpg.conf so just
listing the secret key fingerprints will not always correctly identify
the correct default.
For testing purposes, support generating key information and loading it.
Use that to provide integration tests for the new options as well as for
existing options.
#1466
In general it would be good if the maven-pgp-plugin would offer an extension point where Tycho can plug in to get notified and can offer additional artifacts to be signed. Then it would even make sense to implement the BC part there also, so even Maven users can benefit from the BC implementation of PGP signing...
A lot of parameters documented in tycho-gpg:sign-p2-artifacts are inherited from gpg-maven-plugin: https://tycho.eclipseprojects.io/doc/latest/tycho-gpg-plugin/sign-p2-artifacts-mojo.html#optional-parameters. All those are currently not evaluated by BC (added in #1720) but only by GPG. This should be clarified in the documentation.
There are also some problems with inheriting from Mojos in another artifact (as outlined in apache/maven-plugin-tools#167 (comment)). Probably the best would be to no longer inherit from https://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html but just delegate to it and duplicate all relevant parameters (and clarify in the description how they are evaluated with BC).