[Hawkular-dev] Proposal: Add PGP artifact signing
Peter Palaga
ppalaga at redhat.com
Mon Mar 30 09:58:58 EDT 2015
Hi *,
I propose to add maven-gpg-plugin to the release profile, similarly to what I
did for javadoc and sources in
https://github.com/hawkular/hawkular-parent-pom/commit/d54a8d03b4ef251d594f1cc4ff3fadfa4a1d4dd3#diff-600376dffeb79835ede4a0b285078036R630
A pom.xml snippet is in https://issues.jboss.org/browse/HAWKULAR-108
== Why?
Because Maven Central requires it [1]. Although, apparently, they have
already accepted our unsigned artifacts.
I would not let our CI sign the SNAPSHOT releases.
== So what is the problem?
The team members doing releases would have to
* install native OS-level gpg software
* generate a key pair
* publish their public key
See [2]
Is the above acceptable?
Thanks,
Peter
[1]
http://maven.apache.org/guides/mini/guide-central-repository-upload.html#PGP_Signature
[2]
http://blog.sonatype.com/2010/01/how-to-generate-pgp-signatures-with-maven
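
The three steps listed in the message, followed by the detached, ASCII-armored `.asc` signature that maven-gpg-plugin's `sign` goal attaches to each artifact and the check a consumer runs on it, as an added shell example that is not part of the original message. It assumes GnuPG 2.1 or later; the user ID, file names and throwaway keyring are constructed, and the keyserver URL in the comment is a placeholder.

```shell
#!/bin/sh
# Added example: the release manager's steps, run in a throwaway keyring.
# User ID and file names are constructed; requires GnuPG 2.1 or later.

sign_and_verify_demo() (
  work="$(mktemp -d)" || exit 2
  GNUPGHOME="$work/gnupg"; export GNUPGHOME   # keeps the real keyring untouched
  mkdir -m 700 "$GNUPGHOME"
  artifact="$work/demo-artifact.jar"

  # Generate a key pair. The empty passphrase is only for this demo keyring;
  # a real release key gets a strong passphrase.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Release Manager (constructed) <releaser@example.org>' \
      default default never >/dev/null 2>&1 || exit 2
  fpr="$(gpg --batch --with-colons --list-keys 2>/dev/null |
         awk -F: '$1 == "fpr" { print $10; exit }')"

  # Publish the public key. Offline here, so it is only exported; for real:
  #   gpg --keyserver <keyserver-url> --send-keys "$fpr"
  gpg --batch --armor --export "$fpr" > "$work/release-manager.pub.asc"

  # Sign: one detached, armored signature file next to the artifact.
  printf 'constructed artifact bytes\n' > "$artifact"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --local-user "$fpr" --armor --detach-sign \
      --output "$artifact.asc" "$artifact" 2>/dev/null || exit 2

  # Consumer side: the untouched artifact verifies, a modified one does not.
  good=fail; tampered=accepted
  gpg --batch --quiet --verify "$artifact.asc" "$artifact" 2>/dev/null && good=ok
  printf 'x' >> "$artifact"
  gpg --batch --quiet --verify "$artifact.asc" "$artifact" 2>/dev/null || tampered=rejected

  gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$work"
  echo "$good $tampered"
)

sign_and_verify_demo   # prints: ok rejected
```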