Uploaded image for project: 'Maven'
  1. Maven
  2. MNG-7776

don't fingerprint Sigstore signatures (like GPG)

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 3.9.1, 4.0.0-alpha-5
    • 3.9.2, 4.0.0-alpha-7, 4.0.0
    • None
    • None

    Description

      Maven repository format requires .md5 and .sha1 fingerprints/checksums for every artifact: https://maven.apache.org/repository/layout.html

      .GPG signature (.asc) is not considered as an artifact, and it does not require these fingerprints

      While working on Sigstore support in addition to GPG, the same should be done for Sigstore signatures: no fingerprint for .sigstore files (like no GPG signature for Sigstore signature: see MGPG-86)

      Attachments

        Issue Links

          is fixed by

          Dependency upgrade - Upgrading a dependency to a newer version MNG-7769 Upgrade to Maven Resolver 1.9.10

          • Major - Major loss of function.
          • Closed
          relates to

          Improvement - An improvement or enhancement to an existing feature or task. MGPG-95 don't GPG-sign .sigstore signatures

          • Major - Major loss of function.
          • Closed
          requires

          Improvement - An improvement or enhancement to an existing feature or task. MRESOLVER-360 disable checksum by default for .sigstore in addition to .asc

          • Major - Major loss of function.
          • Closed

          Activity

            People

              hboutemy Herve Boutemy
              hboutemy Herve Boutemy
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: