You are right, native methods in Maven do not support verifying PGP signatures.

For pgpverify-maven-plugin you can prepare a configuration file which contains a mapping from artifact GAV to PGP key fingerprint. Without this configuration any existing key is good.

For some time I have been trying to collect which key should be used to sign each artifact:
https://github.com/s4u/pgp-keys-map/blob/master/resources/pgp-keys-map.list

pgpverify-maven-plugin searches for keys on a keyserver, by default: hkps.pool.sks-keyservers.net

Maybe information about the signing key should have some place in the Maven dependency declaration ... but I think it is a topic for another discussion.

Here I only want to show some possibility to protect against the situation when the owner is changed.

Sat, 29 Feb 2020 at 12:21 Elliotte Rusty Harold <elh...@ibiblio.org> wrote:
> On Sat, Feb 29, 2020 at 2:55 AM Slawomir Jaranowski
> <s.jaranow...@gmail.com> wrote:
> >
> > Hi,
> >
> > In the Maven world all artifacts have a PGP signature which is created by the
> > current maintainer (for some time a PGP signature has been required on Maven Central).
> >
> > You can verify the signatures of all your dependencies, and you can also track
> > which PGP key is used for a specific artifact.
>
> Do typical invocations of Maven actually do this? That is, if the
> signature of a downloaded artifact doesn't match, does Maven fail the
> build?
>
> If the signature has changed, will Maven fail the build? Or if the
> signer has changed?
>
> If not, is there a switch that can turn this on?
>
> There is a now well-documented third-party plugin to do some of this,
> but it's not clear exactly how it operates. E.g. how does it find and
> verify the right public key with which to verify a signature?
>
> https://www.simplify4u.org/pgpverify-maven-plugin/
>
> --
> Elliotte Rusty Harold
> elh...@ibiblio.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>

--
Sławomir Jaranowski
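To make the keys-map idea from the reply above concrete, here is an added example written for this page; it is not pgpverify-maven-plugin's own code, and the map syntax (`groupId:artifactId[:version] = fingerprint[, fingerprint]`, glob components, first matching entry wins), the `strict` switch, and every coordinate and fingerprint in it are assumptions made up for the illustration. It does not do the cryptographic verification itself: it assumes the detached `.asc` has already been checked against some key (for example by `gpg --verify`) and takes that key's fingerprint as input. What it shows is the policy layer a mapping file adds on top of "any key that verifies is good": a version signed by a key that is not pinned for that artifact fails, which is exactly the owner-changed case the reply is about.

```python
"""Pin Maven artifacts to the PGP keys that are allowed to sign them.

Added example for the keys-map idea discussed in the thread. The map
syntax, the first-match rule and the ``strict`` switch are assumptions
for this example, not pgpverify-maven-plugin's own file format. The
signature itself is assumed to be verified elsewhere; only the signing
key's fingerprint enters here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Only full 160-bit OpenPGP v4 fingerprints are accepted: 32-bit and
# 64-bit key IDs are truncations that an attacker can collide on purpose.
FINGERPRINT_RE = re.compile(r"^(?:0x)?([0-9A-Fa-f]{40})$")

# Constructed sample fingerprints; they belong to no real key.
KEY_OLD = "0123456789ABCDEF0123456789ABCDEF01234567"    # original maintainer
KEY_NEW = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"    # successor maintainer
KEY_ROGUE = "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"  # a key nobody pinned

# Constructed keys map (assumed syntax, see module docstring).
SAMPLE_KEYS_MAP = f"""
# Coordinates are made up for this example.
org.example:widget:1.* = 0x{KEY_OLD}
org.example:widget:2.* = 0x{KEY_NEW}
org.example:*          = 0x{KEY_OLD}, 0x{KEY_NEW}
"""


@dataclass(frozen=True)
class Artifact:
    group_id: str
    artifact_id: str
    version: str


@dataclass(frozen=True)
class KeysMapEntry:
    group_id: str
    artifact_id: str
    version: str  # glob; "*" when the map line omits the version
    fingerprints: frozenset[str]

    def matches(self, artifact: Artifact) -> bool:
        return (fnmatchcase(artifact.group_id, self.group_id)
                and fnmatchcase(artifact.artifact_id, self.artifact_id)
                and fnmatchcase(artifact.version, self.version))


def normalize_fingerprint(raw: str) -> str:
    """Accept 'gpg --fingerprint' spacing and an optional 0x prefix."""
    compact = raw.strip().replace(" ", "")
    match = FINGERPRINT_RE.match(compact)
    if not match:
        raise ValueError(f"not a full 160-bit fingerprint: {raw!r}")
    return match.group(1).upper()


def parse_keys_map(text: str) -> list[KeysMapEntry]:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'coordinates = fingerprints'")
        coords, fprs = (part.strip() for part in line.split("=", 1))
        parts = coords.split(":")
        if len(parts) == 2:  # no version given: applies to every version
            parts.append("*")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {lineno}: bad coordinates {coords!r}")
        fingerprints = frozenset(normalize_fingerprint(f) for f in fprs.split(","))
        entries.append(KeysMapEntry(parts[0], parts[1], parts[2], fingerprints))
    return entries


def allowed_signers(entries: list[KeysMapEntry], artifact: Artifact) -> frozenset[str] | None:
    """Fingerprints pinned for the artifact, or None when the map has no entry for it."""
    for entry in entries:
        if entry.matches(artifact):
            return entry.fingerprints
    return None


def check_signer(entries, artifact, signer_fingerprint, strict=False) -> tuple[bool, str]:
    """Decide whether a (verified) signature by signer_fingerprint is acceptable.

    strict=False mirrors the default described in the thread: with no entry
    for the artifact, any key that verifies is good. strict=True turns an
    unlisted artifact into a failure instead.
    """
    signer = normalize_fingerprint(signer_fingerprint)
    allowed = allowed_signers(entries, artifact)
    if allowed is None:
        if strict:
            return False, "no keys-map entry for artifact"
        return True, "no keys-map entry; any verifying key accepted"
    if signer in allowed:
        return True, "signing key is pinned for this artifact"
    return False, f"signed by {signer}, expected one of {sorted(allowed)}"


if __name__ == "__main__":
    keys_map = parse_keys_map(SAMPLE_KEYS_MAP)
    cases = [
        (Artifact("org.example", "widget", "1.4"), KEY_OLD),    # pinned key
        (Artifact("org.example", "widget", "2.0"), KEY_NEW),    # planned key rotation
        (Artifact("org.example", "widget", "2.0"), KEY_ROGUE),  # unexpected signer: fail
        (Artifact("com.other", "thing", "1.0"), KEY_ROGUE),     # unlisted: lenient only
    ]
    for artifact, key in cases:
        ok, why = check_signer(keys_map, artifact, key)
        print(f"{artifact.group_id}:{artifact.artifact_id}:{artifact.version}:",
              "OK" if ok else "FAIL", f"({why})")
```

Two design choices worth noting: the parser refuses anything shorter than a full 40-hex fingerprint, because pinning a short or long key ID is pinning something an adversary can generate a colliding key for; and `strict=True` is what actually protects an artifact you have not mapped yet, since in the lenient default a freshly uploaded key still passes, just as the reply says.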