Once everything is uploaded, I scp the whole dir to my host, sign all the jars with a batch script and upload all the .asc files ...
Here is the shell script:

#!/bin/sh
MY_KEY="Guillaume Nodet"

# Prompt for the key passphrase without echoing it to the terminal.
echo -n "PGP Key Password: "
stty -echo
read PASSWORD
stty echo
echo ""

# Sign every file we own, skipping checksums, existing signatures,
# version markers and repository metadata.
for FILE in $(find . -not '(' -name "*.md5" -or -name "*.sha1" -or -name "*.asc" -or -name "*-version" -or -name "maven-metadata.xml" ')' -and -type f -and -user "$USER") ; do
  signature="${FILE}.asc"
  if [ ! -f "${signature}" ]
  then
    echo -n "Creating: ${signature} ... "
    # The passphrase is fed on stdin (fd 0) so it never appears on the command line.
    echo "$PASSWORD" | gpg --default-key "$MY_KEY" --detach-sign --armor --no-tty --yes --passphrase-fd 0 "$FILE" && echo done.
    # Check the fresh signature straight away.
    gpg --verify "${signature}" "$FILE"
  fi
done
echo "Finished!"

The upload can be done with something like

for i in `find . -name "*.asc"`
do
  scp "$i" "people.apache.org:/www/people.apache.org/repo/m2-incubating-repository/org/apache/servicemic/$i"
done

Cheers,
Guillaume Nodet

Hiram Chirino wrote:
> On 9/14/06, robert burrell donkin <[EMAIL PROTECTED]> wrote:
>> On 9/14/06, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>> > On 9/14/06, robert burrell donkin <[EMAIL PROTECTED]> wrote:
>> > > On 9/14/06, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>> > > remember that you'll need to create signatures before uploading.
>> > >
>> >
>> > AFAIK, projects only sign distributions.
>>
>> true but jars are distributions too. policy applies equally to all
>> distributions
>>
>> > If this was not the case
>> > then every artifact in the maven repo would need to be signed and that
>> > seems like a bit of overkill.
>>
>> the policy is clear - they must be signed. this might seem like
>> overkill until you consider the cost to your personal reputation if an
>> unsigned jar is substituted by malware. signing by release managers is
>> an easy and effective protection which is why infrastructure insists
>> upon it. in the (hopefully unlikely) event of a compromise, it is much
>> easier and quicker for a release manager to verify that the signature
>> is still valid than to recut the release.
>>
>
> Does anybody know if there is a way to get maven to sign every
> artifact that gets deployed?
As far as I know that does not exist yet.

>
> I just went through the
> http://people.apache.org/repo/m2-ibiblio-rsync-repository repo and
> seems there are many jars up without an asc and hardly anybody signs
> the pom.xml or the maven-metadata.xml files.
>
> Seems the directory project does a really good job of signing all
> their artifacts. Any directory project committer lurking about? How
> do you guys do that? Do you have any automated scripts to help in
> this department?
>
>> > This is not a distribution but just a
>> > set of jars that our main distribution will depend on.
>>
>> -1
>>
>> every distributed artifact must be signed. jars are distributions.
>> they must be signed.
>>
>
> Understood.. I'll look into signing those files.
>
>> - robert
>>
>
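The thread's complaint is that many jars in the repository carry no .asc at all and that poms are hardly ever signed. The following audit script is an added example, not code from this thread or from the ServiceMix project: it walks a Maven-style repository tree, lists every artifact that lacks a detached signature (using the same exclusions as the signing script above, but keeping pom files in scope), and verifies the signatures that are present. The directory layout, file names and the presence of gpg on the host are assumptions; a signature whose signer key is not in the local keyring is reported as FAIL, since a signature that cannot be checked gives no assurance about the jar.

```sh
#!/bin/sh
# Added example (not from the thread): audit a Maven-style repository tree
# for artifacts that have no detached PGP signature, then verify the
# signatures that do exist. Directory layout and file names are assumptions.

# List every distributable artifact under $1 that has no companion .asc.
# Checksums (.md5/.sha1), signatures and maven-metadata.xml are skipped,
# matching the exclusions in the signing script above; pom files are
# deliberately included, since the thread notes they are rarely signed.
unsigned_artifacts() {
  find "$1" -type f ! \( -name '*.md5' -o -name '*.sha1' -o -name '*.asc' \
                         -o -name 'maven-metadata.xml' \) \
    | LC_ALL=C sort | while IFS= read -r f; do
      [ -f "$f.asc" ] || printf '%s\n' "$f"
    done
}

# Verify each .asc under $1 against its artifact, printing OK or FAIL per
# file. A signer key missing from the local keyring also yields FAIL.
verify_signatures() {
  if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; skipping verification" >&2
    return 0
  fi
  find "$1" -type f -name '*.asc' | LC_ALL=C sort | while IFS= read -r sig; do
    artifact="${sig%.asc}"
    # stdin is redirected so gpg never consumes the find pipeline.
    if gpg --batch --verify "$sig" "$artifact" >/dev/null 2>&1 </dev/null; then
      printf 'OK   %s\n' "$artifact"
    else
      printf 'FAIL %s\n' "$artifact"
    fi
  done
}

# Full audit: returns 0 only when every artifact is signed and every
# signature verifies, so it can gate the scp upload step.
audit() {
  missing=$(unsigned_artifacts "$1")
  failed=$(verify_signatures "$1" | grep '^FAIL' || true)
  rc=0
  if [ -n "$missing" ]; then
    printf '%s\n' "$missing" | sed 's/^/UNSIGNED /'
    rc=1
  fi
  if [ -n "$failed" ]; then
    printf '%s\n' "$failed"
    rc=1
  fi
  return "$rc"
}

# Usage: sh audit-signatures.sh /path/to/repo
if [ $# -gt 0 ]; then
  audit "$1"
fi
```

Run it against the local copy of the repository before the upload loop; a non-zero exit means either an artifact is still unsigned or an existing signature no longer verifies, which is exactly the check robert describes a release manager wanting after a suspected compromise.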