Maven artifact GPG signing


Maven artifact GPG signing

Andy LoPresto-2
Hi folks,

I am writing to propose updating our release process to include signing artifacts with GPG. Currently we sign the full build (i.e. nifi-x.y.z-source-release.tar.gz) with the GPG key of the release manager, and the corresponding public key is available in our KEYS file, hosted by Apache. My proposal is that we complement this by signing the individual Maven modules as well, so that consuming projects (ourselves included) can verify that the code they are running was what was published. I’ve included a few links below [1][2][3][4][5][6][7] that hopefully answer preliminary questions about the process, but I am happy to have further discussion here as well.

I also volunteer to assist with whoever RMs the next release to ensure the process goes smoothly and we document the necessary steps and update our Release Guide [8].


[1] https://maven.apache.org/plugins/maven-gpg-plugin/usage.html
[2] https://github.com/sevntu-checkstyle/dsm-maven-plugin/wiki/How-to-config-GPG-and-sign-artifact-with-it
[3] http://branchandbound.net/blog/security/2012/08/verify-dependencies-using-pgp/
[4] https://blog.sonatype.com/2010/01/how-to-generate-pgp-signatures-with-maven/
[5] https://stackoverflow.com/questions/6565084/maven-verify-signatures-of-downloaded-pom-jar-files
[6] https://www.simplify4u.org/pgpverify-maven-plugin/
[7] https://central.sonatype.org/pages/working-with-pgp-signatures.html
[8] https://nifi.apache.org/release-guide.html

Andy LoPresto
[hidden email]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
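As an added example, not code from the thread or from the NiFi project: the consuming side of this proposal, a check that verifies an artifact's detached .asc signature against a throwaway keyring built only from the project's KEYS file, then requires the VALIDSIG fingerprint to match a KEYS-listed fingerprint instead of accepting any key that happens to verify. It assumes gpg is on PATH; the status output, key holder name and the all-zero fingerprint are constructed, and the trusted fingerprint is the one printed in the signature above.

```python
"""Check a Maven artifact's detached .asc signature against the project's KEYS file."""
import re
import subprocess
import tempfile
from pathlib import Path

# A release manager's fingerprint as it would appear in KEYS (taken from the thread above).
TRUSTED_FINGERPRINTS = {"70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69"}

# Constructed gpg --status-fd output for a good signature; not a real capture.
SAMPLE_STATUS_OK = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 3C6EF65B2F7DEF69 Release Manager <rm@example.invalid>\n"
    "[GNUPG:] VALIDSIG 70ECB3E598A65A3FD3C4BACE3C6EF65B2F7DEF69 2019-05-29 "
    "1559171340 0 4 0 1 10 00 70ECB3E598A65A3FD3C4BACE3C6EF65B2F7DEF69\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
# Constructed output for a signature that verifies but was made by a key not in KEYS.
SAMPLE_STATUS_UNKNOWN_KEY = SAMPLE_STATUS_OK.replace(
    "70ECB3E598A65A3FD3C4BACE3C6EF65B2F7DEF69", "0" * 40)


def normalize_fingerprint(fpr: str) -> str:
    """KEYS prints fingerprints in spaced groups; gpg status lines do not."""
    return re.sub(r"\s+", "", fpr).upper()


def signer_fingerprints(status_output: str) -> set[str]:
    """Return the signing-key and primary-key fingerprints from VALIDSIG lines.

    GOODSIG is deliberately ignored: it carries only a 64-bit key ID and is
    emitted before gpg has finished checking the signature's validity.
    """
    fprs: set[str] = set()
    for line in status_output.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            fprs.update(re.findall(r"\b[0-9A-F]{40}\b", line))
    return fprs


def is_trusted(status_output: str, trusted: set[str] = TRUSTED_FINGERPRINTS) -> bool:
    """Accept only a VALID signature whose key (or primary key) is listed in KEYS."""
    allowed = {normalize_fingerprint(f) for f in trusted}
    return bool(signer_fingerprints(status_output) & allowed)


def verify_artifact(artifact: Path, keys_file: Path) -> bool:
    """Verify artifact.asc using a fresh GPG home that holds only the KEYS file."""
    with tempfile.TemporaryDirectory() as home:
        gpg = ["gpg", "--batch", "--homedir", home]
        subprocess.run(gpg + ["--import", str(keys_file)], check=True, capture_output=True)
        # --status-fd 1 puts the machine-readable status lines on stdout.
        result = subprocess.run(
            gpg + ["--status-fd", "1", "--verify", str(artifact) + ".asc", str(artifact)],
            capture_output=True, text=True)
        return is_trusted(result.stdout)
```

The fingerprint comparison is the part that matters: a signature by any imported key yields VALIDSIG, so without it an attacker-controlled key added to the keyring would pass.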

Re: Maven artifact GPG signing

Kevin Doran-2
Hi Andy,

Thanks for bringing this up and looking into the mechanics of how to
get it working. I am a +1 for signing our maven artifacts.

Thanks,
Kevin

On Wed, May 29, 2019 at 6:09 PM Andy LoPresto <[hidden email]> wrote: