ant-ivy-user mailing list archives

From Gilles Scokart <>
Subject Re: Professional Repository - Artifact Verification
Date Fri, 17 Apr 2009 07:43:21 GMT
Ivy indeed doesn't handle signature validation.  The "validation" is
currently limited to checksums.

Gilles Scokart

2009/4/15 Ray Racine <>

> Trying to understand the Ivy way of setting up
> internal/shared/professional/enterprise repositories.
> I've looked through the Best Practices, examples etc. and the one thing I
> keep looking for is the verification aspect.  It's one of those things "you
> know it has to be there somewhere" but I can't find it.  Let's say I want to
> create an internal repository and as part of the process verify the jars
> using PGP, MD5 or SHA-1 sigs.   Is this something supported by Ivy or are
> there other Ant tasks and scripts everyone is using that support this?
> Right now the best I can come up with would be something like this.
>  - Create a local Stage Repository and populate it from public (Maven et al)
> repos via an Ant script with itemized Install tasks for each artifact.
>  - Manually obtain sigs or keys from a non-mirror and verify a jar
> one-by-one.
>  - Use another Ant script to move via an Install task a verified jar into
> MyEnterpriseRepo.
>  - Then to avoid all this manual work, start building a tedious set of Ant
> scripts to fetch KEYS etc via fetch tasks and verify all Stage Repo.
> artifacts etc...
> What I've been searching for is some settings capability where for each
> artifact I can tell Ivy the expected PGP or SHA-1 and avoid the Stage
> Repository, in other words, Ivy will refuse to install an artifact into
> MyEnterpriseRepo which fails to verify.
> How is everyone dealing with the verification aspect??
> Thanks,
> Ray
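
The gate asked for in the question, as an added example that is not part of the thread and not an Ivy feature: artifacts move from a staging directory into the enterprise repository only when their digest matches a value pinned in advance. The function names, the `algo:hexdigest` pin format, the directory layout and the sample files are assumptions constructed for illustration; SHA-256 is accepted alongside the SHA-1 named in the thread.

```python
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path

ALGORITHMS = ("sha1", "sha256")  # SHA-1 as in the thread; SHA-256 is an addition here

def file_digest(path, algo):
    """Hash a file in chunks so large jars are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def promote_verified(stage, repo, pins):
    """Copy stage/<name> into repo only if its digest equals pins[name] ("algo:hexdigest").
    Unpinned files are rejected (fail closed). Returns (promoted, rejected)."""
    stage, repo = Path(stage), Path(repo)
    promoted, rejected = [], []
    for artifact in sorted(p for p in stage.iterdir() if p.is_file()):
        algo, _, expected = pins.get(artifact.name, ":").partition(":")
        ok = (algo in ALGORITHMS and
              hmac.compare_digest(file_digest(artifact, algo), expected.lower()))
        if ok:
            repo.mkdir(parents=True, exist_ok=True)
            shutil.copy2(artifact, repo / artifact.name)
            promoted.append(artifact.name)
        else:
            rejected.append(artifact.name)
    return promoted, rejected

def demo():
    """Constructed sample: three fake 'jars'; one altered after pinning, one unpinned."""
    with tempfile.TemporaryDirectory() as tmp:
        stage, repo = Path(tmp, "stage"), Path(tmp, "MyEnterpriseRepo")
        stage.mkdir()
        (stage / "good-1.0.jar").write_bytes(b"constructed jar bytes A")
        (stage / "tampered-1.0.jar").write_bytes(b"constructed jar bytes B (modified)")
        (stage / "unpinned-1.0.jar").write_bytes(b"constructed jar bytes C")
        pins = {
            "good-1.0.jar": "sha1:" + hashlib.sha1(b"constructed jar bytes A").hexdigest(),
            "tampered-1.0.jar": "sha256:" + hashlib.sha256(b"constructed jar bytes B").hexdigest(),
        }
        promoted, rejected = promote_verified(stage, repo, pins)
        return promoted, rejected, sorted(p.name for p in repo.iterdir())

if __name__ == "__main__":
    print(demo())
```

The pins are only as trustworthy as their source: a checksum file fetched from the same mirror as the jar detects corruption in transit, not substitution of both files.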
