community-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher <>
Subject SHA512 by default for GPG sigs
Date Wed, 18 May 2016 17:45:28 GMT
Hi all,

I'm not sure a better list to get feedback on, but I wanted to bring
attention to the proposal here:

Essentially this is a suggestion to configure the maven-gpg-plugin to sign
using SHA512 as its digest algorithm in the ASF Parent POM, used by many
Maven/Java-based projects within ASF. This configuration takes affect
during software releases when this plugin is activated (typically prior to
a release candidate vote, and staging a release in Nexus for distribution
to Maven Central).

This would only affect the hash algorithm used to generate GPG signatures
for releases, and not any separate SHA/MD hashes published separately by
any project, which can be weaker (SHA1, MD5) for convenience, and don't
convey the strong authenticity statement that digital signatures provide.

For background, gpg uses SHA1 by default, unless the signing key or gpg
configuration has a preference to use another algorithm (as described on

This proposed configuration change wouldn't force the use of SHA512 (it
could still be overridden by a project), but it would make it the default,
which helps improve the security of releases in the case where release
managers have failed to keep their configuration up-to-date with the best
recommendations for using gpg.

Thoughts? +1s? Discuss here or on the JIRA please.

Thank you.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message