incubator-general mailing list archives

From Guillaume Nodet <gno...@apache.org>
Subject Re: [VOTE] Approve the 4.1 release of ActiveMQ's maven plugins
Date Fri, 15 Sep 2006 16:49:08 GMT
Once everything is uploaded,
I scp the whole dir to my host,
sign all the jars with a batch,
and upload all the .asc files ...

Here is the shell script:
#!/bin/sh
# Sign every artifact under the current directory that does not yet have a
# detached, ASCII-armored signature next to it, then verify each new signature.
MY_KEY="Guillaume Nodet"
echo -n "PGP Key Password: "
stty -echo            # do not echo the passphrase to the terminal
read PASSWORD
stty echo
echo ""
# Checksums, existing signatures, *-version markers and maven-metadata.xml are
# not signed; everything else we own gets a .asc.  Word splitting on
# $(find ...) means file names must not contain whitespace.
for FILE in $(find . -not '(' -name "*.md5" -or -name "*.sha1" -or -name "*.asc" -or -name "*-version" -or -name "maven-metadata.xml" ')' -and -type f -and -user "$USER") ; do
  signature=${FILE}.asc
  if [ ! -f "${signature}" ]
  then
    echo -n "Creating: ${signature} ... "
    # The passphrase is read from stdin (fd 0).  GnuPG 2.1 and later also need
    # --pinentry-mode loopback for --passphrase-fd to be honoured.
    echo "$PASSWORD" | gpg --default-key "$MY_KEY" --detach-sign --armor --no-tty --yes --passphrase-fd 0 "$FILE" && echo done.
    gpg --verify "${signature}" "$FILE"
  fi
done
echo "Finished!"


The upload can be done with something like
  # Run from the top of the local repository copy: the relative path of each
  # .asc is reused as its path under the remote repository directory.
  for i in $(find . -name "*.asc")
  do
    scp "$i" people.apache.org:/www/people.apache.org/repo/m2-incubating-repository/org/apache/servicemic/"$i"
  done

Cheers,
Guillaume Nodet

Hiram Chirino wrote:
> On 9/14/06, robert burrell donkin <robertburrelldonkin@gmail.com> wrote:
>> On 9/14/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
>> > On 9/14/06, robert burrell donkin <robertburrelldonkin@gmail.com> wrote:
>> > > On 9/14/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
>>
>> > > remember that you'll need to create signatures before uploading.
>> > >
>> >
>> > AFAIK, projects only sign distributions.
>>
>> true but jars are distributions too. policy applies equally to all
>> distributions
>>
>> > If this was not the case
>> > then every artifact in the maven repo would need to be signed and that
>> > seems like a bit of overkill.
>>
>> the policy is clear - they must be signed. this might seem like
>> overkill until you consider the cost to your personal reputation if an
>> unsigned jar is substituted by malware. signing by release managers is
>> an easy and effective protection which is why infrastructure insists
>> upon it. in the (hopefully unlikely) event of a compromise, it is much
>> easier and quicker for a release manager to verify that the signature
>> is still valid than to recut the release.
>>
>
> Does anybody know if there is a way to get maven to sign every
> artifact that gets deployed?  As far as I know that does not exist yet.
>
> I just went through the
> http://people.apache.org/repo/m2-ibiblio-rsync-repository repo and it
> seems there are many jars up without an asc and hardly anybody signs
> the pom.xml or the maven-metadata.xml files.
>
> Seems the directory project does a really good job of signing all
> their artifacts.  Any directory project committer lurking about?  How
> do you guys do that?  Do you have any automated scripts to help in
> this department?
>
>> > This is not a distribution but just a
>> > set of jars that our main distribution will depend on.
>>
>> -1
>>
>> every distributed artifact must be signed. jars are distributions.
>> they must be signed.
>>
>
> Understood.. I'll look into signing those files.
>
>> - robert
>>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

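The thread complains that many jars in the repository have no .asc beside them, and the posted script only checks its own fresh signatures with `gpg --verify`, which passes for any key in the local keyring. The following audit script is an added example written for this page; it is not the poster's script nor any Apache project's tooling. It walks a repository copy with the same exclusion list as the posted find(1) expression, reports artifacts that lack a detached signature, and, for the signatures that do exist, parses `gpg --status-fd` output so that a signature counts as good only if the VALIDSIG fingerprint is on an allow-list of release-manager keys. The fingerprint, the key id and the status lines embedded below are constructed placeholders; the `gpg` binary on PATH is assumed only by `verify_signature()` and `audit()`, everything else runs offline.

```python
#!/usr/bin/env python3
"""Audit a Maven repository tree for unsigned artifacts and check existing
detached signatures against release-manager key fingerprints."""
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Same exclusions as the find(1) expression in the posted script: these are
# never signed; every other regular file (jar, pom, ...) must have a .asc.
UNSIGNED_SUFFIXES = (".md5", ".sha1", ".asc", "-version")
UNSIGNED_NAMES = {"maven-metadata.xml"}
RM_FINGERPRINT = "AAAA 1111 AAAA 1111 AAAA 1111 AAAA 1111 AAAA 1111"  # placeholder

# Constructed gpg --status-fd output (not from a real run; ids are placeholders).
SAMPLE_GOOD_STATUS = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example RM <rm@example.invalid>\n"
    "[GNUPG:] VALIDSIG 00001111222233334444555566667777888899AA 2006-09-15 "
    "1158338948 0 4 0 17 2 00 AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111\n")


def needs_signature(path: Path) -> bool:
    return (path.is_file() and path.name not in UNSIGNED_NAMES
            and not path.name.endswith(UNSIGNED_SUFFIXES))


def artifacts(root: Path) -> List[Path]:
    return sorted(p for p in Path(root).rglob("*") if needs_signature(p))


def missing_signatures(root: Path) -> List[Path]:
    """Artifacts with no <name>.asc beside them."""
    return [p for p in artifacts(root) if not p.with_name(p.name + ".asc").is_file()]


def classify_status(status_output: str, trusted_fprs: Iterable[str]) -> Tuple[str, str]:
    """Reduce gpg --status-fd lines to (verdict, detail).  gpg's exit code only
    says "good signature by some key in the keyring"; VALIDSIG carries the
    signing-key fingerprint and, last, the primary-key fingerprint, which
    is what we compare with the allow-list."""
    trusted = {f.replace(" ", "").upper() for f in trusted_fprs}
    seen = set()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        word = fields[1]
        if word == "BADSIG":
            return "bad", "signature does not match the artifact"
        if word in ("EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            return "bad", word + " " + " ".join(fields[2:])
        if word == "NO_PUBKEY":
            return "unknown", "key %s not in keyring" % fields[2]
        if word == "VALIDSIG":
            seen.add(fields[2].upper())
            if len(fields) > 11:
                seen.add(fields[11].upper())
    if not seen:
        return "bad", "no VALIDSIG in gpg status output"
    hit = sorted(seen & trusted)
    if hit:
        return "good", hit[0]
    return "untrusted", "signed by %s, not a release-manager key" % sorted(seen)[0]


def verify_signature(artifact: Path, trusted_fprs: Iterable[str], gpg: str = "gpg") -> Tuple[str, str]:
    """Run gpg --verify on <artifact>.asc and classify its status output."""
    sig = artifact.with_name(artifact.name + ".asc")
    cmd = [gpg, "--batch", "--no-tty", "--status-fd", "1", "--verify", str(sig), str(artifact)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify_status(proc.stdout, trusted_fprs)


def audit(root: Path, trusted_fprs: Iterable[str], gpg: str = "gpg") -> Dict[str, List[str]]:
    """Group every artifact under root by verdict; "missing" means no .asc at all."""
    report: Dict[str, List[str]] = {k: [] for k in ("missing", "bad", "unknown", "untrusted", "good")}
    for p in artifacts(root):
        if not p.with_name(p.name + ".asc").is_file():
            report["missing"].append(str(p))
            continue
        verdict, detail = verify_signature(p, trusted_fprs, gpg)
        report[verdict].append("%s (%s)" % (p, detail))
    return report


def sample_repo() -> Path:
    """Constructed layout: one signed pom, one unsigned jar, plus checksums/metadata."""
    d = Path(tempfile.mkdtemp(prefix="m2-audit-")) / "org" / "example" / "demo" / "1.0"
    d.mkdir(parents=True)
    for name in ("demo-1.0.jar", "demo-1.0.jar.md5", "demo-1.0.jar.sha1",
                 "demo-1.0.pom", "demo-1.0.pom.asc", "maven-metadata.xml"):
        (d / name).write_text("placeholder\n")
    return d.parents[3]


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else sample_repo()
    for p in missing_signatures(root):
        print("MISSING  %s" % p)
```

Run it against a rsync copy of the repository with the real release-manager fingerprints from the project's KEYS file in place of `RM_FINGERPRINT`. The distinction `classify_status` draws matters for the auditing case, as opposed to the self-check in the posted script: a substituted jar accompanied by a valid signature from an arbitrary key still makes `gpg --verify` exit 0 once that key is imported, so the verdict has to rest on the signing key's fingerprint, not on the exit status.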
