nifi-dev mailing list archives

From Andy LoPresto <alopre...@apache.org>
Subject Maven artifact GPG signing
Date Wed, 29 May 2019 18:27:12 GMT
Hi folks,

I am writing to propose updating our release process to include signing artifacts with GPG.
Currently we sign the full build (i.e. nifi-x.y.z-source-release.tar.gz) with the GPG key
of the release manager, and the corresponding public key is available in our KEYS file, hosted
by Apache. My proposal is that we complement this by signing the individual Maven modules
as well, so that consuming projects (ourselves included) can verify that the code they are
running was what was published. I’ve included a few links below [1][2][3][4][5][6][7] that
hopefully answer preliminary questions about the process, but I am happy to have further discussion
here as well.

I also volunteer to assist with whoever RMs the next release to ensure the process goes smoothly
and we document the necessary steps and update our Release Guide [8].

[1] https://maven.apache.org/plugins/maven-gpg-plugin/usage.html
[2] https://github.com/sevntu-checkstyle/dsm-maven-plugin/wiki/How-to-config-GPG-and-sign-artifact-with-it
[3] http://branchandbound.net/blog/security/2012/08/verify-dependencies-using-pgp/
[4] https://blog.sonatype.com/2010/01/how-to-generate-pgp-signatures-with-maven/
[5] https://stackoverflow.com/questions/6565084/maven-verify-signatures-of-downloaded-pom-jar-files
[6] https://www.simplify4u.org/pgpverify-maven-plugin/
[7] https://central.sonatype.org/pages/working-with-pgp-signatures.html
[8] https://nifi.apache.org/release-guide.html

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
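The consumer-side check that per-module signing makes possible, as an added example that is not part of the message above or of the NiFi project's release tooling: it verifies an artifact's detached .asc signature with gpg and additionally requires the signing key's fingerprint to be one listed in the project's KEYS file, so a valid signature from some unrelated key is still rejected. It assumes gpg is on PATH, the KEYS file has already been imported (gpg --import KEYS), and KEYS carries the "Key fingerprint = ..." lines that gpg --fingerprint emits (the usual Apache KEYS layout); the artifact coordinates are constructed.

```shell
#!/bin/sh
# Added example (not NiFi project code). Verify a Maven artifact's detached
# .asc signature and confirm the signing key is listed in the project's KEYS
# file. Assumes gpg is on PATH, KEYS is already imported into the keyring,
# and KEYS contains "Key fingerprint = ..." lines as printed by gpg --fingerprint.

M2_REPO="${M2_REPO:-$HOME/.m2/repository}"

# Path of groupId:artifactId:version (with extension) in the Maven repository layout.
m2_artifact_path() {
    group_path=$(printf '%s' "$1" | tr '.' '/')
    printf '%s/%s/%s/%s/%s-%s.%s\n' "$M2_REPO" "$group_path" "$2" "$3" "$2" "$3" "$4"
}

# Canonical fingerprint: spaces dropped, upper case, so the spaced form in KEYS
# and the compact form gpg prints in status lines compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 if the fingerprint is listed in the KEYS file, 1 otherwise.
fingerprint_in_keys() {
    want=$(norm_fpr "$1")
    sed -n 's/.*Key fingerprint *= *//p' "$2" | tr -d ' ' \
        | tr '[:lower:]' '[:upper:]' | grep -qxF "$want"
}

# Verify <artifact>.asc over <artifact>. Success requires a VALIDSIG status
# line from gpg AND a primary-key fingerprint that appears in KEYS.
verify_artifact() {
    artifact=$1; keys=$2
    [ -f "$artifact.asc" ] || { echo "MISSING signature: $artifact.asc" >&2; return 1; }
    status=$(gpg --batch --status-fd 1 --verify "$artifact.asc" "$artifact" 2>/dev/null) \
        || { echo "BAD signature: $artifact" >&2; return 1; }
    # "[GNUPG:] VALIDSIG <sig-key-fpr> ... <primary-key-fpr>": take the last field,
    # the primary key fingerprint, because releases are often signed by a subkey
    # and KEYS lists primary-key fingerprints. Fails closed if the field is absent.
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$fpr" ] || { echo "NO VALIDSIG for $artifact" >&2; return 1; }
    fingerprint_in_keys "$fpr" "$keys" \
        || { echo "UNTRUSTED key $fpr (not in KEYS): $artifact" >&2; return 1; }
    echo "OK $artifact signed by $fpr"
}

# Example invocation (constructed coordinates):
# verify_artifact "$(m2_artifact_path org.apache.nifi nifi-api 1.2.3 jar)" KEYS
```

The fingerprint comparison is what distinguishes "signed by the release manager's key in KEYS" from merely "signed by someone"; without it a verifier would accept any key it happens to have imported.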

