<html><head><base href="x-msg://3/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Hi Jeff,</div><div><br></div><div>thank you very much for this information and your article! I wasn't aware of this plugin.</div><div><br></div><div>I just changed my build process for Lilith accordingly.</div><div>See <a href="http://github.com/huxi/lilith/commit/c2689ee57b263c6a2cb6241547a991703354bc6f">http://github.com/huxi/lilith/commit/c2689ee57b263c6a2cb6241547a991703354bc6f</a></div><div><br></div><div>I had to jump through some loops, though, since I have gpg2 instead of gpg:</div><div><br></div><div>The following two properties had to be added to my pom:</div><div><div><gpg.useagent>true</gpg.useagent></div><div><gpg.keyname>740A1840</gpg.keyname></div><div><br></div><div>The first one makes sure that gpg isn't complaining about an invalid option (--no-use-agent was removed in gpg2) and doesn't ask for a passphrase anymore.</div><div>This was quite tricky since the documentation of maven-gpg-plugin says that it's called useAgent, which it isn't!</div><div><br></div><div>The second one selects the correct key used for the signature - which is a good idea if you have more than one.</div><div><br></div><div>I wanted to comment on your article but, unfortunately, comments are disabled.</div></div><div><br></div><div>Cheers,</div><div>Joern.</div><br><div><div>On 08.05.2010, at 03:23, Jeff Jensen wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div class="Section1"><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">It is best if the artifacts are signed. Sometime in the near future, Central/Nexus will not accept artifacts without being signed.<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">This would prove the source for you more than the hashes.<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Ceki: you should start signing the release artifacts. It is very easy - I’ve done it already on a few products and Sonatype has a very good page describing how. Maven will do it automatically for you:<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><a href="http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven" style="color: blue; text-decoration: underline; ">http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven</a><o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div><div style="border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; border-top-style: solid; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding-top: 3pt; padding-right: 0in; padding-bottom: 0in; padding-left: 0in; position: static; z-index: auto; "><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span><a href="mailto:slf4j-user-bounces@qos.ch" style="color: blue; text-decoration: underline; ">slf4j-user-bounces@qos.ch</a><span class="Apple-converted-space"> </span>[mailto:slf4j-user-bounces@qos.ch]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Joern Huxhorn<br><b>Sent:</b><span class="Apple-converted-space"> </span>Friday, May 07, 2010 3:50 AM<br><b>To:</b><span class="Apple-converted-space"> </span>User list for the slf4j project<br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [slf4j-user] Signatures for verifying Slf4j<o:p></o:p></span></div></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">One solution could be the use of signed tags for SLF4J and Logback.<o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">That way it would be possible to pull the git repository, check the signature of the tag and build SLF4J and Logback yourself afterwards.<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">I think the MD5 and SHA1 of Maven repository are merely a way to prevent corrupted files, not an actual security feature.<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Cheers,<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Joern.<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">On 07.05.2010, at 09:26, Elisha Ebenezer wrote:<o:p></o:p></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br><o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Hi Ceki,<br>I'm trying to push to use Slf4j and logback in our project and my company wants me to get the MD5 or SHA1 hashes or the code-signing certs to verify the integrity of downloaded files.<br> <br>Though<span class="Apple-converted-space"> </span><a href="http://repo1.maven.org/" style="color: blue; text-decoration: underline; ">repo1.maven.org</a><span class="Apple-converted-space"> </span>site provides the hashes, we are not sure whether the war and the hash are uploaded by genuine party or not.<br> <br>As you are the owner of the project, I request you to kindly publish the hashes or certs on website's download page.. which can be cross-checked with the downloaded war and/or also with the maven repository.<br> <br>Kindly do the needful and oblige.<br> <br>Thanks,<br>Elisha Ebenezer. _______________________________________________<br>slf4j-user mailing list<br><a href="mailto:slf4j-user@qos.ch" style="color: blue; text-decoration: underline; ">slf4j-user@qos.ch</a><br><a href="http://qos.ch/mailman/listinfo/slf4j-user" style="color: blue; text-decoration: underline; ">http://qos.ch/mailman/listinfo/slf4j-user</a><o:p></o:p></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div></div>_______________________________________________<br>slf4j-user mailing list<br><a href="mailto:slf4j-user@qos.ch" style="color: blue; text-decoration: underline; ">slf4j-user@qos.ch</a><br><a href="http://qos.ch/mailman/listinfo/slf4j-user" style="color: blue; text-decoration: underline; ">http://qos.ch/mailman/listinfo/slf4j-user</a></div></blockquote></div><br></body></html>