Hacker News
jermo | 4145 days ago
Releases have to be PGP signed, snapshots don't.
How many people do you know that verify PGP signatures of their artifacts? Do you?
teacup50 | 4144 days ago
Yes, we verify signatures at our middleware repository cache.
pron | 4144 days ago
Really? Impressive! Where do you get the public keys? Most projects hosted on Maven Central don't publish them on their website.
teacup50 | 4143 days ago
http://blog.sonatype.com/2009/04/nexus-133-introduces-automa...
pron | 4143 days ago
But unless the signers have a public certificate, or publish their public keys on their website (which you need to obtain manually), the signatures on Maven Central can be just as fake as the artifacts.
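The thread's two points, that verifying the `.asc` signature Maven Central publishes beside each artifact is possible, and that the signature proves nothing unless the signing key is trusted through some channel other than the repository or keyserver, can be combined in one script. The following is an added example, not code from the thread, from Sonatype or from Nexus: it downloads an artifact and its detached signature, imports the signing key by its full fingerprint, checks the signature with gpg, and accepts the artifact only if the primary-key fingerprint gpg reports is on a pinned list. The pinned fingerprint below is a constructed placeholder, the keyserver is an arbitrary choice, and `gpg` and `curl` are assumed to be installed; a real list would be populated from the project's website or a previously verified release, which is exactly the out-of-band step pron describes.

```shell
#!/bin/sh
# Added example, not code from the thread: verify a Maven Central artifact's
# detached PGP signature (the ".asc" published next to it) and accept it only
# if the signing key's primary fingerprint is on a list pinned out of band.
# Assumptions: gpg and curl are installed; TRUSTED_FINGERPRINTS is a
# constructed placeholder; KEYSERVER is an arbitrary choice.

KEYSERVER=${KEYSERVER:-hkps://keyserver.ubuntu.com}
MAVEN_CENTRAL=${MAVEN_CENTRAL:-https://repo1.maven.org/maven2}

# Pinned primary-key fingerprints, one per line, no spaces inside an entry.
# Constructed placeholder value: a real list comes from the project's website
# or a previously verified release, never from the keyserver itself.
TRUSTED_FINGERPRINTS="
0123456789ABCDEF0123456789ABCDEF01234567
"

# Canonical form of a fingerprint: spaces removed, hex digits upper-cased.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Succeeds (exit 0) only if fingerprint $1 appears in TRUSTED_FINGERPRINTS.
is_pinned() {
  fpr=$(normalize_fpr "$1")
  [ -n "$fpr" ] || return 1
  for pinned in $TRUSTED_FINGERPRINTS; do
    if [ "$(normalize_fpr "$pinned")" = "$fpr" ]; then
      return 0
    fi
  done
  return 1
}

# Build the artifact's Maven Central URL from its coordinates, e.g.
#   artifact_url org.example demo 1.2.3 jar
#   -> https://repo1.maven.org/maven2/org/example/demo/1.2.3/demo-1.2.3.jar
artifact_url() {
  group_path=$(printf '%s' "$1" | tr '.' '/')
  printf '%s/%s/%s/%s/%s-%s.%s' "$MAVEN_CENTRAL" "$group_path" "$2" "$3" "$2" "$3" "$4"
}

# Import the pinned keys by full fingerprint. Asking for a fingerprint means
# the keyserver can only return the key we already decided to trust, or
# nothing; it cannot substitute a different key under that fingerprint.
import_pinned_keys() {
  for pinned in $TRUSTED_FINGERPRINTS; do
    gpg --batch --keyserver "$KEYSERVER" --recv-keys "$pinned" >/dev/null 2>&1 || return 1
  done
}

# Print the primary-key fingerprint behind a valid signature $1 over file $2,
# read from gpg's machine-readable VALIDSIG status line (its last field is the
# primary key; $3 would be the signing subkey). Prints nothing when the
# signature is bad or the key is absent from the keyring.
signer_fingerprint() {
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Download artifact and signature, verify, and pin. Exit codes:
#   0 trusted; 1 download or signature failure; 2 valid signature, unpinned key.
verify_artifact() {
  url=$(artifact_url "$1" "$2" "$3" "$4")
  file=$(basename "$url")
  curl -fsSL -o "$file" "$url" || return 1
  curl -fsSL -o "$file.asc" "$url.asc" || return 1
  import_pinned_keys || echo "warning: could not refresh pinned keys from $KEYSERVER" >&2
  fpr=$(signer_fingerprint "$file.asc" "$file")
  if [ -z "$fpr" ]; then
    echo "FAIL: no valid signature for $file" >&2
    return 1
  fi
  if is_pinned "$fpr"; then
    echo "OK: $file signed by pinned key $fpr"
    return 0
  fi
  echo "UNTRUSTED: $file carries a valid signature from $fpr, which is not pinned" >&2
  return 2
}

# Usage: sh verify-maven.sh <groupId> <artifactId> <version> <packaging>
if [ $# -eq 4 ]; then
  verify_artifact "$1" "$2" "$3" "$4"
fi
```

The distinction the script draws is the one the thread turns on: gpg reporting a good signature (exit code 0, a VALIDSIG line) only shows that some key signed the bytes; the `is_pinned` check is what ties that key to the project, and it is only as good as the channel the pinned fingerprint came from. A repository manager that verifies signatures without such a pinned list is checking integrity, not authorship.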