pgp-signature-check:pgp-signature-check

Full name:

com.github.exabrial:pgp-signature-check-plugin:1.0.3:pgp-signature-check

Description:

This goal will download the asc signatures for artifacts in the build and verify their integrity.

Attributes:

  • Requires a Maven project to be executed.
  • Requires dependency resolution of artifacts in scope: test.
  • Since version: 1.0.0.
  • Binds by default to the lifecycle phase: process-resources.

Optional Parameters

| Name | Type | Since | Description |
| --- | --- | --- | --- |
| `<checkPomSignatures>` | boolean | 1.0.0 | Indicates whether pom file (project artifact) signatures should be checked as well. Default value is: `true`. |
| `<gpgExecutable>` | String | 1.0.0 | The fully qualified path to the gpg executable. If not specified, the plugin will perform a which/where.exe lookup. |
| `<keyCacheDirectory>` | String | 1.0.0 | The fully qualified path to the directory where pgp keys will be cached. The plugin will not automatically create this directory if it doesn't exist. Default value is: `~/.m2/artifactPubKeys`. |
| `<keyMapFileName>` | String | 1.0.0 | The fully qualified path of the file used to pin artifacts to pgp keys. The format is `groupId:artifactId:version=0xPGPKeyFingerprint` (16-40 hex chars), so for bouncycastle that'd look like `org.bouncycastle:*:*=0x08F0AAB4D0C1A4BDDE340765B341DDB020FCB6AB`. Wildcards are allowed. All lines are trimmed. Comments begin with the # (hash) character. To skip a particular artifact, set the value to `skip-signature-check`: `groupId:artifactId:version=skip-signature-check`. Default value is: `${project.basedir}/artifact-key-map.txt`. |

Parameter Details

<checkPomSignatures>

Indicates whether pom file (project artifact) signatures should be checked as well.
  • Type: boolean
  • Since: 1.0.0
  • Required: No
  • Default: true

<gpgExecutable>

The fully qualified path to the gpg executable. If not specified, the plugin will perform a which/where.exe lookup.
  • Type: java.lang.String
  • Since: 1.0.0
  • Required: No

<keyCacheDirectory>

The fully qualified path to the directory where pgp keys will be cached. The plugin will not automatically create this directory if it doesn't exist.
  • Type: java.lang.String
  • Since: 1.0.0
  • Required: No
  • Default: ~/.m2/artifactPubKeys

<keyMapFileName>

The fully qualified path of the file used to pin artifacts to pgp keys. The format is:

groupId:artifactId:version=0xPGPKeyFingerprint (16-40 hex chars)

So for bouncycastle, that'd look like:

org.bouncycastle:*:*=0x08F0AAB4D0C1A4BDDE340765B341DDB020FCB6AB

Wildcards are allowed. All lines are trimmed. Comments begin with the # (hash) character.

To skip a particular artifact, set the value to: `skip-signature-check`

groupId:artifactId:version=skip-signature-check
  • Type: java.lang.String
  • Since: 1.0.0
  • Required: No
  • Default: ${project.basedir}/artifact-key-map.txt
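
The key map is the trust anchor for this goal, so it is worth reviewing like code. The following is an added example, not part of the plugin or its documentation: a small Python lint that parses key-map text in the format described above and reports malformed lines, `skip-signature-check` exemptions, and pins shorter than a full 40-hex fingerprint (a 16-hex value is a 64-bit key ID, which is easier to collide). Assumptions: comments are whole-line only, and `lint_key_map`, `SAMPLE` and the `com.example` entries are hypothetical names constructed for illustration.

```python
import re

SKIP = "skip-signature-check"
PIN = re.compile(r"0x[0-9A-Fa-f]{16,40}")  # page: "16-40 hex chars"

def lint_key_map(text):
    """Parse key-map text; return (entries, findings).

    entries:  list of (coordinates, value) for well-formed lines
    findings: list of (line_number, severity, message)
    """
    entries, findings = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                      # "All lines are trimmed"
        if not line or line.startswith("#"):    # assumption: whole-line comments only
            continue
        coords, sep, value = line.partition("=")
        parts = coords.split(":")
        if not sep or len(parts) != 3 or not all(parts):
            findings.append((n, "error", "expected groupId:artifactId:version=value"))
        elif value == SKIP:
            scope = "wildcard exemption" if "*" in parts else "exemption"
            findings.append((n, "warn", f"{scope} from signature checking: {coords}"))
            entries.append((coords, value))
        elif not PIN.fullmatch(value):
            findings.append((n, "error", f"not a 0x pin of 16-40 hex chars: {value}"))
        else:
            if len(value) - 2 < 40:             # e.g. a 16-hex long key ID
                findings.append((n, "warn", f"pin shorter than a full 40-hex fingerprint: {coords}"))
            entries.append((coords, value))
    return entries, findings

# Constructed sample input (only the bouncycastle line comes from the page).
SAMPLE = """\
# pins for third-party artifacts
org.bouncycastle:*:*=0x08F0AAB4D0C1A4BDDE340765B341DDB020FCB6AB
com.example:legacy-lib:1.2.3=skip-signature-check
com.example:*:*=0x0123456789ABCDEF
com.example:broken=0x0123456789ABCDEF
com.example:typo:1.0=0xNOTHEX
"""

if __name__ == "__main__":
    entries, findings = lint_key_map(SAMPLE)
    for n, severity, message in findings:
        print(f"line {n}: {severity}: {message}")
```

Run over the project's `artifact-key-map.txt` in code review or CI, this gives a reviewer the list of exemptions and weak pins without reading the whole file.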