On 08/15/2011 12:04 PM, Caleb James DeLisle wrote:
> On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
>> On 08/15/2011 11:19 AM, Vincent Massol wrote:
>>> Hi,
>>>
>>> I think we should start signing our artifacts using PGP as explained here:
>>> https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
>>>
>>> Here's my +1
>>
>> +1.
>>
>> Do we use only one key, installed on the release machine? It should be
>> protected by a strong passphrase.
>
> +1
>
> I really don't like the "one key on the release box" idea.
> IMO each release manager should sign with their key which ofc never leaves their own
> computer.

The problem with this is that the GPG signing is supposed to happen
during mvn release:perform, which happens on the agent machine.

There are two options:
- temporarily install the personal private key on the server
- release from the local computer

Is there a way to tunnel the GPG signing to the local computer?

>
>>
>>> Thanks
>>> -Vincent
>>>
>>> PS: If we agree I can commit the changes required to our top level POM to
>>> implement this (I have them locally already)
>>>
>>> PS2: When's the release user ready on one of the new agents?
>>>
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
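The thread is about producing the detached PGP signature that ships next to each released artifact, and about where the signing key lives. The script below is an added example, not code from the thread or from the XWiki build: it generates a throwaway key in an isolated GNUPGHOME (so nobody's real keyring is touched), signs a constructed stand-in artifact the way maven-gpg-plugin does (a detached, ASCII-armored `.asc` beside the file), exports the public key a consumer would import, and shows that verification fails once a single byte of the artifact changes. It assumes gpg 2.x is on PATH; the key identity, artifact name and contents are all constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: produce and check the detached
# PGP signature (.asc) that accompanies a released Maven artifact, using a
# throwaway key in an isolated GNUPGHOME so the caller's real keyring is
# never touched. Assumes gpg 2.x is on PATH.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
# Stop the agent gpg starts for this temporary home and remove the scratch dir.
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"; }
trap cleanup EXIT

# Constructed throwaway key. It is unprotected only because it lives for the
# duration of this script; a real release-manager key needs a strong passphrase.
cat > "$WORK/keyparams" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Release Manager
Name-Email: release@example.invalid
Expire-Date: 0
%commit
EOF
gpg --batch --quiet --gen-key "$WORK/keyparams"

# Public half, which is what gets published so consumers can verify;
# the private key never leaves this GNUPGHOME.
gpg --batch --quiet --armor --export release@example.invalid > "$WORK/release-key.pub.asc"

# Constructed stand-in for a built artifact.
ARTIFACT="$WORK/example-artifact-1.0.jar"
printf 'constructed artifact contents\n' > "$ARTIFACT"

# Detached, ASCII-armored signature written to <artifact>.asc, the same shape
# maven-gpg-plugin uploads beside each artifact.
sign_artifact() {
    gpg --batch --yes --quiet --armor --detach-sign --output "$1.asc" "$1"
}

# Returns 0 only when <artifact>.asc is a valid signature over <artifact> by a
# key present in the keyring; any change to the artifact bytes breaks it.
verify_artifact() {
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

sign_artifact "$ARTIFACT"
verify_artifact "$ARTIFACT"
echo "original: signature verifies"

# Tampering check: same signature, one byte appended to the artifact.
TAMPERED="$WORK/tampered-1.0.jar"
cp "$ARTIFACT" "$TAMPERED"
cp "$ARTIFACT.asc" "$TAMPERED.asc"
printf 'x' >> "$TAMPERED"
if verify_artifact "$TAMPERED"; then
    echo "unexpected: tampered artifact verified"; exit 1
else
    echo "tampered: verification fails, as it should"
fi
```

One caveat for the consumer side: `gpg --verify` exits 0 for any key that is present in the local keyring, even one that is not trusted (it only prints a warning), so a downstream check is only as good as the channel through which the release public key was obtained and imported.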