This is a FAQ for the maven repo PGP signature checker.
questions and answers
- Q: What's a FAQ?
A: A FAQ is a list of Frequently Asked Questions (and answers); see FAQ on Wikipedia.
- Q: What does the checker do?
A: The checker looks in the maven repo at artifacts that are less than four weeks old;
it checks that a PGP signature (.asc) exists and, if so, verifies it.
- Q: Which artifacts must be signed?
A: All the .jar, .pom, .tar.gz and .zip files.
- Q: Public key not found? Where does the checker look for keys?
A: The checker looks for keys in /www/people.apache.org/keys/committer/
- If your key is missing, you should add your public PGP key using id.apache.org.
- Also, make your public PGP key available in the file .pgpkey in your home directory /home/your-username/
on people.apache.org; make sure the checker can read it: chmod +r .pgpkey
- Look at /home/henkp/.pgpkey for an example.
- Never, never store your private PGP key on people.apache.org.
- Q: How often is the repo checked?
A: Twice a day.
- Q: Where does it say repo artifacts have to be signed?
A: See the ASF policy on release signing.
- Q: How do I provide PGP signatures?
A: Use a release profile that includes the PGP plugin. The one used for maven components is discussed in Releasing A Maven Project;
for geronimo see geronimo-server-release-process. There are plenty of other examples at Apache. [Thanks to David Jencks for providing this answer]
- Q: How can a package and/or signature be BAD?
A: The combination of a file XXX and a signature file XXX.asc is BAD if "gpg --verify XXX.asc XXX" says it is a bad signature; XXX and XXX.asc don't belong together.
- For the repo a bad signature is reason for concern, and should be investigated,
especially if XXX and XXX.asc did belong together in the past.
- Perhaps someone maliciously changed file XXX.
- Sometimes we have, indeed, a bad signature, but we may also have a bad file.
A bad signature should be investigated and fixed as soon as possible.
- Clement Escoffier <clement.escoffier.at.gmail.com> writes: The bad signatures come from a maven issue. When launched with mvn gpg:sign the plug-in generates a bad signature for the first artifact (in fact, it seems it generates a valid key only for the last one). To turn around this issue, you need to add the following configuration in your pom file:

  <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-gpg-plugin</artifactId>
    <executions>
      <execution>
        <id>sign-artifacts</id>
        <phase>verify</phase>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
    </executions>
  </plugin>

  In this case, the signature seems valid.
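The procedure described under "What does the checker do" and "How can a package and/or signature be BAD" (find recent .jar/.pom/.tar.gz/.zip files, require an .asc, run gpg --verify against the committer keys), written out as an added example; this is not the checker's own code. It goes one step further than the FAQ by reporting a missing public key (the "Public key not found" case) separately from a bad signature. REPO, KEYRING and the --run flag are assumptions.

```shell
#!/bin/sh
# Added example, not the checker's own code: re-implements the checks the FAQ
# describes. REPO and KEYRING are assumed locations; the real checker reads
# keys from /www/people.apache.org/keys/committer/.
set -u

REPO=${REPO:-/path/to/maven/repo}                  # assumption: repo root to scan
KEYRING=${KEYRING:-/path/to/committer-keys.gpg}    # assumption: committer public keys
MAX_AGE_DAYS=28                                    # "less than four weeks old"
GPG=${GPG:-gpg}

# Classify one artifact. Prints OK, MISSING (no .asc), NOKEY (signer's public
# key not in KEYRING) or BAD (signature does not belong to the file).
check_artifact() {
    f=$1
    [ -f "$f.asc" ] || { echo MISSING; return 0; }
    # --status-fd 1 gives machine-readable lines; the exit status alone cannot
    # tell a mismatched or tampered file apart from an unknown key.
    status=$("$GPG" --batch --status-fd 1 --no-default-keyring --keyring "$KEYRING" \
                    --verify "$f.asc" "$f" 2>/dev/null) || true
    case $status in
        *"[GNUPG:] NO_PUBKEY"*) echo NOKEY ;;
        *"[GNUPG:] VALIDSIG"*)  echo OK ;;
        *)                      echo BAD ;;
    esac
}

# Walk the repo for the file types that must be signed, newer than MAX_AGE_DAYS,
# and print one "STATUS path" line per artifact (NOKEY and BAD need a look).
check_repo() {
    find "$REPO" -type f -mtime "-$MAX_AGE_DAYS" \
        \( -name '*.jar' -o -name '*.pom' -o -name '*.tar.gz' -o -name '*.zip' \) |
    while IFS= read -r f; do
        printf '%s %s\n' "$(check_artifact "$f")" "$f"
    done
}

# Run the scan only when invoked as: REPO=... KEYRING=... sh checker.sh --run
if [ "${1:-}" = "--run" ]; then
    check_repo
fi
```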