How can I verify the openPGP signature (or hash) of artifacts against an expected one?

(Florian Schmaus) #1

Since it’s possible to sign artifacts with Gradle, and since this signature is uploaded together with the artifacts, the POM file, etc. to the Maven repository, how can I tell Gradle to verify the artifact’s signature against an expected one?

Ideally I’d like to have something like

compile '[group]:[artifact]:[version]:[base64(expected_pubkey)]'

where expected_pubkey is the public key that is expected to sign the artifact. Ideally there would also be optional support for specifying the hash of the artifact, if it’s a non-changing dependency, and support for tagging a repository as ‘trusted’ so that no verification will be performed when using artifacts from it (e.g. because I build the artifacts there myself).

Is that somehow possible with Gradle?

(Florian Schmaus) #2

I’ve created MNG-6026 in Maven’s issue tracker. See also the related Stack Overflow answer.
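As an added example, not part of the original thread and not text from the Gradle project: Gradle 6.2 and later ship dependency verification, which covers most of what post #1 asks for, but through a separate file (`gradle/verification-metadata.xml`) rather than through the dependency notation itself. The file below is constructed for illustration; the coordinates `org.example.upstream:upstream-lib`, the `com.example` group, the key fingerprint and the SHA-256 value are placeholders, not real values to copy.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- gradle/verification-metadata.xml (constructed example; all identifiers are placeholders) -->
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
   <configuration>
      <!-- Verify POM / Gradle module metadata as well, not only the jar. -->
      <verify-metadata>true</verify-metadata>
      <!-- Fail the build unless each artifact carries an .asc signature made by a trusted key,
           or is covered by a checksum or a trusted-artifacts rule below. -->
      <verify-signatures>true</verify-signatures>
      <key-servers>
         <key-server uri="hkp://keyserver.ubuntu.com"/>
      </key-servers>

      <!-- Closest equivalent to "tag a repository as trusted": skip verification for
           artifacts matching a coordinate pattern, e.g. the ones you publish yourself.
           Gradle has no per-repository switch; trust is expressed per coordinate. -->
      <trusted-artifacts>
         <trust group="^com[.]example($|[.])" regex="true" reason="built and published in-house (placeholder group)"/>
      </trusted-artifacts>

      <!-- Equivalent of expected_pubkey in the question: which key may sign which group.
           The id is the signing key's fingerprint (placeholder value here). -->
      <trusted-keys>
         <trusted-key id="0000000000000000000000000000000000000000" group="org.example.upstream"/>
      </trusted-keys>
   </configuration>

   <components>
      <!-- Per-artifact pin for a non-changing dependency: both the signing key and the hash. -->
      <component group="org.example.upstream" name="upstream-lib" version="1.2.3">
         <artifact name="upstream-lib-1.2.3.jar">
            <pgp value="0000000000000000000000000000000000000000"/>
            <sha256 value="0000000000000000000000000000000000000000000000000000000000000000"
                    origin="placeholder; take the real value from the project's release announcement"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
```

Gradle can bootstrap this file with `./gradlew --write-verification-metadata pgp,sha256 help`, and `--export-keys` writes the public keys it used to `gradle/verification-keyring.keys` so later builds do not depend on a key server. The generated entries are trust-on-first-use: they record whichever keys and checksums were served at bootstrap time, so the security comes from comparing the recorded fingerprints against the upstream project's published keys before committing the file, and from reviewing every later change to it.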