How can I verify the openPGP signature (or hash) of artifacts against an expected one?

Since it’s possible to sign artifacts with gradle, and since this signature is uploaded together with the artifacts, the POM file, etc. to the Maven repository, how can I tell gradle to verify the artifact’s signature against an expected one?

Ideally I’d like to have something like

compile '[group]:[artifact]:[version]:[base64(expected_pubkey)]'

where expected_pubkey is the public key that is expected to sign the artifact. Ideally with optional support for specifying the hash of the artifact, if it’s a non-changing dependency, and support for tagging a repository as ‘trusted’ so that no verification will be performed when using artifacts from it (e.g. because I build the artifacts there myself).

Is that somehow possible with gradle?


I’ve created MNG-6026 in Maven's issue tracker. See also the related stackoverflow answer.

https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin can verify PGP signatures and/or checksums for the plugins and dependencies.
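As an added example that is not from this thread or from the plugin linked above: Gradle's own dependency-verification feature (built in since Gradle 6.2) covers the three things the question asks for with a single file, gradle/verification-metadata.xml, which pins artifact checksums, lists the PGP keys expected to sign each group, and marks in-house artifacts as trusted so they are skipped. The group, artifact, version, key fingerprint and checksum below are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <!-- Also verify POM/module metadata, not only the jar. -->
    <verify-metadata>true</verify-metadata>
    <!-- Require a valid .asc signature from a trusted key for every artifact. -->
    <verify-signatures>true</verify-signatures>
    <key-servers>
      <key-server uri="hkps://keys.openpgp.org"/>
    </key-servers>
    <trusted-keys>
      <!-- PLACEHOLDER fingerprint: the 40-hex-digit fingerprint of the key
           that is expected to sign everything under com.example (constructed). -->
      <trusted-key id="0000000000000000000000000000000000000000" group="com.example"/>
    </trusted-keys>
    <trusted-artifacts>
      <!-- Artifacts we build and publish ourselves: no verification performed. -->
      <trust group="com\.example\.internal" regex="true" reason="built in-house"/>
    </trusted-artifacts>
  </configuration>
  <components>
    <!-- Explicit checksum pin for a non-changing dependency (constructed values). -->
    <component group="com.example" name="lib" version="1.2.3">
      <artifact name="lib-1.2.3.jar">
        <sha256 value="PLACEHOLDER_SHA256_OF_LIB_1_2_3_JAR" origin="pinned by hand"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
```

With this file present, Gradle fails the build when an artifact's checksum differs from the pinned one or its signature is missing or made by a key not listed for that group; the file can be bootstrapped with `gradle --write-verification-metadata sha256,pgp help` and then reviewed before committing.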