Signing:
Multiple signatures? (e.g. let GitHub upload the artifacts first, keep Maven repository open, and allow the developer to attach OAuth-based signatures)
It should probably come as a new plugin io.github.vlsi.sigstore-sign
TODO:
.sig file for every existing artifact?
Design doc (just ask if you want edit): https://docs.google.com/document/d/1bJyHOdeK4WC4yuXvDgmvdAIwEG146q2fFkxMjfCbc-0/edit?usp=sharing
Signature format? Should it be minisign? Should it be X.509? (extra X.509 per file might increase repository size and it would require adding all the checksums on top of .sig because Nexus requires .asc and .sha for all the uploaded files)
Verification:
Should it be combined with the existing checksum-dependency plugin? It looks like there's feature overlap, however, Bouncy Castle might sound like an unwanted dependency.