Viewing a PGP signature on a Maven artifact

Posted by 久未见 on 2019-12-08 18:09:24

Question


I'd like to manually verify the PGP signature on a Maven artifact from Central, but I don't know where to start.

I see on Apache's Guide to uploading artifacts to the Central Repository that it says "we require you to provide PGP signatures for all your artifacts".

And I've seen that Sonatype's Nexus Pro software mentions verifying signatures in a blog post on Nexus Pro features.

But I can't find any information on how to get the signatures manually. I'm familiar enough with GPG to perform the actual verification. How do I get a .asc file for an artifact in Central?


Answer 1:


You can simply download those artifact (.asc) files and manually check the signature. Maven Central is accessible via HTTP like this:

http://search.maven.org/remotecontent?filepath=com/soebes/smpp/smpp/0.4/smpp-0.4.pom.asc
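
A manual check along the lines of this answer, as an added example that is not part of the original answers. The function names are hypothetical, and it assumes the endpoint shown above is also reachable over https and that the signer's public key is already in your GnuPG keyring:

```shell
#!/bin/sh
# Added example (not from the original answers). Assumption: MAVEN_BASE is the
# endpoint from answer 1, fetched over https; override it for another mirror.
MAVEN_BASE="${MAVEN_BASE:-https://search.maven.org/remotecontent?filepath=}"

# maven_path GROUP ARTIFACT VERSION EXT -> repository-relative path of the file
maven_path() {
    printf '%s/%s/%s/%s-%s.%s\n' "$(printf '%s' "$1" | tr . /)" "$2" "$3" "$2" "$3" "$4"
}

# signer_fpr: reads `gpg --status-fd` output on stdin. Prints the fingerprint of the
# signing key (a subkey's, if one was used) only when gpg reported GOODSIG, which it
# withholds for bad or expired signatures and for expired or revoked keys.
signer_fpr() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "GOODSIG"  { good = 1 }
         $2 == "VALIDSIG" { fpr = $3 }
         END { if (!good || fpr == "") exit 1; print fpr }'
}

# verify_artifact GROUP ARTIFACT VERSION EXT EXPECTED_FPR
# EXPECTED_FPR must come from a source you trust, not from the same download.
# Usage: verify_artifact com.soebes.smpp smpp 0.4 pom <EXPECTED_FINGERPRINT>
verify_artifact() {
    path=$(maven_path "$1" "$2" "$3" "$4") || return 1
    file=${path##*/}
    curl -fsSL -o "$file" "$MAVEN_BASE$path" || return 1
    curl -fsSL -o "$file.asc" "$MAVEN_BASE$path.asc" || return 1
    fpr=$(gpg --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null | signer_fpr) || {
        echo "no good signature on $file" >&2; return 1; }
    [ "$fpr" = "$5" ] || { echo "signed by unexpected key $fpr" >&2; return 1; }
    echo "OK: $file signed by $fpr"
}

# Constructed sample of gpg status output (not real key material), for offline checks.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-12-08 1575828564 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
```

A "good signature" from a key you have not checked only shows that someone holding that key signed the file, which is why the function compares the fingerprint against one you supply.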



Answer 2:


If you want to check all PGP signatures of your project's dependencies automatically, you can try executing:

mvn org.simplify4u.plugins:pgpverify-maven-plugin:check

This plugin downloads all signature (.asc) files and the needed PGP keys to do the signature check.

You can find more info about this plugin on its site: https://www.simplify4u.org/pgpverify-maven-plugin/



Source: https://stackoverflow.com/questions/10804746/viewing-a-pgp-signature-on-a-maven-artifact
