[ https://issues.apache.org/jira/browse/MRESOLVER-301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17818994#comment-17818994 ]
ASF GitHub Bot commented on MRESOLVER-301:
------------------------------------------
cstamas commented on PR #432:
URL: https://github.com/apache/maven-resolver/pull/432#issuecomment-1955093864
Also, "artifact generator" is one thing, and its use for "signing" is
another.
If we remain in the "publishing to Central" domain, where PGP signature is
enforced, and signing, I am not satisfied with any of the existing solutions:
* maven-sign-plugin uses gpg executable
* takari-sign-plugin cannot do ED25519 (but has cool ideas)
* s4u sign plugin is unused in ASF (but has cool ideas)
So I just "brought" the best of all here. At least, that was my intent. And
yes, IMO, "signing" is a natural fit for "artifact generator" and IMO we should
not complicate our build/POMs for something that _is an expected requirement_
(it is like we'd need to add a plugin to POM to create checksums, something also
required to publish to Central).
Also, "signer" is extensible, so it does not have to get GnuPG, it could be
something else as well... so in this way, it is _not in Maven Core_ (wired in),
but can progress and change, maybe as an extension.
> Artifact Generators
> -------------------
>
> Key: MRESOLVER-301
> URL: https://issues.apache.org/jira/browse/MRESOLVER-301
> Project: Maven Resolver
> Issue Type: New Feature
> Components: Resolver
> Reporter: Tamas Cservenak
> Assignee: Tamas Cservenak
> Priority: Major
> Fix For: 2.0.0
>
>
> Resolver should provide an extension point for "generators". A typical use case
> for these is, for example, "signing" of artifacts.