feature request - do not fail on missing signatures in the same project / reactor build order #29
Labels: enhancement (New feature or request.)
Kortanul added a commit to WrenSecurity/wrensec-deploy-tool that referenced this issue Mar 10, 2018
Without a GPG signature being added during a local compile, the build will fail on dependencies within the current reactor because of: s4u/pgpverify-maven-plugin#29
Kortanul added a commit to Kortanul/pgpverify-maven-plugin that referenced this issue May 24, 2018
this change adjusts PGP Verify to no longer complain about dependencies that are being built as part of the current multi-module build, in the event that the current build is not being signed. this allows `mvn clean install` to work properly without requiring that every build be signed, as long as the dependencies of all of the projects in the current build (minus the projects currently being built) are signed. the option can be toggled on or off with the new `verifyReactorDependencies` setting on the plug-in, in the event that projects want to require signing for both dependencies AND projects in the current reactor build.
slawekjaranowski pushed a commit that referenced this issue May 24, 2018
this change adjusts PGP Verify to no longer complain about dependencies that are being built as part of the current multi-module build, in the event that the current build is not being signed. this allows `mvn clean install` to work properly without requiring that every build be signed, as long as the dependencies of all of the projects in the current build (minus the projects currently being built) are signed. the option can be toggled on or off with the new `verifyReactorDependencies` setting on the plug-in, in the event that projects want to require signing for both dependencies AND projects in the current reactor build.
currently, pgpverify checks signatures on all dependencies, even if those dependencies come from the same project as the one being built. that works well if the project is always signed when it is being built, but that makes local development inconvenient.
here's an example scenario where this is a problem:
in this scenario, running `mvn clean install` will cause a failure upon reaching module C because the locally-installed version of module B is not signed with the same signature as the one in the Maven repository.

perhaps there could be an option to disregard dependencies produced by the same multi-module project.
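The `verifyReactorDependencies` setting named in the commit message above, shown in a `pom.xml` fragment as an added example (not code from this issue or from the plugin's own documentation). The property name `pgp.verifyReactor`, the profile id `release` and the version placeholder are assumptions; the plugin coordinates are its current published ones, not taken from this page.

```xml
<!-- Added example: fragment of a parent pom.xml for a multi-module build. -->
<properties>
  <!-- Hypothetical property: local builds skip checks on reactor modules. -->
  <pgp.verifyReactor>false</pgp.verifyReactor>
</properties>

<build>
  <plugins>
    <plugin>
      <groupId>org.simplify4u.plugins</groupId>
      <artifactId>pgpverify-maven-plugin</artifactId>
      <!-- Placeholder: pin a release that includes the change above. -->
      <version>PLUGIN_VERSION</version>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- External dependencies are always verified. This switch only
             decides whether modules built in the same reactor are too. -->
        <verifyReactorDependencies>${pgp.verifyReactor}</verifyReactorDependencies>
      </configuration>
    </plugin>
  </plugins>
</build>

<profiles>
  <profile>
    <!-- Hypothetical profile for signed builds: every artifact, including
         sibling modules, must carry a valid signature. -->
    <id>release</id>
    <properties>
      <pgp.verifyReactor>true</pgp.verifyReactor>
    </properties>
  </profile>
</profiles>
```

With this layout, `mvn clean install` skips signature checks only for modules in the current reactor, while `mvn -Prelease clean install` checks those modules as well.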