Re: testing pgpverify-maven-plugin

Re: testing pgpverify-maven-plugin

Slawomir Jaranowski
Hi Hervé

Thanks for the good words about my project.

1. There is already a request for the feature of automatically generating
the keys map file [2].
The keys map file format is described with examples on the project page [3].
The keys map is similar to Java properties, with an exception for ':'
(colon): in Java properties a colon separates key and value. Of course every
idea is welcome.


2. For multi-module Maven projects we have the challenge of how to share one
resource with all project modules.
I know some ways:
- an external project with resources
- a special module in the project, but in this case we must refactor the
project structure like in IT test sigOkKeysMapMultiModule [4]
- we can also use the assembly plugin to attach a special artifact to the
project root module, like I did in project pgp-keys-map [5]

[2] https://github.com/s4u/pgpverify-maven-plugin/issues/84
[3] https://www.simplify4u.org/pgpverify-maven-plugin/keysmap-format.html
[4] https://github.com/s4u/pgpverify-maven-plugin/tree/master/src/it/sigOkKeysMapMultiModule
[5] https://github.com/s4u/pgp-keys-map

On Wed, 10 Mar 2021 at 21:48, Hervé BOUTEMY <[hidden email]> wrote:

> Hi Slawomir,
>
> I just tested pgpverify-maven-plugin on maven-artifact-plugin [1].
> I was successful, really nice.
>
> From that experience, I have some questions on the keys map file:
>
> 1. is there a way to ease the creation of the file content?
> currently, I had to copy paste output, check that I trusted the keys
> (which of course can't be automated), and then had to do a lot of
> modifications to match the properties file format. Would it be possible to
> have a default output that matches properties format, so reviewing and
> injecting content would be easier?
>
> 2. I also tested on a multi-module project (like maven-archetype-bundles),
> and I could not configure the plugin to use one single keys map for the
> whole build: creating 1 file per module is really cumbersome.
> Did you imagine a way to share the same map file in a multi-module build?
>
> This plugin is really nice, the hard part is about writing keys map file...
>
> Regards,
>
> Hervé
>
>
> [1] https://github.com/apache/maven-artifact-plugin/commit/41df63adaf91f0c481fff9347abb2dbeb7022f5b
>
>
>

--
Sławomir Jaranowski

Re: testing pgpverify-maven-plugin

Andreas Sewe-3
Hi,

> I just tested pgpverify-maven-plugin on maven-artifact-plugin [1].
> I was successful, really nice.

I second that. Highly useful plugin and well-documented, too, which
unfortunately isn't always the case.

I have a few suggestions for improvement, though, which I have added to
the GitHub issue tracker [1]. Hope that helps.

Best wishes,

Andreas Sewe

[1] <https://github.com/s4u/pgpverify-maven-plugin/issues/created_by/sewe>



Re: testing pgpverify-maven-plugin

Hervé BOUTEMY
In reply to this post by Slawomir Jaranowski
for multi-modules, I found one setup to stay light = 1 keys list for the whole multi-module project:
          <configuration>
            <keysMapLocation>${maven.multiModuleProjectDirectory}/pgp-keys-map.list</keysMapLocation>
          </configuration>
this maven.multiModuleProjectDirectory property is available since Maven 3.3, then I suppose it should be ok


And on generating keys map file, I found that you already did the vast majority of what I expected: once the keys file is not empty, on missing (or non-matching) key, error message has what I need:
[ERROR] Not allowed artifact junit:junit:jar:4.13 and keyID:
        junit:junit:4.13 = 0xFF6E2C001948C5F2F38B0CC385911F425EC61B51
        https://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0xFF6E2C001948C5F2F38B0CC385911F425EC61B51

the second line can simply be copied = what I was looking for

I did not understand that the message when key is ok is not the same:
[INFO] org.hamcrest:hamcrest-core:jar:1.3 PGP Signature OK
       KeyId: 0x4DB1A49729B053CAF015CEE9A6ADFC93EF34893E UserIds: [Tom Denley (scarytom) <[hidden email]>]

I'm sure little enhancements can be done to make messages more clear, but now I see that it works mostly as I want

I'll probably provide PRs later

now, we should IMHO use this plugin in each of our builds...

Regards,

Hervé

On Wednesday, 10 March 2021, 22:44:57 CET, Slawomir Jaranowski wrote:

> Hi Hervé
>
> Thanks for the good words about my project.
>
> 1. There is already a request for the feature of automatically generating
> the keys map file [2].
> The keys map file format is described with examples on the project page [3].
> The keys map is similar to Java properties, with an exception for ':'
> (colon): in Java properties a colon separates key and value. Of course every
> idea is welcome.
>
>
> 2. For multi-module Maven projects we have the challenge of how to share one
> resource with all project modules.
> I know some ways:
> - an external project with resources
> - a special module in the project, but in this case we must refactor the
> project structure like in IT test sigOkKeysMapMultiModule [4]
> - we can also use the assembly plugin to attach a special artifact to the
> project root module, like I did in project pgp-keys-map [5]
>
> [2] https://github.com/s4u/pgpverify-maven-plugin/issues/84
> [3] https://www.simplify4u.org/pgpverify-maven-plugin/keysmap-format.html
> [4] https://github.com/s4u/pgpverify-maven-plugin/tree/master/src/it/sigOkKeysMapMultiModule
> [5] https://github.com/s4u/pgp-keys-map
>
> On Wed, 10 Mar 2021 at 21:48, Hervé BOUTEMY <[hidden email]> wrote:
> > Hi Slawomir,
> >
> > I just tested pgpverify-maven-plugin on maven-artifact-plugin [1].
> > I was successful, really nice.
> >
> > From that experience, I have some questions on the keys map file:
> >
> > 1. is there a way to ease the creation of the file content?
> > currently, I had to copy paste output, check that I trusted the keys
> > (which of course can't be automated), and then had to do a lot of
> > modifications to match the properties file format. Would it be possible to
> > have a default output that matches properties format, so reviewing and
> > injecting content would be easier?
> >
> > 2. I also tested on a multi-module project (like maven-archetype-bundles),
> > and I could not configure the plugin to use one single keys map for the
> > whole build: creating 1 file per module is really cumbersome.
> > Did you imagine a way to share the same map file in a multi-module build?
> >
> > This plugin is really nice, the hard part is about writing keys map
> > file...
> >
> > Regards,
> >
> > Hervé
> >
> >
> > [1] https://github.com/apache/maven-artifact-plugin/commit/41df63adaf91f0c481fff9347abb2dbeb7022f5b
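
Added example, not part of the thread and not the plugin's own code: a small Python helper that reads a build log containing the two message shapes quoted in the last message and produces candidate keys map lines for human review, setting aside any artifact that appears with more than one key instead of proposing it. The function names are hypothetical, and turning `group:artifact:type:version` into `group:artifact:version` is an assumption taken from the junit lines above.

```python
import re
from collections import defaultdict

# Constructed sample log: first five lines use the shapes quoted in the thread,
# the last two are invented to show a conflicting key for one artifact.
SAMPLE_LOG = """\
[ERROR] Not allowed artifact junit:junit:jar:4.13 and keyID:
        junit:junit:4.13 = 0xFF6E2C001948C5F2F38B0CC385911F425EC61B51
        https://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0xFF6E2C001948C5F2F38B0CC385911F425EC61B51
[INFO] org.hamcrest:hamcrest-core:jar:1.3 PGP Signature OK
       KeyId: 0x4DB1A49729B053CAF015CEE9A6ADFC93EF34893E UserIds: [Tom Denley (scarytom) <[hidden email]>]
[INFO] junit:junit:jar:4.13 PGP Signature OK
       KeyId: 0x0000000000000000000000000000000000000001 UserIds: [Constructed Key <[hidden email]>]
"""

ENTRY = re.compile(r"^\s+([^\s:=]+:[^\s:=]+:[^\s:=]+)\s*=\s*(0x[0-9A-Fa-f]+)\s*$")
SIG_OK = re.compile(r"^\[INFO\]\s+(\S+:\S+:\S+) PGP Signature OK\s*$")
KEY_ID = re.compile(r"^\s+KeyId:\s*(0x[0-9A-Fa-f]+)")


def collect(log):
    """Return {keys-map pattern: set of key fingerprints} seen in the log."""
    seen, pending = defaultdict(set), None
    for line in log.splitlines():
        if m := ENTRY.match(line):          # ready-made "g:a:v = 0x..." line
            seen[m.group(1)].add("0x" + m.group(2)[2:].upper())
        elif m := SIG_OK.match(line):       # coordinates; key is on next line
            g, a, *_, v = m.group(1).split(":")
            pending = f"{g}:{a}:{v}"        # assumption: drop type/classifier
            continue
        elif (m := KEY_ID.match(line)) and pending:
            seen[pending].add("0x" + m.group(1)[2:].upper())
        pending = None
    return seen


def review_sheet(log):
    """Return (candidate lines for human review, {pattern: conflicting keys})."""
    candidates, conflicts = [], {}
    for pattern, keys in sorted(collect(log).items()):
        if len(keys) == 1:
            candidates.append(f"{pattern} = {next(iter(keys))}")
        else:
            conflicts[pattern] = sorted(keys)
    return candidates, conflicts


if __name__ == "__main__":
    print(review_sheet(SAMPLE_LOG))
```

The candidate lines are only a starting point for review: deciding whether each key is trusted remains a manual step, as noted in the first message of the thread.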




