[slf4j-user] Signatures for verifying Slf4j
Ceki Gülcü
ceki at qos.ch
Wed May 12 11:14:15 CEST 2010
Hello Elisha,
I can't immediately add signatures to our jars. However, please enter
a bug report and I'll look into it.
On 12/05/2010 10:03 AM, Elisha Ebenezer wrote:
> Hi Ceki,
> Can you please provide us an update on when we can expect the
> slf4j (and logback) shipped as signed jars. And also, please consider
> publishing md5/sha1 checksums on your site.
> This would help us to push for using slf4j in security-conscious
> organizations.
> Thanks,
> Elisha Ebenezer
>
> On Sat, May 8, 2010 at 8:44 PM, Joern Huxhorn <jhuxhorn at googlemail.com> wrote:
>
> Hi Jeff,
>
> thank you very much for this information and your article! I wasn't
> aware of this plugin.
>
> I just changed my build process for Lilith accordingly.
> See
> http://github.com/huxi/lilith/commit/c2689ee57b263c6a2cb6241547a991703354bc6f
>
> I had to jump through some loops, though, since I have gpg2 instead
> of gpg:
>
> The following two properties had to be added to my pom:
> <gpg.useagent>true</gpg.useagent>
> <gpg.keyname>740A1840</gpg.keyname>
>
> The first one makes sure that gpg isn't complaining about an invalid
> option (--no-use-agent was removed in gpg2) and doesn't ask for a
> passphrase anymore.
> This was quite tricky since the documentation of maven-gpg-plugin
> says that it's called useAgent, which it isn't!
>
> The second one selects the correct key used for the signature -
> which is a good idea if you have more than one.
>
> I wanted to comment on your article but, unfortunately, comments are
> disabled.
>
> Cheers,
> Joern.
>
> On 08.05.2010, at 03:23, Jeff Jensen wrote:
>
>> It is best if the artifacts are signed. Sometime in the near
>> future, Central/Nexus will not accept artifacts without being signed.
>> This would prove the source for you more than the hashes.
>> Ceki: you should start signing the release artifacts. It is very
>> easy - I’ve done it already on a few products and Sonatype has a
>> very good page describing how. Maven will do it automatically for
>> you:
>> http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven
>> From: slf4j-user-bounces at qos.ch [mailto:slf4j-user-bounces at qos.ch] On Behalf Of Joern Huxhorn
>> Sent: Friday, May 07, 2010 3:50 AM
>> To: User list for the slf4j project
>> Subject: Re: [slf4j-user] Signatures for verifying Slf4j
>> One solution could be the use of signed tags for SLF4J and Logback.
>> That way it would be possible to pull the git repository, check
>> the signature of the tag and build SLF4J and Logback yourself
>> afterwards.
>> I think the MD5 and SHA1 of Maven repository are merely a way to
>> prevent corrupted files, not an actual security feature.
>> Cheers,
>> Joern.
>> On 07.05.2010, at 09:26, Elisha Ebenezer wrote:
>>
>>
>> Hi Ceki,
>> I'm trying to push to use Slf4j and logback in our project and my
>> company wants me to get the MD5 or SHA1 hashes or the code-signing
>> certs to verify the integrity of downloaded files.
>>
>> Though the repo1.maven.org site provides the hashes, we are not sure
>> whether the war and the hash are uploaded by a genuine party or not.
>>
>> As you are the owner of the project, I request you to kindly
>> publish the hashes or certs on the website's download page, which can
>> be cross-checked with the downloaded war and/or also with the
>> maven repository.
>>
>> Kindly do the needful and oblige.
>>
>> Thanks,
>> Elisha Ebenezer.
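As an added illustration of the point Joern and Elisha make above (this is not code from SLF4J, Logback or anyone on the list): a small Python checker that parses the .sha1/.md5 sidecar files a Maven repository publishes, verifies a downloaded jar against them, and then cross-checks the SHA-1 against a hash the project publishes out of band, which is the step Elisha asks for. The jar bytes and sidecar contents are constructed sample data.

```python
"""Maven artifact check: repository checksums only catch corruption; a hash
(or signature) published by the project itself is what ties the bytes to
the publisher, because whoever replaces the jar can replace the .sha1 too."""
import hashlib
import hmac
from typing import Optional

HEX = set("0123456789abcdefABCDEF")


def parse_checksum_file(text: str) -> str:
    """Return the lowercase hex digest from a .md5/.sha1 sidecar file.
    Sidecars vary: a bare digest, or 'digest  filename', any case."""
    fields = text.strip().split()
    if not fields or not set(fields[0]) <= HEX:
        raise ValueError("checksum file does not start with a hex digest")
    return fields[0].lower()


def digest(data: bytes, algorithm: str) -> str:
    """Hex digest of the artifact bytes with the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def check_artifact(data: bytes, repo_sha1_file: str, repo_md5_file: str,
                   publisher_sha1: Optional[str] = None) -> str:
    """Classify a download.
    'corrupt'   - bytes do not match the repository's own sidecar checksums
    'untrusted' - sidecars match, but nothing ties the file to the publisher
    'mismatch'  - sidecars match, yet the publisher's out-of-band hash differs
    'ok'        - bytes match the hash the project published separately"""
    sha1, md5 = digest(data, "sha1"), digest(data, "md5")
    if not (hmac.compare_digest(sha1, parse_checksum_file(repo_sha1_file))
            and hmac.compare_digest(md5, parse_checksum_file(repo_md5_file))):
        return "corrupt"
    if publisher_sha1 is None:
        return "untrusted"
    if not hmac.compare_digest(sha1, publisher_sha1.strip().lower()):
        return "mismatch"
    return "ok"


# Constructed sample: stand-in bytes for a jar and its repository sidecars.
SAMPLE_JAR = b"PK\x03\x04 constructed stand-in for slf4j-api.jar"
SAMPLE_SHA1_FILE = digest(SAMPLE_JAR, "sha1") + "  slf4j-api.jar\n"
SAMPLE_MD5_FILE = digest(SAMPLE_JAR, "md5").upper()

if __name__ == "__main__":
    print(check_artifact(SAMPLE_JAR, SAMPLE_SHA1_FILE, SAMPLE_MD5_FILE))
```

A jar swapped together with regenerated sidecars passes the repository check and is only caught by the out-of-band hash, which is exactly why a checksum on the download page (or a PGP signature) adds something the repository's own files cannot.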