[slf4j-user] Signatures for verifying Slf4j

Elisha Ebenezer elisha.ebenezer at gmail.com
Wed May 12 10:03:38 CEST 2010


Hi Ceki,
Can you please provide us an update on when we can expect
slf4j (and logback) to ship as signed jars. And also, please consider
publishing md5/sha1 checksums on your site.
This would help us to push for using slf4j in security-conscious
organizations.

Thanks,
Elisha Ebenezer

On Sat, May 8, 2010 at 8:44 PM, Joern Huxhorn <jhuxhorn at googlemail.com> wrote:

> Hi Jeff,
>
> thank you very much for this information and your article! I wasn't aware
> of this plugin.
>
> I just changed my build process for Lilith accordingly.
> See
> http://github.com/huxi/lilith/commit/c2689ee57b263c6a2cb6241547a991703354bc6f
>
> I had to jump through some loops, though, since I have gpg2 instead of gpg:
>
> The following two properties had to be added to my pom:
> <gpg.useagent>true</gpg.useagent>
> <gpg.keyname>740A1840</gpg.keyname>
>
> The first one makes sure that gpg isn't complaining about an invalid option
> (--no-use-agent was removed in gpg2) and doesn't ask for a passphrase
> anymore.
> This was quite tricky since the documentation of maven-gpg-plugin says that
> it's called useAgent, which it isn't!
>
> The second one selects the correct key used for the signature - which is a
> good idea if you have more than one.
>
> I wanted to comment on your article but, unfortunately, comments are
> disabled.
>
> Cheers,
> Joern.
>
> On 08.05.2010, at 03:23, Jeff Jensen wrote:
>
> It is best if the artifacts are signed. Sometime in the near future,
> Central/Nexus will not accept artifacts without being signed.
>
> This would prove the source for you more than the hashes.
>
> Ceki: you should start signing the release artifacts.  It is very easy -
> I’ve done it already on a few products and Sonatype has a very good page
> describing how.  Maven will do it automatically for you:
>
> http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven
>
>
>
> From: slf4j-user-bounces at qos.ch [mailto:slf4j-user-bounces at qos.ch] On Behalf Of Joern Huxhorn
> Sent: Friday, May 07, 2010 3:50 AM
> To: User list for the slf4j project
> Subject: Re: [slf4j-user] Signatures for verifying Slf4j
>
> One solution could be the use of signed tags for SLF4J and Logback.
>
> That way it would be possible to pull the git repository, check the
> signature of the tag and build SLF4J and Logback yourself afterwards.
> I think the MD5 and SHA1 of Maven repository are merely a way to prevent
> corrupted files, not an actual security feature.
>
> Cheers,
> Joern.
>
> On 07.05.2010, at 09:26, Elisha Ebenezer wrote:
>
>
> Hi Ceki,
> I'm trying to push to use Slf4j and logback in our project and my company
> wants me to get the MD5 or SHA1 hashes or the code-signing certs to verify
> the integrity of downloaded files.
>
> Though repo1.maven.org site provides the hashes, we are not sure whether
> the war and the hash are uploaded by genuine party or not.
>
> As you are the owner of the project, I request you to kindly publish the
> hashes or certs on the website's download page, which can be cross-checked with
> the downloaded war and/or also with the maven repository.
>
> Kindly do the needful and oblige.
>
> Thanks,
> Elisha Ebenezer.
> _______________________________________________
> slf4j-user mailing list
> slf4j-user at qos.ch
> http://qos.ch/mailman/listinfo/slf4j-user
>
>
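The thread draws a line between the repository's MD5/SHA1 files (a corruption check) and a PGP signature over the artifact (an origin check). The following Python verifier is an added example, not code from the list or from the SLF4J project: it checks a jar against a Maven-style .sha1/.md5 file and, when gpg is installed, against a detached .asc; the jar bytes, file names and bogus signature are constructed for the self-check.

```python
"""Check a downloaded Maven artifact two ways: the repo's .sha1/.md5 file
(integrity only) and its detached PGP signature (origin). Constructed sample."""
import hashlib, hmac, shutil, subprocess, tempfile
from pathlib import Path
from typing import Optional


def parse_checksum_file(text: str) -> str:
    """Maven .sha1/.md5 files are a bare hex digest or 'digest  filename'."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return lines[0].split()[0].lower() if lines else ""


def verify_checksum(artifact: Path, checksum_file: Path, algo: str) -> bool:
    """Detects a corrupted download only: whoever can swap the jar on a
    mirror can swap the .sha1 beside it just as easily."""
    expected = parse_checksum_file(checksum_file.read_text())
    actual = hashlib.new(algo, artifact.read_bytes()).hexdigest()
    return hmac.compare_digest(actual, expected)


def verify_signature(artifact: Path, asc: Path,
                     keyring: Optional[Path] = None) -> Optional[bool]:
    """gpg --verify of the detached .asc; None if gpg is not installed.
    Pass a keyring holding only the project's published key: VALIDSIG
    alone just means *some* key in the keyring made the signature."""
    gpg = shutil.which("gpg") or shutil.which("gpg2")
    if gpg is None:
        return None
    cmd = [gpg, "--batch", "--status-fd", "1"]
    if keyring is not None:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd += ["--verify", str(asc), str(artifact)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0 and "[GNUPG:] VALIDSIG" in proc.stdout


def self_check() -> dict:
    """Constructed sample jar, .sha1 in both formats, a tampered copy,
    and a bogus .asc (so 'sig' is False with gpg, None without it)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        jar, bad = d / "lib.jar", d / "tampered.jar"
        jar.write_bytes(b"PK\x03\x04constructed-sample")
        bad.write_bytes(b"PK\x03\x04constructed-sample!")
        digest = hashlib.sha1(jar.read_bytes()).hexdigest()
        (d / "bare.sha1").write_text(digest.upper() + "\n")
        (d / "named.sha1").write_text(f"{digest}  lib.jar\n")
        (d / "lib.jar.asc").write_text("not a real signature\n")
        return {"bare": verify_checksum(jar, d / "bare.sha1", "sha1"),
                "named": verify_checksum(jar, d / "named.sha1", "sha1"),
                "tampered": verify_checksum(bad, d / "bare.sha1", "sha1"),
                "sig": verify_signature(jar, d / "lib.jar.asc")}
```

For a real release, point `keyring` at a keyring containing only the key id the project publishes (the thread mentions selecting it with gpg.keyname on the signing side), so a signature from any other key is rejected.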