pgpverify:check
Full name:
org.simplify4u.plugins:pgpverify-maven-plugin:1.18.2:check
Description:
Check OpenPGP signature of all project and plugins dependencies.
Attributes:
- Requires a Maven project to be executed.
- Requires dependency resolution of artifacts in scope:
test
. - The goal is thread-safe and supports parallel builds.
- Binds by default to the lifecycle phase:
validate
.
Required Parameters
Name | Type | Since | Description |
---|---|---|---|
<pgpKeyServer> |
String |
1.0.0 |
PGP public key servers address.
From version 1.7.0 you can provide many key servers separated by comma, semicolon or whitespace. From version 1.15.0 hkp/http protocols are deprecated - please use hkps/https for key servers. Default: hkps://keyserver.ubuntu.com, hkps://keys.openpgp.org, hkps://pgp.mit.edu User Property: pgpverify.keyserver |
<pgpKeysCachePath> |
File |
1.0.0 |
The directory for storing cached PGP public keys. Default: ${settings.localRepository}/pgpkeys-cache User Property: pgpverify.keycache |
Optional Parameters
Name | Type | Since | Description |
---|---|---|---|
<disableChecksum> |
boolean |
1.9.0 |
Disable the use of a checksum to check whether the collection of artifacts was validated in a previous run. If enabled and the checksum matches, skip subsequent steps that perform actual downloading of signatures and validation of artifacts against their respective signatures.
Checksums save significant time when repeatedly checking large artifact collections. Default: false User Property: pgpverify.disableChecksum |
<failNoSignature> |
Boolean |
1.1.0 |
Deprecated. Deprecated as of 1.13.0: this requirement can be expressed through the keysMap. Fail the build if any dependency doesn't have a signature. User Property: pgpverify.failNoSignature |
<failWeakSignature> |
boolean |
1.2.0 |
Fail the build if any dependency has a weak signature. Default: false User Property: pgpgverify.failWeakSignature |
<keyNotFoundRefreshHour> |
int |
1.15.0 |
When key does not exist on key servers such information will be stored in cache.
Next checking for key existence will be done after specific hours remain. Default: 24 |
<keysMapLocation> |
List<KeysMapLocationConfig> |
1.1.0 |
Specifies the location of a file that contains the map of dependencies to PGP key. This can be path to local file, path to file on plugin classpath or url address. Since version 1.12.0 - Multiple KeysMap configuration You can use ready keys map: https://github.com/s4u/pgp-keys-map User Property: pgpverify.keysMapLocation Alias: keysMapLocations |
<pgpKeyServerLoadBalance> |
boolean |
1.7.0 |
If many key servers are provided, use all of them.
If set to false only first key server will be used, another as fallback. Default: false User Property: pgpverify.keyserversLoadBalance |
<proxyName> |
String |
1.8.0 |
Choose which proxy to use (id from settings.xml in maven config). Uses no proxy if the proxy was not found. If it is not set, it will take the first active proxy if any or no proxy, if no active proxy was found. User Property: pgpverify.proxyName |
<quiet> |
boolean |
1.4.0 |
Only log errors. Default: false User Property: pgpverify.quiet |
<reportFile> |
File |
1.13.0 |
Path to report file of verification result. Default: ${project.build.directory}/pgpverify-report.json User Property: pgpverify.reportFile |
<reportWrite> |
boolean |
1.13.0 |
Indicate if verification report should be generated. Default: false User Property: pgpverify.reportWrite |
<scope> |
String |
1.0.0 |
Scope used to build dependency list.
This scope indicates up to which scope artifacts will be included. For example, the 'test' scope will include Default: test User Property: pgpverify.scope |
<skip> |
boolean |
1.3.0 |
Skip verification altogether. Default: false User Property: pgpverify.skip |
<strictNoSignature> |
Boolean |
1.5.0 |
Deprecated. Deprecated as of 1.9.0: this requirement can be expressed through the keysMap. Does nothing - to be removed. User Property: pgpverify.strictNoSignature |
<suppressSignatureOkLogging> |
boolean |
1.17.0 |
Suppress Signature OK Default: false User Property: pgpverify.suppressSignatureOkLogging |
<verifyAtypical> |
boolean |
1.6.0 |
Verify dependency artifact in atypical locations:
In addition, it will detect when maven-surefire-plugin version 3 is used, as this will dynamically resolve and load additional artifacts. However, these artifacts are not validated. Default: false User Property: pgpverify.verifyAtypical |
<verifyPluginDependencies> |
boolean |
1.8.0 |
Verify transitive dependencies of build plug-ins.
When enabled, configuration parameter Default: false User Property: pgpverify.verifyPluginDependencies |
<verifyPlugins> |
boolean |
1.5.0 |
Verify Maven build plug-ins. Default: false User Property: pgpverify.verifyPlugins |
<verifyPomFiles> |
boolean |
1.1.0 |
Verify pom files also. Default: true User Property: pgpverify.verifyPomFiles |
<verifyProvidedDependencies> |
boolean |
1.2.0 |
Verify "provided" dependencies, which the JDK or a container provide at runtime. Default: false User Property: pgpverify.verifyProvidedDependencies |
<verifyReactorDependencies> |
boolean |
1.3.0 |
Verify dependencies that are part of the current build (what Maven calls the "reactor").
This setting only affects multi-module builds that have inter-dependencies between modules. It has no effect on single-module projects nor on multi-module projects that do not have dependencies among the modules. In affected builds, if this setting is Default: false User Property: pgpverify.verifyReactorDependencies |
<verifySnapshots> |
boolean |
1.2.0 |
Verify dependencies at a SNAPSHOT version, instead of only verifying full release version dependencies. Default: false User Property: pgpverify.verifySnapshots |
<verifySystemDependencies> |
boolean |
1.2.0 |
Verify "system" dependencies, which are artifacts that have an explicit path specified in the POM, are always available, and are not looked up in a repository. Default: false User Property: pgpverify.verifySystemDependencies |
Parameter Details
<disableChecksum>
Checksums save significant time when repeatedly checking large artifact collections.
- Type:
boolean
- Since:
1.9.0
- Required:
No
- User Property:
pgpverify.disableChecksum
- Default:
false
<failNoSignature>
Deprecated as of 1.13.0: this requirement can be expressed through the keysMap.
- Type:
java.lang.Boolean
- Since:
1.1.0
- Required:
No
- User Property:
pgpverify.failNoSignature
<failWeakSignature>
- Type:
boolean
- Since:
1.2.0
- Required:
No
- User Property:
pgpgverify.failWeakSignature
- Default:
false
<keyNotFoundRefreshHour>
Next checking for key existence will be done after specific hours remain.
- Type:
int
- Since:
1.15.0
- Required:
No
- Default:
24
<keysMapLocation>
Specifies the location of a file that contains the map of dependencies to PGP key.
This can be path to local file, path to file on plugin classpath or url address.
Since version 1.12.0 - Multiple KeysMap configuration
You can use ready keys map: https://github.com/s4u/pgp-keys-map
- Type:
java.util.List<org.simplify4u.plugins.keysmap.KeysMapLocationConfig>
- Since:
1.1.0
- Required:
No
- User Property:
pgpverify.keysMapLocation
- Alias:
keysMapLocations
<pgpKeyServer>
From version 1.7.0 you can provide many key servers separated by comma, semicolon or whitespace.
From version 1.15.0 hkp/http protocols are deprecated - please use hkps/https for key servers.
- Type:
java.lang.String
- Since:
1.0.0
- Required:
Yes
- User Property:
pgpverify.keyserver
- Default:
hkps://keyserver.ubuntu.com, hkps://keys.openpgp.org, hkps://pgp.mit.edu
<pgpKeyServerLoadBalance>
If set to false only first key server will be used, another as fallback.
- Type:
boolean
- Since:
1.7.0
- Required:
No
- User Property:
pgpverify.keyserversLoadBalance
- Default:
false
<pgpKeysCachePath>
- Type:
java.io.File
- Since:
1.0.0
- Required:
Yes
- User Property:
pgpverify.keycache
- Default:
${settings.localRepository}/pgpkeys-cache
<proxyName>
- Type:
java.lang.String
- Since:
1.8.0
- Required:
No
- User Property:
pgpverify.proxyName
<quiet>
- Type:
boolean
- Since:
1.4.0
- Required:
No
- User Property:
pgpverify.quiet
- Default:
false
<reportFile>
Path to report file of verification result.
- Type:
java.io.File
- Since:
1.13.0
- Required:
No
- User Property:
pgpverify.reportFile
- Default:
${project.build.directory}/pgpverify-report.json
<reportWrite>
Indicate if verification report should be generated.
- Type:
boolean
- Since:
1.13.0
- Required:
No
- User Property:
pgpverify.reportWrite
- Default:
false
<scope>
This scope indicates up to which scope artifacts will be included. For example, the 'test' scope will include provided
, compile
, runtime
, and system
scoped dependencies.
- Type:
java.lang.String
- Since:
1.0.0
- Required:
No
- User Property:
pgpverify.scope
- Default:
test
<skip>
- Type:
boolean
- Since:
1.3.0
- Required:
No
- User Property:
pgpverify.skip
- Default:
false
<strictNoSignature>
Deprecated as of 1.9.0: this requirement can be expressed through the keysMap.
- Type:
java.lang.Boolean
- Since:
1.5.0
- Required:
No
- User Property:
pgpverify.strictNoSignature
<suppressSignatureOkLogging>
- Type:
boolean
- Since:
1.17.0
- Required:
No
- User Property:
pgpverify.suppressSignatureOkLogging
- Default:
false
<verifyAtypical>
- annotation processors in org.apache.maven.plugins:maven-compiler-plugin configuration.
In addition, it will detect when maven-surefire-plugin version 3 is used, as this will dynamically resolve and load additional artifacts. However, these artifacts are not validated.
- Type:
boolean
- Since:
1.6.0
- Required:
No
- User Property:
pgpverify.verifyAtypical
- Default:
false
<verifyPluginDependencies>
When enabled, configuration parameter verifyPlugins
is enabled implicitly.
- Type:
boolean
- Since:
1.8.0
- Required:
No
- User Property:
pgpverify.verifyPluginDependencies
- Default:
false
<verifyPlugins>
- Type:
boolean
- Since:
1.5.0
- Required:
No
- User Property:
pgpverify.verifyPlugins
- Default:
false
<verifyPomFiles>
- Type:
boolean
- Since:
1.1.0
- Required:
No
- User Property:
pgpverify.verifyPomFiles
- Default:
true
<verifyProvidedDependencies>
- Type:
boolean
- Since:
1.2.0
- Required:
No
- User Property:
pgpverify.verifyProvidedDependencies
- Default:
false
<verifyReactorDependencies>
This setting only affects multi-module builds that have inter-dependencies between modules. It has no effect on single-module projects nor on multi-module projects that do not have dependencies among the modules.
In affected builds, if this setting is true
, and the current build is not applying GPG signatures, then the output artifacts of some of the modules in the build will not be signed. Consequently, other modules within the build that depend on those output artifacts will not pass the GPG signature check because they are unsigned. When this setting is false
, GPG signatures are not checked on output artifacts of modules in the current build, to avoid this issue.
- Type:
boolean
- Since:
1.3.0
- Required:
No
- User Property:
pgpverify.verifyReactorDependencies
- Default:
false
<verifySnapshots>
- Type:
boolean
- Since:
1.2.0
- Required:
No
- User Property:
pgpverify.verifySnapshots
- Default:
false
<verifySystemDependencies>
- Type:
boolean
- Since:
1.2.0
- Required:
No
- User Property:
pgpverify.verifySystemDependencies
- Default:
false