Examples
Simple usage
You can try it by running in your project directory:
mvn org.simplify4u.plugins:pgpverify-maven-plugin:check
If you want check your dependency on each build, please add to your project:
<project>
...
<build>
<!-- To define the plugin version in your parent POM -->
<pluginManagement>
<plugins>
<plugin>
<groupId>org.simplify4u.plugins</groupId>
<artifactId>pgpverify-maven-plugin</artifactId>
<version>1.18.2</version>
</plugin>
...
</plugins>
</pluginManagement>
<!-- To use the plugin goals in your POM or parent POM -->
<plugins>
<plugin>
<groupId>org.simplify4u.plugins</groupId>
<artifactId>pgpverify-maven-plugin</artifactId>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
...
</plugins>
</build>
...
</project>
keysMap usage
keysMap with PGP fingerprint from project
<pluginManagement>
<plugins>
<plugin>
<groupId>org.simplify4u.plugins</groupId>
<artifactId>pgpverify-maven-plugin</artifactId>
<version>1.18.2</version>
<configuration>
<keysMapLocation>${project.basedir}/pgp-keys-map.list</keysMapLocation>
</configuration>
</plugin>
...
</plugins>
</pluginManagement>
keysMap with PGP fingerprint from external artifact
<pluginManagement>
<plugins>
<plugin>
<groupId>org.simplify4u.plugins</groupId>
<artifactId>pgpverify-maven-plugin</artifactId>
<version>1.18.2</version>
<configuration>
<keysMapLocation>/pgp-keys-map.list</keysMapLocation>
<verifyPlugins>true</verifyPlugins>
<verifyPluginDependencies>true</verifyPluginDependencies>
</configuration>
<dependencies>
<dependency>
<groupId>my.groupId</groupId>
<artifactId>artifact-with-map</artifactId>
<version>x.y.z</version>
</dependency>
</dependencies>
</plugin>
...
</plugins>
</pluginManagement>
keysMap with PGP fingerprint from external resource
<pluginManagement>
<plugins>
<plugin>
<groupId>org.simplify4u.plugins</groupId>
<artifactId>pgpverify-maven-plugin</artifactId>
<version>1.18.2</version>
<configuration>
<keysMapLocation>https://www.example.com/pgp-keys-map.list</keysMapLocation>
</configuration>
</plugin>
...
</plugins>
</pluginManagement>
Show information about signature
We can see information about signature for a specific artifact, running:
mvn org.simplify4u.plugins:pgpverify-maven-plugin:show -Dartifact=junit:junit:4.12
as a result we get
Artifact:
groupId: junit
artifactId: junit
type: jar
version: 4.12
PGP signature:
version: 4
algorithm: SHA1withRSA
keyId: 0xEFE8086F9E93774E
create date: Thu Dec 04 17:17:33 CET 2014
status: valid
PGP key:
version: 4
algorithm: RSA (Encrypt or Sign)
bits: 2048
fingerprint: 0xD4C89EA4AAF455FD88B22087EFE8086F9E93774E
master key: 0x58E79B6ABC762159DC0B1591164BD2247B936711
create date: Sun Jul 27 14:31:46 CEST 2014
uids: [.... (JUnit Development, 2014) <mail@....>]
By default, information about jar artifact is displayed. You can specify packaging, classifier,
artifact property format is:
groupId:artifactId:version[:packaging[:classifier]]
You can add property showPom to also show information about corresponding pom file.
mvn org.simplify4u.plugins:pgpverify-maven-plugin:show -Dartifact=junit:junit:4.12 -DshowPom
IT tests
Many example of usage can be found in project IT tests:
https://github.com/s4u/pgpverify-maven-plugin/tree/master/src/it