Consider enabling the installer to download new versions
Basics
Logistics
Basics
Logistics
Description
Consider enabling the installer to download and validate the signature of the latest IdP (or maybe SP) distribution.
Something like : bin/install.sh --download-latest-version-and-validate-signature
Idea being to use the installer’s keyring to bootstrap trust.
Environment
None
Activity
Show:
Ian YoungJune 22, 2023 at 5:24 PM
Edited
There’s a v5 branch in my shibboleth-idp-docker repository which now does plausible stuff with the current snapshot setup. As Rod says, new-snapshot pulls the "latest" from the Maven metadata instead of using Maven to download the artifact, but that sounds like it would work too.
Tom ZellerJune 22, 2023 at 5:10 PM
I forgot about snapshots not being signed - that was the whole reason I was asking … hmm
I updated this page, since Nexus is not public anymore
Rod WiddowsonJune 22, 2023 at 5:04 PM
Tom, I’ll look but I don’t see it. For a start it wo t be signed.
My suggestion to you is the same as I had for which is to write a small Pom file which depends on it and check the target. I think Ian has an xslt to do it tho.
Tom ZellerJune 22, 2023 at 4:58 PM
Rod - is there any way update.sh could download the latest 5.0.0-SNAPSHOT (for testing) or is that too much to ask ?
Consider enabling the installer to download and validate the signature of the latest IdP (or maybe SP) distribution.
Something like :
bin/install.sh --download-latest-version-and-validate-signature
Idea being to use the installer’s keyring to bootstrap trust.