Allow local signature from data JAR to be used before resolving
Description
If we’re checking an artifact, there are situations in which it would be useful for a local signature resource defined in the data JAR’s localSignatures collection to be located and used before (and therefore overriding) any signature file in the local .m2 repository or fetched from another repository.
This would provide a more targeted alternative for us to work around supply chain issues where the artifact HAS a signature, but one made with a GPG key we can’t authenticate. Rather than accepting the questionable key into the keyring for the artifact’s group (and therefore allowing it to sign any artifact in that group, forever), we’d make our own signature for the artifact, overriding the existing one, signed by one of our own keys, and add THAT key to the group’s keyring.
At present, as I understand it, the localSignatures collection is only examined as a fallback when no signature can be resolved; the proposal here is to reverse that ordering.
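The following is an added illustration of the two resolution orders, not code from the plugin this issue is filed against. It models a group keyring as a set of trusted key IDs, and replaces GPG with a deliberate stand-in (a signature is a key ID plus the SHA-256 of the artifact), so the names `resolve_signature`, `check_artifact`, the key IDs and the coordinates are all assumptions. It contrasts the current fallback order with the proposed local-first order, and shows why trusting the questionable key at group level is broader than the workaround needs.

```python
import hashlib
from dataclasses import dataclass

# Added illustration; not the plugin's own code. "Signatures" here stand in
# for GPG detached signatures: one is valid for an artifact when its digest
# matches the artifact's SHA-256 and its key ID is in the group's keyring.


@dataclass(frozen=True)
class Signature:
    key_id: str   # key that (claims to have) produced the signature
    digest: str   # SHA-256 hex of the artifact bytes the signature covers


def artifact_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key_id: str, data: bytes) -> Signature:
    """Stand-in for producing a detached signature with the given key."""
    return Signature(key_id, artifact_digest(data))


def group_of(coordinate: str) -> str:
    """'org.example:lib:1.0' -> 'org.example' (the Maven groupId)."""
    return coordinate.split(":", 1)[0]


def resolve_signature(coordinate, local_signatures, repo_signatures, local_first):
    """Return (source, Signature) for the first table holding a signature.

    local_first=False is the current behaviour described in the issue:
    localSignatures is consulted only when no repository signature resolves.
    local_first=True is the proposed ordering.
    """
    sources = [("localSignatures", local_signatures), ("repository", repo_signatures)]
    if not local_first:
        sources.reverse()
    for name, table in sources:
        sig = table.get(coordinate)
        if sig is not None:
            return name, sig
    return None, None


def verify(coordinate, data, signature, group_keyrings):
    if signature is None:
        return False
    trusted = group_keyrings.get(group_of(coordinate), set())
    return signature.digest == artifact_digest(data) and signature.key_id in trusted


def check_artifact(coordinate, data, local_signatures, repo_signatures,
                   group_keyrings, local_first):
    source, sig = resolve_signature(coordinate, local_signatures, repo_signatures, local_first)
    return {
        "source": source,
        "key_id": sig.key_id if sig else None,
        "verified": verify(coordinate, data, sig, group_keyrings),
    }


def demo():
    # Constructed sample data: two artifacts in one group, both with upstream
    # signatures from a key we cannot authenticate.
    lib = ("org.example:lib:1.0", b"lib-1.0 bytes")
    other = ("org.example:other:2.0", b"other-2.0 bytes")
    repo_sigs = {lib[0]: sign("QUESTIONABLE-KEY", lib[1]),
                 other[0]: sign("QUESTIONABLE-KEY", other[1])}

    # Workaround A: accept the questionable key into the group keyring.
    # lib verifies, but so does anything else that key signs in the group.
    keyring_a = {"org.example": {"OUR-KEY", "QUESTIONABLE-KEY"}}
    a_lib = check_artifact(lib[0], lib[1], {}, repo_sigs, keyring_a, local_first=False)
    a_other = check_artifact(other[0], other[1], {}, repo_sigs, keyring_a, local_first=False)

    # Workaround B (the proposal): ship our own signature for lib only in
    # localSignatures, trust only OUR-KEY, and let local win over the repo.
    local_sigs = {lib[0]: sign("OUR-KEY", lib[1])}
    keyring_b = {"org.example": {"OUR-KEY"}}
    b_lib_fallback = check_artifact(lib[0], lib[1], local_sigs, repo_sigs, keyring_b, local_first=False)
    b_lib_first = check_artifact(lib[0], lib[1], local_sigs, repo_sigs, keyring_b, local_first=True)
    b_other = check_artifact(other[0], other[1], local_sigs, repo_sigs, keyring_b, local_first=True)

    return {
        "A_lib": a_lib, "A_other": a_other,
        "B_lib_fallback_order": b_lib_fallback,
        "B_lib_local_first": b_lib_first,
        "B_other": b_other,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

With the current fallback order, `B_lib_fallback_order` shows the repository signature winning and verification failing even though a trusted local signature exists; with the proposed order, `B_lib_local_first` verifies against OUR-KEY, while `B_other` still fails because trust was granted to one signature rather than to the questionable key across the whole group.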