Add parameter 'strictNoSignature' to make missing signatures explicit in keys map #44
Added maven configuration parameter
The following use cases are covered:
…the keys map. In order to detect and support the use cases "some version of artifact comes without signature" and "strict preselection of artifacts having no signature", the property 'strictNoSignature' will refer to the keys map to verify whether or not having no signature is acceptable for each unsigned artifact. This mode is less strict than 'failNoSignature' as it will be able to accommodate artifacts without signature. At the same time it provides explicit control over which artifacts are acceptable without signature.
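The following is an added example, not code from the plugin or this pull request: a small Python model of the decision the description lays out for an artifact that arrives without a signature under the default behaviour, under 'failNoSignature', and under 'strictNoSignature'. The keys-map representation (a dict keyed by `groupId:artifactId` or `groupId:artifactId:version`), the `NO_SIG` marker, the version-first lookup order and the sample entries are all assumptions made for illustration; they are not the plugin's actual keys-map syntax.

```python
"""Model of how an unsigned artifact is judged under the three modes.

Added example for illustration; the keys-map format, the NO_SIG marker and
the lookup order are assumptions, not the plugin's real implementation.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DEFAULT = "default"                        # unsigned artifacts are tolerated
    FAIL_NO_SIGNATURE = "failNoSignature"      # any unsigned artifact fails the build
    STRICT_NO_SIGNATURE = "strictNoSignature"  # unsigned only where the keys map says so


# Assumed marker: the keys map entry for this artifact states that having no
# signature is acceptable (instead of listing a key fingerprint).
NO_SIG = "noSig"

# Constructed sample keys map. Values that are not NO_SIG stand for an expected
# key fingerprint; the fingerprint strings here are placeholders.
SAMPLE_KEYS_MAP = {
    "org.example:lib": "FINGERPRINT-PLACEHOLDER",
    "org.example:lib:1.0.0": NO_SIG,    # only this version shipped unsigned
    "org.example:tools": NO_SIG,        # every version may be unsigned
}


@dataclass(frozen=True)
class Artifact:
    group_id: str
    artifact_id: str
    version: str
    has_signature: bool


def keys_map_entry(keys_map: dict, artifact: Artifact):
    """Assumed lookup order: exact version first, then the version-less key."""
    versioned = f"{artifact.group_id}:{artifact.artifact_id}:{artifact.version}"
    unversioned = f"{artifact.group_id}:{artifact.artifact_id}"
    if versioned in keys_map:
        return keys_map[versioned]
    return keys_map.get(unversioned)


def unsigned_artifact_acceptable(artifact: Artifact, mode: Mode, keys_map: dict):
    """Return (accepted, reason) for an artifact that has no signature."""
    if artifact.has_signature:
        raise ValueError("this check applies only to unsigned artifacts")
    if mode is Mode.DEFAULT:
        return True, "unsigned artifact tolerated (no strict option set)"
    if mode is Mode.FAIL_NO_SIGNATURE:
        return False, "failNoSignature: no unsigned artifact is accepted"
    # strictNoSignature: the keys map decides per artifact.
    entry = keys_map_entry(keys_map, artifact)
    if entry == NO_SIG:
        return True, "strictNoSignature: keys map explicitly allows no signature"
    if entry is None:
        return False, "strictNoSignature: artifact not listed in keys map"
    return False, "strictNoSignature: keys map expects a signed artifact"


def rejected_unsigned(artifacts, mode: Mode, keys_map: dict):
    """Coordinates of unsigned artifacts that would fail the build in this mode."""
    rejected = []
    for a in artifacts:
        if a.has_signature:
            continue  # signed artifacts go through normal PGP verification
        accepted, _ = unsigned_artifact_acceptable(a, mode, keys_map)
        if not accepted:
            rejected.append(f"{a.group_id}:{a.artifact_id}:{a.version}")
    return rejected


if __name__ == "__main__":
    sample = [
        Artifact("org.example", "lib", "1.0.0", has_signature=False),
        Artifact("org.example", "lib", "1.1.0", has_signature=False),
        Artifact("org.example", "tools", "2.0.0", has_signature=False),
        Artifact("org.example", "unknown", "0.1", has_signature=False),
    ]
    for mode in Mode:
        print(mode.value, "rejects:", rejected_unsigned(sample, mode, SAMPLE_KEYS_MAP))
```

Running the block shows the intended difference between the modes: the default tolerates every unsigned artifact, 'failNoSignature' rejects all of them, and 'strictNoSignature' rejects exactly those whose keys-map entry does not say that a missing signature is acceptable (here `lib:1.1.0`, which is expected to be signed, and `unknown`, which is not listed at all).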
- Undid unnecessary change. Remnant of previous experiment.
- Updated documentation to better explain how the new configuration parameter strictNoSignature works and what it expects from the keys map content.
The weak-signature check was mixed up with the PGP signature verification result handling. This is not necessary, given that it is an independent operation, which relies on very little information other than the signature information. Hence moved out to improve readability.
@slawekjaranowski I have moved the weak-signature check up out of the PGP signature content check. This makes the logic a lot more readable and reduces nesting. Could you have a look and see whether you agree, given that this reorders the checks and thus the messaging order?