gammax
03/21/2020, 6:27 PMgammax
03/21/2020, 6:28 PMkoral
03/21/2020, 10:14 PMVova Buberenko
03/22/2020, 11:06 PMgammax
03/22/2020, 11:19 PMGPG key setup (and other configuration) can be done only onceMy point was more that there is a private key to share between developers and so. I know that MavenCentral is not really strict on GPG signing, so that shouldn’t be a major deal. On the other hand, Gradle introduced signature validation since 6.2 so we should probably be sure we know where the key/passphrase is and who can access it.
gammax
03/22/2020, 11:21 PMkoral
03/23/2020, 1:00 AMsloydev
03/23/2020, 7:28 AMgammax
03/24/2020, 12:27 AMEg. uploaded once by admin/owner, no need to share it.That’s actually the point that raises more concern for me. Like I create a key and I upload it on Bintray. What happens if, in a near future, we want to publish directly to Sonatype and we need to sign locally the artifacts?
koral
03/25/2020, 1:38 PMgammax
03/25/2020, 3:21 PMkoral
03/25/2020, 3:26 PMgammax
03/25/2020, 3:27 PMkoral
03/25/2020, 7:28 PMgammax
03/25/2020, 7:29 PMkoral
03/25/2020, 7:33 PMgammax
05/22/2020, 9:46 AMsloydev
05/22/2020, 9:46 AM