views:

46

answers:

2

I have open sourced several of my projects and have published artifacts on sonatype.org. Is it important to sign your artifacts, and do JBoss and other open source publishers sign their code?

A: 

Not normally. I think that signed JARs are primarily useful for when you want customers to download your code directly to a JVM instance which is running in a browser or through Web Start; when you're asking the user to trust your applet or application with some additional system permissions, it's important that you have proof that you are who you say you are.

There are a number of other use-cases where you will want to sign, though, usually along the same lines. Eclipse components (possibly OSGi in general) can be signed to provide the user with information about who provides the component the user wants to install.

Calum
+1

A: 

It is important and is actually required to get your artifact synced with a trustable repository like Maven Central. From How to Generate PGP Signatures with Maven:

If you are developing software using Maven, you should generate a PGP signature for your releases. Releasing software with valid signatures means that your customers can verify that a software artifact was generated by the original author and that it hasn’t been modified by anyone in transit. Most large OSS forges like the Apache Software Foundation require all projects to be released by a release manager whose key has been signed by other members of the organization, and if you want to synchronize your software artifacts to Maven central you are required to provide pgp signatures.

Whether other people are doing it or not with their own repository is irrelevant.

See also

Pascal Thivent
True, but if they jump off the bridge, it looks a little more tempting :). I'll read the other documents. Thanks.
Ok, looks good, I will start signing my code.
@Walter I enjoyed the bridge analogy but... don't jump :)
Pascal Thivent
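The accepted answer quotes what a PGP signature gives the consumer: proof that the artifact came from the holder of the release key and that it was not modified in transit. The script below is an added example, not code from the question, the answers or the Sonatype guide, that walks through both sides of that contract offline with plain gpg, which is the same tool maven-gpg-plugin drives during `mvn verify`/`mvn deploy`. It assumes gpg 2.1 or later is installed; the release identity `Release Manager (example) <release@example.invalid>`, the throwaway keyring and the "jar" content are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original Q&A): what a detached PGP signature
# on a Maven artifact buys the consumer, shown end to end with gpg.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"   # throwaway keyring; the host keyring is untouched
mkdir -p "$GNUPGHOME"
chmod 700 "$GNUPGHOME"

# Hypothetical release identity (assumption for the demo); a real project uses
# the release manager's key, protected by a passphrase and given an expiry.
UID_STR="Release Manager (example) <release@example.invalid>"

# 1. Publisher, one time: create a signing-only Ed25519 key non-interactively.
#    "0" means no expiry, acceptable only for this throwaway keyring.
make_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$UID_STR" ed25519 sign 0 2>/dev/null
}

# 2. Publisher, per release: write the ASCII-armored detached signature that
#    Maven Central expects beside every file (foo.jar -> foo.jar.asc).
#    maven-gpg-plugin's `sign` goal does exactly this for each attached artifact.
sign_artifact() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$UID_STR" --armor --detach-sign \
        --output "$1.asc" "$1" 2>/dev/null
}

# 3. Consumer: verify the signature against the bytes that actually arrived.
#    Exit status 0 means the file is byte-for-byte what the key holder signed;
#    any other status means the artifact must be rejected.
verify_artifact() {
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

# Constructed stand-in for a released jar (not a real archive).
ARTIFACT="$WORK/demo-1.0.jar"
printf 'PK\003\004 constructed jar content\n' > "$ARTIFACT"

make_key
sign_artifact "$ARTIFACT"
verify_artifact "$ARTIFACT" && echo "original artifact: signature OK"

# Simulate modification in transit (mirror, proxy, compromised CDN node):
# the content changes, the .asc file does not.
printf 'PK\003\004 backdoored jar content\n' > "$ARTIFACT"
if verify_artifact "$ARTIFACT"; then
    echo "BUG: tampered artifact verified"
else
    echo "tampered artifact: signature BAD, rejected"
fi
```

The verification step is only meaningful if the consumer has a trusted copy of the public key; Sonatype's requirement that the key be published to a keyserver (gpg --send-keys) exists so that it can be fetched by key ID, and the Apache practice quoted in the answer, having the release manager's key signed by other members, is how that fetched key earns trust rather than being taken at face value.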