►
Description
Did you ever use PGP to sign libraries published to Maven Central? Did you try to check PGP signatures when downloading dependencies, to make sure you are not affected by a Software Supply Chain issue?
Required PGP keys management is usually not the best experience developers have…
That’s why the sigstore project was introduced recently, promising easy keyless signatures. It started with Docker images signatures, but a lot of effort is put to extend its usage to every package registry, including Maven Central.
Let’s see how sigstore works and how it is expected to improve not only the signing experience, but also the verification process of artifacts at Maven Central.
HERVÉ BOUTEMY
Maven Committer since 2007 and PMC member, Apache Software Foundation member since 2011.
I worked on each and every parts of Maven code too improve user experience.
A
It's
time
welcome
to
the
match
to
the
last
match.
The
last
session
of
the
of
the
day
of
the
devox
day,
we'll
have
a
super
session
in
heavyweight
signature
category
for
for
Maven
Central
on
the
left,
we'll
have
the
current
champion
pgp
the
good
old
standard
that
is
there
for
20
years
on
the
right.
We
have
the
new
Joiner
six
door,
which
is
promising
to
win
absolutely
everything
in
the
next
20
years.
Let's
see
who
will
win?
A
I
will
be
your
referee
to
today.
So
I
am
healthy
with
me
on
my
day,
I'm
working
as
as
a
Solutions
architect
at
sonotype,
a
company
that
works
on
software
supply
chain,
open
source
components
and
that
is
managing
Maven
Central
repository.
So
I
work
with
a
team
who
manage
Maven
Central
repository
and
on
my
nights
and
weekends.
A
I
am
a
maven
developer.
I
am
a
maven
maintainer
I
am
an
Apache
software
Foundation
member
and
I
worked
on
many
aspects
for
the
last
17
years
about
Maven
and
currently
I'm
working
for
the
last
years
on
reproducible
bills
and
on
six
store
integration,
both
from
a
maven
point
of
view
and
helping
to
deploy
it
for
Maven
Central
I
won't
be
able
to
do
it
during
the
whole.
The
whole
session.
A
A
Oh
three,
people
it's
much
more
than
usual,
even
if
it's
only
free
and
what
was
your
experience
when,
when
checking
was
it
good
for
nobody?
Oh,
it
was
good.
We
have
only
one
guy
who
is
happy
with
who
is
verifying
and
gpg
signatures,
so
it
is
the
key
problem
we
have.
We
talk
about
signatures,
every
Everybody
Wants
to
sign
perfect,
but
nobody
checks
the
signature.
So,
let's
start,
why
are
we
talking
about
signature?
What
is
why
is
it
important?
A
Currently,
we
are
in
in
a
world
where
we
assemble
a
lot
of
components
coming
from
everywhere
in
in
every
ecosystem,
Java
npm
nugget.
We
consume
a
lot
of
components
coming
from
everywhere
and
this
the
number
of
components
we
we
ingest
have
such
a
high
load
had
volume
in
our
production
applications
that
they
become
a
vector
of
attack
for
hackers.
A
Until
until
a
three
a
few
years
ago,
hackers
were
waiting
for
vulnerabilities,
they
were
just
standing
waiting
for
a
vulnerable
component
to
be
found,
and
then
they
started
to
attack
a
company
that
did
not
upgrade
so
it
lets
us
some
time
to
to
fix
the
issues,
but
in
fact
you
know
waiting
for
something
to
happen.
It's
not
proactive.
Hackers
are
professionals;
no,
they
need
to
be
proactive.
Why
wait
for
a
vulnerability
to
be
found?
A
No,
it's
much
better
to
inject
your
malicious
code
directly
and
trick
people
to
download
your
your
artifact
that
you,
where
you
put
your
own
malwares
to
to
to
inject
in
in
the
application,
without
even
waiting
for
an
even
vulnerability
to
be
found.
It
is
what
is
currently
happening
since
a
few
years
that
is
really
increasing
in
an
incredible
rate
and
this
the
principle
for
for
hackers
to
know
inject
malware
in
the
supply
chain
is
quite
basic.
We
we
have,
we
have
projects,
we
have
open
source
project
providing
releases
of
their
project.
A
A
So
when
the
the
the
project
published
new
releases,
they
publish
it
somewhere
in
Maven
Central
in
in
their
own
public
space
and
developer
expects
to
download
The
Right
artifact
from
the
project.
It
is
the
expectation,
if
writes
in
his
bill,
to
what
are
the
coordinates,
and
he
hopes
that
everything
is
downloaded
straightforward.
A
The
change
is
quite
easy.
You
know
I
download
everything
is
easy
developers,
don't
really
get
how
the
line
between
the
open
source
project
and
his
laptop
is
not
so
straight.
It's
much
more
fuzzy.
There
are
mirrors.
There
are
other
repositories
that
may
even
Central
they
are.
There
are
a
lot
of
places
where,
in
fact,
hackers
are
really
oh.
That
fuzzy
is
that
noise
in
the
middle
is
perfect
to
try
too
hard
to
to
hide
a
bad
component,
a
malicious
component.
A
If
I
could
track
the
developer
to
to
use
my
components
instead
of
the
expected
official
component,
it
will.
It
would
be
nice
because
the
developers
who
thinks
he
gets
the
right
one
has
my
malicious
one.
This
is
what
attacks
of
on
supply
chain
do.
It
is
what
happens
every
day,
and
this
is
what
signatures
want
to
to
fix,
wants
to
avoid
and
the
the
principle
for
that
is
that
the
the
public
project
has
an
identity.
We
know
the
the
public
project
it
has.
It
has
a
key
it
has.
A
A
When
checking
the
signature,
the
official
signature,
the
the
the
developer,
will,
will
detect
that
the
component
is
not
a
component
that
was
signed
by
the
official
project,
so
it
knows
that
it
must
not
run
it.
He
must
not
use
it.
Eventually,
the
the
hacker
can
has
himself
an
identity
which
is,
of
course
different
than
the
identity
of
the
project
managers.
He
could
sign
his
artifacts,
but
why?
A
If
the
developer
downloads,
the
bad
component
and
downloads,
the
right
signature
for
the
bad
component,
but
right
means
the
signature
that
is
visibly
done
by
the
hacker
and
not
by
the
project.
Why
would
the
developer
when
he
checks
accepts
from
from
the
hacker
instead
of
accepting
the
the
the
component
from
the
project?
A
A
If
nobody
checks
signatures
there
is
it's
not
useful
to
someone,
because
we
can
all
summon
and
if
everybody
just
forgets
about
about
checking
the
hackers
will
will
be,
will
just
provide
the
bad,
the
bad
component
and
it
works,
and
this
is
why
we
have
signatures
on
Maven
Central
for
years
with
pgp.
So
let's
have
a
look.
Why
are
we
talking
about
changing
pgp?
Why
are
we
talking
about
about
not
using
what
we
use,
what
we
have
for
20
years?
It
works.
A
A
It
is
so
he
created
it.
He
created
a
company
to
maintain
it
in
fact
created
cryptography
for
for
public,
for
public
people
and
and
he
had
given
it
was
the
first
time
public
cryptography
was
provided
to
to
everybody
to
to
be
able
to
distribute
it.
It
had
to
make
on
his
proprietary
software.
He
had
to
make
the
algorithm
public,
and
this
is
how
pgp
became
the
de
facto
standard
for
people
who
wanted
to
have
digital
signature
or
encryption,
of
course,
having
public
algorithm
on.
A
A
proprietary
implementation,
The
Next
Step,
has
been
done
near
to
a
20
20
near
the
the
20th
century
to
in
fact,
from
the
from
the
public
algorithm.
He
wants
to
do
a
standard,
open,
pgp
standard,
which
is
the
the
official
way
to
define
how
pgp
was
working,
but
for
implementation
from
absolutely
everybody,
and
one
key
implementation
is
the
the
the
open
source
implementation
from
the
free
software
Foundation,
which
which
is
a
new
PG.
A
Is
it
the
same
thing?
Is
it
something
different?
Yes,
gpg
is
the
main
implementation
of
pgp
whoa
user.
Experience
starts
very
well
yeah.
It's
awesome.
The
principle
of
of
pgp
is
based
on
public
and
asymmetric
cryptography.
So
you
have
a
keeper.
You
create
a
keeper
where
you
have
a
private
key
that
you
get.
You
keep
private,
and
then
you
publish
a
public
key
for
everybody's
conception
and
based
on
this
keeper.
A
A
It's
not
our
use
case.
The
other
use
case,
which
is
the
use
case
we
we
wanted
to
to
dive
in
today,
is
digital
signature.
This
this
case
we
use
the
private
Keys,
the
the
official,
the
the
people
who
are
officially
in
owning
the
private
key,
can
sign
the
content
can
sign
the
content.
Then
anybody
getting
the
the
public
key
can
can
check
the
signal,
the
signatures
against
the
content
and
be
sure
that
the
content
was
the
content
that
was
signed
by
the
the
owner
of
the
of
the
content.
A
In
our
case,
it
is
the
the
project
the
binary
we
are
trying
to
to
download
and
pgp.
So
is
the
de
facto
standard
since
since
that
time,
it
is
a
defective
standard
for
every
for
everybody
in
doing
encryption
or
signature.
So
this
is
why
we
deployed
it
at
Maven
Central.
In
fact,
before
even
deploying
it
at
Maven
Central
level,
pgp
was
deployed
at
Apache
Apache
software
Foundation
level,
so
in
22,
given
Apache
software
Foundation
had
distributed
open
source
code
through
mirrors
through
a
lot
of
of
ways.
A
So
you
because
bandwiz
at
that
time
was
not
so
easy
to
get.
So
there
were
a
lot
of
universities
mirroring
content
and
it
is
exactly
the
type
of
of
injections
that
could
be
possible.
Someone
could
mirror
the
official
site
and
just
change
one
thing
in
the
middle.
So
this
is
why
Apache
software
foundation
and
forced
since
22
that's
every
source
code
release
that
is
published
since
that
time
is
pgp
science.
You
have
no
choice,
it
is
pgp
7.
It
is
part
of
the
Apache
software
Foundation
governance.
A
Then
each
time
you
download
from
public
mirror
a
binary
from
Apache
software
Foundation.
In
fact,
we
urge
you.
We
we
have
instruction
to
download
the
the
signature
and
checks
the
signature.
So
it's
not
it's
not
it's
not
by
inadvertence,
then
on
every
Apache
project.
When
you,
when
you
go
to
the
download
section.
A
We
highly
recommend
to
check
the
signature,
Nobody
Does
it
it's
it's
your
problem,
but
we
we
highly
recommend
to
check
the
signature
and
we
explain
how
to
check
it,
how
to
use
gpg
to
verify
the
signature,
to
discover
that
you
don't
know
the
key,
so
good
news
foundation
in
the
governance
we
have.
Each
project
has
a
case
File
that
Define,
which
keys
are
expected,
allowed
to
publish
that
project.
A
So
this
is
what
Apache
software
Foundation
does
for
years.
So
when
Apache
Maven
project
created
yeah
created
Maven
Central,
it
was
created
for
Maven
one,
so
it
was
created
very
early,
even
before
the
the
pgp
signature
was
was
enforced
at
Apache
software
Foundation
level.
So
that's
why
the
the
repository
that
was
created
at
that
time,
which
is
the
the
repository
that
is
nowadays
defunct,
the
the
repo
one
that
may
even.org
maven
there
was
no
signature
supported.
Okay,
then
we
created
Maven
2
and
for
Miriam
Maven
2.
A
We
created
a
new
repository
because
we
wanted
to
improve
the
format
we
wanted.
We
wanted
to
have
the
reverse:
the
famous
rivers
DNS
group
ID,
that
was
that
is
transformed
into
into
directories.
We
wanted
to
have
to
have
the
famous
project
of
object.
The
pub
V4
object,
bundle
to
to
to
download
to
Define
dependencies
and
so
on.
Then
we
stopped
maintaining
the
maven
one
made
the
maven
Central
One
repository.
We
created
Maven
Central
repository
as
it
is
known.
No
and
now
you
understand
why
it
is
written
in
the
in
the
repository
URL.
A
It
is
written
maven
2.,
and
on
top
of
that,
we
added
to
Maven
and
and
Central
repository.
We
added
support
for
for
pgp,
so
publication
of
this
signature
files
and
not
only
we
support
it,
but
we
force
everybody
wanting
to
publish
to
Maven
sample
to
provide
exactly
the
same
type
of
signature
that
we
provide
that
Apache
software
Foundation
expects
from
from
Apache
projects.
So
this
is
why,
since
2006,
every
artifact
that
you
you
find
from
Maven
Central
has
a
signature.
A
Nobody
checks,
but
it
is
available
artifacts
before
that
time.
Don't
have
signature,
because
at
that
time
we
we
did
not
enforce
it
and
from
the
experience
of
running
that
for
for
now
20
20
near
20
years,
we
found
the
shortcomings,
the
shortcomings
with
pgp,
because
honestly
Keys
management
is
just
quite
complex
for
users.
The
first
time
you
need
to
read
the
documentation
to
create
your
key.
It's
something!
A
Then
you
you
put
your
your
key
somewhere,
your
private
key,
because
your
private
key
is
is
very
important
and
then
you
lose
it.
What
do
you
do?
Then?
You,
you
are
traveling.
Oh
I
did
not
copy.
My
key
from
my
primary
computer
to
the
second
one.
Oh
I
can
do
a
release
because
I
don't
have
my
private
key.
Currently
I
will
I
will
have
to
wait
to
come
back
home.
A
Oh
what
happens
if
your
key
is
stolen,
so
managing
K
is
not
only
the
initial
creation
you
you
have
to
to
imagine
about
rotating
here,
because
Mikey
from
10
years
ago.
Is
it
still
valid,
given
algorithms
have
changed
so
oh
I
need
to
learn
one
more
thing
about
cryptographic:
algorithm
I
have
no!
No,
no
sorry,
it's
not
possible.
A
It's
a
pain
to
sign.
Signing
with
pgp
is
really
your
pain,
and
this
is
exactly
what
happens
when
when
we,
when
I
call
it
at
the
beginning
of
the
talk,
it's
not
fun
but
imagine
signing
is
not
the
most
important
thing.
What
is
important
is
to
check
what
is
the
equivalent
to
the
Apache
software
Foundation
Keys
file.
A
You
know
where,
where
there's
a
project
says,
which
keys
are
low
allowed
to
publish
something
for
Maven
for
for
httpd,
for
for
any
Apache
project,
you
don't
have
it
and
the
and
the
the
the
weird
thing
is
that
if
you
you
look
at
the
instructions
to
verify
to
verify
a
signature,
you
have
an
email,
do
not
trust
the
email.
It
is
not
checked.
So
if
I
want
I
create
just
no
a
key
with
Superman
a
devox.be
I,
don't
own
this
email,
but
I
can
create
a
key.
A
It
is
a
public
key
and
it
will
be
my
key
so
so
the
only
way
to
know
a
key
is
to
have
its
hexadecimal
ID.
You
know
the
thing
that
is
at
that
time.
It
was.
It
was
said
as
a
as
a
nice
thing,
because
you
could
put
it
on
your
card
on
yours
and
give
your
key
to
to
people
around
you
does
this
now.
It
has
been
thought
in
the
past
Century
there
was.
There
is
a
notion
of
key
signing
party
with
web
of
trust,
something
that
that
was
expected
to
be
fun.
A
Whoever
went
to
a
key
signing
party,
was
it
fun,
no
yeah,
so
descending
party?
We,
we
don't
do
it,
so
the
model
of
trust
of
pgp
did
not
scale.
So
checking
is
even
worse.
The
paying
that
signing.
Imagine
you
didn't
like
sign.
You
didn't
check
it's.
Even
it's
even
much
more
a
pain
to
some
to
check
signatures.
This
is
yes,
your
question.
A
Why
do
we
do?
We
need
web
of
trust
in
this
case
in
this?
So
the
question
is:
if
people
distribute
the
the
official
key
is
less
in
their
GitHub
repository
in
a
separate
Place.
Why
is
the
web
of
stress
necessary?
It
is
not,
in
fact
it
is
another
way
because
in
fact,
nobody
in
fact
we
tried
multiple
models.
A
The
model
of
keys
file,
the
model
of
web
of
stress
where,
where
is,
and
none
of
them
really
matched
the
the
the
size
of
the
community
and
the
growth
of
community,
and
this
is
exactly
why
six
star
wants
to
to
wants
to
push
people
to
sign
and
check
science
signatures
and
sorry
it
won't
be
possible
always
with
with
pgp.
We
need
to
do
something
that
has
a
better
user
experience.
So
that's
why
six
store
six
star
promise
is
to
have
a
nice
easy
key,
less
signature
experience
both
for
signing
and
checking
signatures.
A
So
it
is
quite
a
new
project.
It
was
only
created
Min
2020,
but
it
is
quite
successful,
so
it
it
was
donated
to
the
Linux
foundation
and
is
all
is
nowadays
managed
under
open
security,
open
source
security,
software
Foundation
with
multiple
companies
backing
the
the
efforts
and
the
first
really
is
of
something
usable
from
from
from
Sixto
was,
was
released
one
year
ago
it
was
cosine.
Maybe
you
have.
A
You
have
already
used
cosine,
so
it
was
the
first,
the
first
release
to
sign
and
verify
signatures,
not
yet
a
version,
a
keyless
version,
so
it
was,
it
is
classical
case,
but
it
was
the
first
release
and
the
work
on
keyless,
keyless,
workflows,
Killer's
way
of
doing
is
a
worker
in
progress
that
is
currently
happening.
That
I
will
explain
where
we
are
at
the
moment
and
but
the
objective.
A
The
ID
is
really
that
what
is
done
should
should
be
used
by
every
repository
in
the
world
Maven
sample,
but
also
npmgs,
Pi,
PR
and
so
on,
and
we
used
by
every
build
tool
that
that
push
or
consume
from
this
repository.
So
there
is
a
huge
work
done
with
many
communities
to
not
only
build
six
store
but
make
integration
and
work
with
with
every
communities
to
use
that,
and
so
six
store
becomes
a
de
facto
standard,
not
only
for
Maven
Central
but
for
every
ecosystems.
A
So
I
will
have
a
a
a
light
overview
of
how
it
works.
Because,
concretely,
how
does
it
work
so
for
killer
signatures?
It
all
starts
with
command
line
tools
or
cosine.
There
is
a
new
tool
that
was
added,
which
is
git
sign,
so
you
have
the
the
it's
open
source.
It's
written
in,
go
you
can
you
you
can
use
it.
Okay,
the
command
line
tools
are
available.
Perfect.
You
have
some
libraries,
you
have
some
documentation,
because
if
you
want
to
to
work
everything
natively
is
written
in
go.
A
You'll
need
server
software
to
to
manage
the
keys
to
manage
all
the
the
hard
thing
that
is,
that
has
to
be
to
be
done
for
the
keyless
aspects,
and
there
are
two
main
parts.
The
first
one
is
Falco
it
is.
It
is
a
certificate
Authority
that
will
that
will
provide
short-lived
certificates.
That
will
attest
the
the
the
the
identity
of
the
signers,
and
for
for
that
identity
it
will
be.
A
It
will
use
normal
standards
from
nowadays
open
ID
connect
and
then
once
the
certificate
is
done,
every
signatures
will
be
registered,
will
be
recorded
in
in
six
store,
recall
that
will
store
every
signature
and
in
a
non-modifiable
way
it
is
happened
only.
It
will
have
to
be
checked
by
all
the
community
to
be
sure
that
what
was
signed
is
really
something
that
is
not
tricked
in
in
the
future
and
the.
So
all
that
is
software.
You
can,
you
can
download
it.
You
can
install
it
home.
A
You
can
deploy
your
own
Falco
or
recall
servers.
Then
you,
you
will
have
your
all
six
store
infrastructure
and
the
the
inter
the
unexpected.
The
the
the
unusual
aspect,
in
addition
to
this
software
is
that
six
star
also
works
on
providing
one
Public
Service,
one
public
instance
of
Falco
and
Rico
for
open
source
projects.
A
Instead
of
every
open
source
project,
every
open
source
Foundation
to
create
their
own
Rico
and
and
circle
instance,
we
will
try
to
create
a
common
one,
a
common
instance
that
will
be
Community,
managed,
managed
by
multiple
actors
from
open
source
that
will
manage
together,
the
trust
recall
from
from,
and
the
The
Trusted
falcure
instance
for
every
open
source
ecosystems.
So
people
will
be
able
to
if
they
are
in
private
situations,
they
can
host
everything
from
from
their
self.
A
Without
discussing
it
is
open
source
you
can,
you
can
do
it
yourself,
but
for
open
source
you
can
use
the
public
instance
and
the
the
workflow,
because
everything
is
about.
I
talked
about
a
little
bit
about
architecture
of
your.
The
key
thing
is
about
what
is
the
experience
to
to
do
that?
So
what
is
a
workflow
to
sign?
It
all
starts
by
generating
locally
a
session
keeper
that
will
be
that
will
be
thrown
away
after
the
signing
session.
A
So
it
just
temporary
keeper
and
you
can
sign
the
find,
the
files
that
that
you
want.
So
you
you
sign
everything
that
you
want
to
be
to
be
signed
during
during
the
the
six
door
session
then
starts
the
the
keyless
aspect
that
will
record
that
will
check
that
will
prove
that
the
signature
has
been
done
by
someone
who
is
the
trusted
people
we
we
expect
to
to
have
done
the
signature,
and
this
is
where
sokio
enters
in
the
loop.
A
You
contact
Falco,
to
ask
for
a
temporary
short-lived
certificate
and
Falco
ask
an
open,
ID
connect
identity
provider
to
to
know
who
you
are
because
everything
is
about
identity.
So,
let's
use
a
normal
standard
that
there
will
be
everybody
used
for
email,
open,
the
open,
ID
connect
and
Falco
use
that
identity
to
create
a
short-lived
certificate.
A
A
few
months
ago,
when
I
prepared
the
presentation,
it
was
20
minutes
short-lived.
The
guys
here
changed
to
10
minutes.
I,
don't
know
when
so
short
means
men's
20
minutes
a
few
months
ago.
Numbers
no
short
is
10
minutes.
Okay,
I,
don't
care!
It's
the
same,
so
you
have
that
certificate
that
will
attest
the
the
identity
of
the
signer
for
10
minutes
now,
and
then
you
will
use
Rico
to
register
the
different
signatures.
A
You
did
and
recall
just
prove
that
you
signed
with
the
private
key
that
was
valid
and
the
certificate
that
was
valid
for
only
that
10
minutes,
so
the
certificate,
the
the
the
keypad
you
you
generated
in
10
minutes,
even
if
you
did
not
throw
it,
someone
got
it
on
your
computer
in
10
minutes
it's
over.
It's
not
usable
anymore,
because
the
certificate
won't
accept
recall,
won't
accept
a
certificate
for
a
signature
done
with
with
this
private
keeper.
After
the
the
famous
10
minutes
of
of
certificate
time
span.
A
Yes,
so
I
did
a
small,
a
small
project,
a
small
Java
project
that
will
that
will
just
sign
a
file
with
with
a
basic
command
line
tool
with
only
Java
code
and
that
Java
code
will
will
show
precisely
each
step
of
the
workflow
I
just
showed
it
creates
first,
a
keeper
locally.
It
creates
a
key
pair
with
Java
Java,
javax
security
components
and
that
we
we
get
a
key
pair,
a
private
key
public
key
perfect
then
with
local
local
crypto
code.
We
can
sign
the
file
and
then
we
have
the
signature
of
the
file.
A
A
No,
it
works!
So!
Yes,
when,
when
we,
when
we
launch
the
open
ID
connect
session,
it
propos
you
the
different,
open,
ID
IDP
that
are
supported
by
the
public,
so
I'm
using
the
public
instance
So.
Currently
there
is
a
GitHub
IDP,
Google,
IDP
and
Microsoft
one.
So
if
I
log,
in
with
with
my
Google
account
I,
have
multiple
accounts,
so
I
choose
my
identity.
Yes,
I
have
three
identities,
yes,
so
I
chose
to
to
sign
with
mine
and
when
the
the
identification,
the
the
authentication
has
been
done.
A
A
A
So
we'll
call
the
recall
with
the
content
of
of
our
signature,
so
we
Define
the
record
that
we
have
to
do
the
the
hash
of
the
file
that
we
signed
and
the
signature
that
was
that
was
done
previously,
with
with
the
certificate
that
that
we
got
and
in
return
six
store
sends
us
a
proof
of
signature
that
we
that
we
will
be
able
as
a
proof
that
we
signed
during
the
famous
10
minutes.
So
the
the
proof
of
signatures
is
available
directly
from
recore
server.
A
So
you
you
can
see
the
binary
content.
Of
course
the
binary
content
is
not
very
funny.
So
that's
why
nice
people
from
the
from
the
project
created
a
UI
where
you
have
that
that
data
perfectly
decoded
and
perfectly
understandable,
and
then
you
see
that's
my
my
certificate
and
my
record
was
done
by
six
store.
It
was
valid.
It
was
valid
only
for
10
minutes,
so
I
in
theory.
I
could
still
use
my
certificate
for
nine
minutes
because
I
just
did
it
I
see
the
algorithm.
A
A
A
A
A
A
Yes,
email
is
nice
because
when
you
can't
trust
the
email-
and
you
perfectly
see
it
is
my
email
I
still
don't
see
precisely.
Why
would
you
trust
my
email
for
for
Maven,
because
it's
my
email?
It's
not
it's,
not
something
at
Apache.
So
on
that
one
I
don't
know
yet.
I
still
need
to
figure
out
how
we
will
do
the
verification
in
every
detail.
Clearly,
the
situation
is
way
better
than
with
pgp,
because
it
is
human
understandable.
A
A
A
You
can,
nobody
will
know
it,
so
nobody
will
be
able
to
to
check
it.
So
it's
not
yet
fully
ready,
but,
as
you
can
see
from
the
demo,
we
we
have
code.
We
have
prototypes
to
sign
exactly
in
in
full
Java
the
ex
the
exact
same
thing
that
cosine
does
even
cosine.
It's
experimental,
it's
not
something
that
is
yet
completely
finalized.
It
will
be
soon,
but
we
can
do
it
in
Java.
It
works.
So
we
we
signed
a
few
artifacts,
it
works.
A
A
A
Everything
is
online,
I
did
not
show
you
any
file
that
is
stored
anywhere,
we'll
need
to
store
the
file
on
Maven
Central
to
be
able
to
know
that
an
artifact
that
has
been
downloaded
from
my
events
as
well
has
been
signed,
the
equivalent
of
the
dot
ask
file
for
for
pgp.
We
will
need
it
so
working
on
that
we
we
created
a
few
prototypes.
Where,
for
each
sign
file,
we
had
one
signature
file,
one
one
check
file
one
record
entry.
A
We
had
two
or
three
files
for
each
file
that
is
published
to
Maven
sunflower.
Then
there
is
a
bunch
of
additional
files
required
by
Maven
Central.
It
was
a
mess,
so
we
we
thought
a
little
bit.
How
can
we
make
it,
make
it
more
sustainable
for
Maven
Central,
and
this
is
something
that
in
fact,
at
Maven
Central.
We
are
not
the
only
one
who
had
the
same.
The
same
question:
Pi
Pi
has
exactly
the
same
question.
Npmgs
asked
the
same
question:
how
to
how
to
store
it
in
one
file?
A
Sorry,
not
a
bunch
of
file.
So
this
is
why
this
question
has
been
taken
in
charge
by
the
six
door
project
the
go
one,
the
native
one,
and
there
is
a
work
in
progress
to
do
to
define
the
former
the
format
of
the
of
the
file
that
will
permit
to
check
signature
without
contacting
recall
without
so
offline
checks
like
we
do
with
ospgp
signatures.
It
is
a
work
in
progress.
A
Last
week
it
was
promised
to
be
done
for
this
week.
You
know
we
are
an
idea
in
a
few
weeks.
It
should
be
okay,
so
this
format
is
really
what
we
are
waiting
for
to
to
to
know,
implement
it
in
Java.
So
Apple
will
do
it
in
six
dollar
Java,
very
fast,
I'm,
confident,
then
we
will
be
able
to
test
it
to
to
ready
to
continue
prototyping
to
complete
continue
playing
with
it
from
different
actors.
A
Point
of
view,
because
we
have
Java
experts
who
has
Maven
experts,
we
have
incredible
experts,
we
have
Maven
Central
experts,
everybody
needs
to
to
play
a
little
bit
to
say
to
see
how
it
will
work
in
the
future
and
all
that
play
will
permit
us
to
Define.
What
is
the
former?
The
formal
standard,
what
is
the
formal
storage
standards
that
we
will
do
on
Maven
Central
for
for
storing
a
signature
of
our
releases?
A
Will
we
sign
every
file
from
the
release?
Will
we
sign
it,
and
you
know
that
there
are
source
source
job
there
is
java.ja?
Will
we
sign
each
file
separately?
Will
we
sign
the
module?
Will
we
assign
globally
the
multi-module
release
in
one
one
in
a
row
that
one
we
already
know
that
we
don't
trust
that
it
will
be
feasible,
but
will
we
sign
each
file
or
each
module
good
question?
We
don't?
We
still
don't
know
precisely.
A
We
will
need
to
to
figure
out
in
the
in
the
next
weeks
in
the
next
month,
and
one
key
question
should
not
even
Central
use
the
famous
centralized
shed
six
door
six
door
server.
Should
we
create
our
own
I,
don't
know
because,
yes,
it
is
a
question
to
be
to
be
defined
so
we'll
need
to
Define
precise.
We
know
that
we
played
with
it
for
six
months.
We
have
many
IDs,
it
has
to
be
precise
to
to
Define.
What
do
we
want
to
implement
in
the
next
month?
A
Then
it
will
be
about
implementing
it
and
implementing
means
Implement
at
Maven
Central
level,
because
currently
the
pgp
is
required
for
every
file.
So
when
you
will
put
to
Maven
Central
your
famous
six-store
signature
file,
the
six
star
signature
file
will
have
to
be
pgp
signed.
So
you
have
a
signature
that
is
signed
assigned
by
another
yeah
yeah.
A
Once
we
will
know,
we
will
know
what
is
the
official
format
that
we
will
need
to
support
honestly
signature
does
not
need
another
signature
on
top
of
it,
so
we'll
remove
that
and
the
next
step
will
be.
If
you
use
six
store,
don't
don't
require
pgp.
If
you
use
pgp,
don't
require
a
six
door,
it's
better
to
have
an
or
than
than
Force
everybody
to
use
both
six
store
and
npgp.
So
we
will
Define
when
how
we
will.
We
will
do
that
in
the
future
and
that
one
is
just
for
publishing
to
Maven.
A
Central
then
remember
what
is
important
is
checking
so
and
checking.
Of
course,
Maven
Central
will
check
that
the
that
files
are
signed
when,
when
ingesting
new
components,
but
what
is
important
is
that
the
developer
downloading
component
will
check,
and
this
is
this
will
be
the
work
for
the
build
tools,
so
we
have
in
the
community.
We
are
working
together
with
the
six-store
community.
We
have
Maven
developer
myself,
we
have
and
Jason
vanzil.
We
have
a
multiple
contributors.
We
have
Gradle
developers
from
the
community
from
Gradle
Enterprise.
A
Of
course,
this
will
have
to
be
done
by
other
build
tools
or
whatever
they
are.
They
will
benefit
from
from
the
same
libraries
that
that
we
will
reuse
and
we'll
need
to
Define
both
a
mechanism
to
sign
and
a
mechanism
to
to
check
how
we
need
to
Define
I.
We
don't
have
precise
plan
at
the
at
the
moment.
It
is
really
something
that
where
the
the
details
will
have
to
be
defined
once
we
have
the
format
once
we
have
the
the
greater
plan.
This
is
exactly
what
we
are
working
on.
I
don't
expect.
A
It
will
take
much
time
once
the
format
is
defined
because
we
are
all
in.
We
are
working
together
for
four
months
and
six
months,
so
once
the
plan
is
defined,
we
will
implement
it.
It's
not
so
much
code.
Given
we
have
the
Java
library
that
is
available,
so
six
store
at
Maven
Central
is
not
yet
a
strict
reality.
You
can't
sign
because
everything
will
be
on
record,
but
nobody
will
check.
So
it's
just
for
playing
a
little
bit.
A
You
will
have
to
wait
for
a
few
months,
so
the
the
signature
will
be
visible
will
be
published,
and
then
you
can
work
and
I'm
looking
for
people
interested
to
to
discuss
about
the
checkings,
the
the
signage
signature
checking
tools,
because
it's
something
and
how
to
verify
identities,
because
it
is
a
key
aspect
that
still
needs
to
be
refined.
How
we
will
trust
identities
for
for
project.
A
A
And
then
you
will
check
that.
Okay,
it's
matching
I.
So
so
the
question
is
under
the
process
to
check.
In
fact
you
will
get
the
certificate
and
the
signature.
So
from
a
technical
point
of
view,
you
will
check
that
the
the
algorithm
match
the
key
aspect
of
that.
So
technically
from
from
a
code
perspective,
it
will
be
nice,
so
you
know
now
that
the
artifact
has
been
assigned
by
an
email
from
an
idea
and
then
an
identity
provider.
The
key
question
is:
should
I
trust
that
email
for
that
artifact.
A
I
have
the
certificate,
but
you
know
I
can
me,
as
myself
create
a
certificate
with
my
email
and
and
why
would
we
trust
one
email
or
the
other,
but
technically
many
people
will
can
sign
the
same
artifacts.
So
you
will
have
one
signature
from
someone
who
has
an
email
and
the
key
question
will
be.
How
do
you
check
that
the
the
email
you
have
is
really
a
contributor
to
the
project
to
the
official
projects
that
you
expect
to
have
signed
the
the
binary?
A
It
is
the
key
question:
will
we
go
and
it
has
to
be
automated
a
little
bit,
because
when
you
are
downloading
hundreds
of
artifacts
thousands
in
case
of
JavaScript,
you
won't
read
by
hand
so
we'll
need
to
figure
out
how
how
to
how
to
define
who
to
trust
on
each
on
each
certificate,
because
from
a
pure
cryptographic
point
of
view
it
would
be
okay,
it's
not
the
question
of
cryptography.
It's
a
question
of
trusting
identities.