Loading...

UPDATE: If you are a Maven Central user and looking for the OSSRH or MVNCENTRAL projects, you can continue to use this JIRA. Sonatype is fully committed to supporting its Open Source Software Repository Hosting service, which relies on the projects above. The messaging below is meant for Sonatype employees and users looking for the NEXUS project.

Sonatype concluded use of most of our public-facing Jira projects on May 25, 2023. This includes https://issues.sonatype.org/browse/NEXUS. The decision is necessitated by a need for increased security as well as to replace a system that is almost at “end of life” with Atlassian.

Moving forward, please watch the Release Notes for a list of issues fixed in each product release. Customers with active subscriptions to Sonatype solutions may report defects by raising a support incident at: https://support.sonatype.com.

Users of Sonatype Nexus Repository OSS should file issues in: https://github.com/sonatype/nexus-public. Please see https://github.com/sonatype/nexus-public/issues/105 for more details.

XML

Word

Printable

Details

Type: Publishing Support
Resolution: Out of scope
Priority: Major
Labels:
- security

Group Id:
null
Publishing Hostname:
oss.sonatype.org
Modify publishing permissions?:
No

Description

We noticed that some artifacts in Maven Central had bad/invalid signatures.

It seems it should not be possible to deploy artifacts with bad/invalid signatures to Maven Central.

Would you please consider preventing artifacts with bad signatures from being deployed to Central ?

The responsible party is working on the issue :

https://jira.spring.io/browse/SPR-15623

Thank you!
Tom

Attachments

Activity

People

Assignee:: Joel Orlina

Reporter:: Tom Zeller

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 06/08/17 09:02 PM

Updated:: 06/05/21 10:22 PM

Resolved:: 06/08/17 09:05 PM

tigCommentSecurity.panel-title