Configure pgpverify-maven-plugin to verify the signatures of all embedded artifacts against independently verified keys. Check the signatures of all other dependencies using in-band keys, if available.
diff --git a/any.asc.txt b/any.asc.txt
index 6e60f63..a418c9a 100644
--- a/any.asc.txt
+++ b/any.asc.txt
@@ -3,4 +3,4 @@
javax.inject = noSig
org.codehaus.jackson = noSig
org.ow2.asm:*:[6.0,7.2) = noSig
-net.jcip = noSig
+net.jcip = noSig
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 6d1a421..6e85468 100644
--- a/pom.xml
+++ b/pom.xml
@@ -123,27 +123,47 @@
</executions>
<configuration>
<keysMapLocations>
- <!-- Verify signatures of Sling Artifacts -->
- <keysMapLocation>
- <location>${project.basedir}/sling.asc.txt</location>
- </keysMapLocation>
- <!-- Verify signatures of Shibboleth and OpenSAML Artifacts -->
+ <!-- Verify Signatures of Shibboleth, OpenSAML and any other Embedded Artifacts -->
<keysMapLocation>
<location>${project.basedir}/shibboleth.asc.txt</location>
</keysMapLocation>
- <!-- for any other artifacts use signature provided in-band,
+ <!-- all other artifacts use signature provided in-band,
or configure them unsigned in any.asc.txt -->
<keysMapLocation>
<location>${project.basedir}/any.asc.txt</location>
<exclude>
- <pattern>org.apache.sling:.*</pattern>
- </exclude>
- <exclude>
<pattern>net.shibboleth.utilities:.*</pattern>
</exclude>
<exclude>
<pattern>org.opensaml:.*</pattern>
</exclude>
+ <exclude>
+ <pattern>io.dropwizard.metrics:metrics-core.*</pattern>
+ </exclude>
+ <exclude>
+ <pattern>com.google.guava:guava.*</pattern>
+ </exclude>
+ <exclude>
+ <pattern>com.google.guava:failureaccess.*</pattern>
+ </exclude>
+ <exclude>
+ <pattern>org.checkerframework:checker-qual.*</pattern>
+ </exclude>
+ <exclude>
+ <pattern>org.apache.velocity:.*</pattern>
+ </exclude>
+ <exclude>
+ <pattern>commons-lang:commons-lang.*</pattern>
+ </exclude>
+ <exclude>
+ <pattern>com.google.errorprone:error_prone_annotations.*</pattern>
+ </exclude>
+ <exclude>
+ <pattern>org.apache.santuario:xmlsec.*</pattern>
+ </exclude>
+ <exclude>
+ <pattern>org.cryptacular:cryptacular.*</pattern>
+ </exclude>
</keysMapLocation>
</keysMapLocations>
</configuration>
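Review bot: The nine added `<exclude>` patterns have to be kept in step by hand with the pinned entries added to shibboleth.asc.txt, and nothing in the hunk says so; a comment above them such as `<!-- every exclude here needs a pinned-key entry in shibboleth.asc.txt -->` would make that coupling visible. The patterns are also broader than the entries they mirror: in `com.google.guava:guava.*` the dots are unescaped and the trailing `.*` also matches any other artifactId beginning with `guava`, so such an artifact would be excluded from any.asc.txt without having a pinned key (what the plugin does in that case should be confirmed with a test build). Dropping the `org.apache.sling:.*` exclude together with sling.asc.txt means Sling artifacts are now checked only against whatever any.asc.txt allows, presumably any in-band key, so it is worth confirming that none of them are embedded. The enclosing plugin definition starts and ends outside this hunk.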
diff --git a/shibboleth.asc.txt b/shibboleth.asc.txt
index 2e76188..104be1b 100644
--- a/shibboleth.asc.txt
+++ b/shibboleth.asc.txt
@@ -22,4 +22,15 @@
0x0E0CA56D354132B5E646C25F49A1796B9B494CB8, \ # putmanb@georgetown.edu
0x4AF4D83EEDDF43DA3C06CB3101483F262A4B3FF0, \ # rdw@steadingsoftware.com
0xDCAA15007BED9DE690CD9523378B845402277962, \ # cantor.2@osu.edu
- 0x796D70C89BBF8D958925F2ED277EC86A07CEEB8B # tzeller@dragonacea.biz
\ No newline at end of file
+ 0x796D70C89BBF8D958925F2ED277EC86A07CEEB8B # tzeller@dragonacea.biz
+
+# Embedded Dependencies
+io.dropwizard.metrics:metrics-core = 0x0B9236488A3B927470B4027D2FC1B61A8D1F4BB0
+com.google.guava:guava = 0xBDB5FA4FE719D787FB3D3197F6D4A1D411E9D1AE
+com.google.guava:failureaccess = 0x56ED3B4843DAACC79DE555557457CA33C3CE9E15
+org.checkerframework:checker-qual = 0x19BEAB2D799C020F17C69126B16698A4ADF4D638
+org.apache.velocity = 0xCE4439C1BEF3DA83B1832F9DBEFEEF227A98B809
+commons-lang:commons-lang = 0xD196A5E3E70732EEB2E5007F1861C322C56014B2
+com.google.errorprone:error_prone_annotations = 0x7615AD56144DF2376F49D98B1669C4BB543E0445
+org.apache.santuario:xmlsec = 0xDB45ECD19B97514F727105AE67BF80B10AD53983
+org.cryptacular:cryptacular = 0x38319E05F62674572CDF886170B2EBE96C112CC9
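Review bot: The nine entries under `# Embedded Dependencies` pin one fingerprint each but, unlike the Shibboleth key list above them, carry no comment saying whose key it is or where the fingerprint was checked, so a later reviewer cannot re-verify a pin or judge a proposed replacement. I would add a trailing comment per line in the file's existing style, e.g. `com.google.guava:guava = <fingerprint> # <key owner>, verified via <source>`. Because each artifact accepts a single key, a release signed by a different maintainer will fail verification; that is the safe outcome, but a header comment saying how a new key must be verified before it is added would help whoever hits that failure. `org.apache.velocity` is pinned for the whole group while the other entries name one artifact, which matches the `org.apache.velocity:.*` exclude in pom.xml but deserves a word of explanation.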
diff --git a/sling.asc.txt b/sling.asc.txt
deleted file mode 100644
index c671916..0000000
--- a/sling.asc.txt
+++ /dev/null
@@ -1,40 +0,0 @@
-# Sling
-org.apache.sling.* = \
- 0x2E510C7DB961B2678888347F947A0DBF7120565E, \ # amitgupt
- 0x49ECC3FCFD4CDF49F308DEC2749391D163EFCDEF, \ # andysch
- 0x5EFF256585AC5FB607F6D46A77B6B69A9E4DCC6B, \ # bdelacretaz
- 0x9E2F96C640A0731D93BF548E37F68FF5015AFC8A, \ # bdelacretaz
- 0x37764359E96FDCB167611DD1F3DE8E1B88E59E02, \ # chetanm
- 0x51E38755C6505CDD1B68AADE7E4CABC10BAE970C, \ # cris
- 0x0CB4FE7E0743AF26610898C24715DC026428BDBA, \ # chris@die-schneider.net
- 0x021752BCCC567AAAA0D33A36132E49D4E41EDC7E, \ # cziegeler
- 0x5FD5145A8BD0317A94DC77133FCF529FF2F27A06, \ # cziegeler
- 0xDDDAB16CE0FCE3A2621C2B80C7E2EC71F0584C92, \ # diru
- 0x4D78347F4F4F868D8EC2CD13F0EAC1A44C6E4124, \ # dklco
- 0x92E9F6990056E6270CE0AC06F61914D470A23041, \ # dulvac
- 0xDEC79067BD234AE7382FB8DEA05D171EA0F1173A, \ # enorman
- 0x369AF551BA81A412C3D413675E27F86EF79B7715, \ # fmeschbe
- 0x34456ED30980EAD976FA50E33C7DEF7D6A42B333, \ # ghenzler
- 0x4456E516E49A0099A5CAFE92B20D113940E47E14, \ # ieb
- 0x8311695BAFF10EA3BB29452B929EE4BE883F7D33, \ # jeb
- 0xC536C8CAA12C0CFC0DF840367D27D8A059FE68E2, \ # joerghoh
- 0x66DF1FE828890A5089146E8C2E92CD9B77F318C8, \ # jsedding
- 0xA04BC4AD36396AD5A52C8FE187DBF05A134B145C, \ # justin
- 0xB91AB7D2121DC6B0A61AA182D7742D58455ECC7C, \ # kwin
- 0xDAD17EDA7D4AFBCD80FF26E1C01B4623441E0165, \ # mpetria
- 0x22C8B59F2A5594913D8140A69645F309F79F6478, \ # mykee
- 0x4B778CBC33364EEF0713CB9808CBBC854D20BF87, \ # npeltier
- 0xCFF2A1BF15608B70F269EA803A3F9BA60E4B0826, \ # olli
- 0x3E97979229E01DFAB9774BBC9054823A859A7237, \ # pauls
- 0x713E024342DC4035115EE6DC9DDD0135964478D3, \ # radu
- 0x0A665C4670B478BF12235CCD339508654F63EC54, \ # rombert
- 0xCFC52824B67086BF2B3228C994C3410848CF8630, \ # simonetripodi
- 0xA4DED8965C2E1C818217CB91CE2B7FF675D78E92, \ # sseifert
- 0x7F2B0F91A223672CC9C110A1595CEDF18CCA28D1, \ # stefanegli
- 0x96D7CED57F1DB4F75CEEEE1D6D1F69DA6B6E60CF, \ # stefanegli
- 0xB96F4ED6841F35D34B0F002650D0BA4202A7966D, \ # stefanegli
- 0xE32D4F1022C616579157F1B11E5AB6D3CF8EBF5F, \ # thecarlhall
- 0xC1ED9FBABD1594E9C12571F54BFE914A44BD29BA, \ # tmaret
- 0x4B5B877280AF29240E45AD21B0EE689D84715909, \ # tomekr
- 0xD7DD1CAC3361852FDCBEDB1BDC7BF9853C1E73F8 # tommaso
-