Signature Artifact Specifier

[not too happy with the terminology used here. Open to suggestions]

Version 0.1

Overview

This proposal extends the URI Syntax proposal: http://nagoya.apache.org/wiki/apachewiki.cgi?ASFRepository/URISyntax

Signature artifacts are artifacts used to verify the integrity of another artifact. These include PGP/GPG signatures and keys, and MD5 and SHA checksums.

The key aims of this proposal are to:

URI Components

An absolute repository URI is written as follows: {{{ repository-uri = access-specifier "/" product-specifier "/"

For signature artifacts, artifact-specifier is: {{{ artifact-specifier = signature-artifact-specifier

Key artifacts

For artifacts digitally signed using PGP/GPG, there is an associated KEYS artifact. {{{ key-artifact = pgp-keys

E.g.: http://repo.apache.org/apache/ant/1.5.4/pgp/KEYS

Integrity artifacts

Each artifact may have an associated integrity artifact:

{{{ integrity-artifact = artifact-specifier "." sig-type

Where:

E.g: {{{ The artifact:

Rationale

Integrity artifacts located alongside artifacts

This approach enables integrity artifacts to be located easily.

Tool support

Key artifacts

Tools can unambiguously locate a key artifact given the project-version URI and signature type.

E.g, given: {{{ uri = http://repo.apache.org/apache/ant/1.5.4/

The key artifact URI would be: uri = http://repo.apache.org/apache/ant/1.5.4/pgp/KEYS

Integrity artifacts

Tools can unambiguously locate an integrity artifact given the repository URI of the associated artifact, and the signature type.

E.g, given: {{{ uri = http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar

The integrity artifact URI would be: uri = http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar.md5
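
The two lookups described under Tool support, plus the checksum comparison a tool would run after fetching the integrity artifact, as an added example (not code from this proposal or from any ASF tool). The function names are hypothetical, only the md5 and pgp types shown in the examples above are used, and the checksum body format (hex digest, optionally followed by a file name) is an assumption.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Assumption: md5 is the only checksum sig-type the page shows by example.
CHECKSUM_TYPES = {"md5": hashlib.md5}


def integrity_artifact_uri(artifact_uri: str, sig_type: str) -> str:
    """integrity-artifact = artifact-specifier "." sig-type"""
    if not sig_type.isalnum():
        raise ValueError("sig-type must be a plain token, e.g. 'md5'")
    parts = urlsplit(artifact_uri)
    if not parts.path or parts.path.endswith("/"):
        raise ValueError("artifact URI must name a file, not a directory")
    if parts.query or parts.fragment:
        raise ValueError("repository URIs carry no query or fragment")
    return urlunsplit(parts._replace(path=f"{parts.path}.{sig_type}"))


def key_artifact_uri(project_version_uri: str, sig_type: str = "pgp") -> str:
    """Key artifact lives at <project-version URI>/<sig-type>/KEYS."""
    if not sig_type.isalnum():
        raise ValueError("sig-type must be a plain token, e.g. 'pgp'")
    return f"{project_version_uri.rstrip('/')}/{sig_type}/KEYS"


def checksum_matches(artifact: bytes, checksum_body: str, sig_type: str) -> bool:
    """Compare the artifact's digest with the first token of the checksum file.

    A matching checksum only shows the download is intact; authenticity
    comes from the PGP signature checked against the KEYS artifact.
    """
    tokens = checksum_body.split()
    if not tokens:
        return False  # empty or whitespace-only integrity artifact
    expected = tokens[0].lower().encode("utf-8")
    actual = CHECKSUM_TYPES[sig_type](artifact).hexdigest().encode("ascii")
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    jar = "http://repo.apache.org/apache/ant/1.5.4/jars/ant-1.5.4.jar"
    print(integrity_artifact_uri(jar, "md5"))
    print(key_artifact_uri("http://repo.apache.org/apache/ant/1.5.4/"))
```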

ASFRepository/SignatureArtifactSpecifier (last edited 2009-09-20 23:32:20 by localhost)