This article also appears in the Maven Central blog.
As custodians of the Maven Central registry, we at Sonatype consider it important to ensure that Central remains accessible, secure, and modern for users and publishers.
With this in mind, we have been investing heavily in the Maven Central platform: improving the security of publishing and consumption, and providing a developer experience consistent with what users expect of contemporary software registries. This is a wide-ranging effort that we expect to improve nearly every aspect of the platform.
As we work through design and planning, the emergence of Sigstore as a solution to the provenance concerns that are critical to software supply chains is exciting to us.
Like many other software and package registries, Maven Central currently relies heavily on developer GPG signatures of artifacts to guarantee their authenticity and integrity. While providing some added security, the implementation has an outsize impact on complexity and publication times for our publishers.
And, as at other registries, the value of these signatures is not fully realized: public key infrastructure and developer tooling fall short, and there is no existing chain of trust that binds a signing key to a developer. Sigstore is designed to solve exactly this problem, with an elegance and runtime properties that are especially appealing in common Java development and CI environments.
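To make the gap described above concrete, here is an added example (not Sonatype's or Maven Central's own code) that walks through the GPG flow Central requires of publishers: a publisher signs an artifact with a detached, ASCII-armored .asc signature, and a consumer then verifies it with the publisher's public key fetched into an otherwise empty keyring, with no key at all, and against a tampered copy. The signing key, the artifact bytes, the user ID `publisher@example.invalid`, and all keyrings are constructed locally in a temporary directory; gpg 2.1 or later on PATH is assumed.

```shell
#!/bin/sh
# Added example, not Sonatype's or Maven Central's own code. Everything is
# local and constructed: a throwaway publisher key, a stand-in "jar", and two
# consumer keyrings. It reproduces the detached, ASCII-armored .asc signature
# Central requires from publishers, then shows what a consumer actually learns
# from verifying it. Assumes gpg 2.1 or later on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
JAR="$WORK/lib-1.0.0.jar"
ASC="$JAR.asc"
PUBLISHER="$WORK/publisher"   # publisher's keyring: holds the private key
CONSUMER="$WORK/consumer"     # consumer who fetched the public key
EMPTY="$WORK/empty"           # consumer who has fetched nothing
for d in "$PUBLISHER" "$CONSUMER" "$EMPTY"; do
    mkdir -p "$d" && chmod 700 "$d"
done

# Run gpg against a chosen keyring with no pinentry prompts.
g() {
    _dir=$1; shift
    GNUPGHOME="$_dir" gpg --batch --pinentry-mode loopback --passphrase '' "$@"
}

# Publisher side: create a signing key, then sign the artifact with a
# detached armored signature (the lib-1.0.0.jar.asc file Central expects).
g "$PUBLISHER" --quiet --quick-generate-key \
    'Example Publisher <publisher@example.invalid>' default default never 2>/dev/null
printf 'constructed stand-in for jar bytes\n' > "$JAR"
g "$PUBLISHER" --yes --armor --detach-sign --output "$ASC" "$JAR" 2>/dev/null

# Consumer side: obtain the publisher's public key (from a keyserver, in
# practice) and import it. Nobody the consumer trusts has certified this key.
g "$PUBLISHER" --armor --export publisher@example.invalid \
    | g "$CONSUMER" --quiet --import 2>/dev/null

# Verify a detached signature against a keyring and print only the gpg status
# tokens that matter: GOODSIG/BADSIG/NO_PUBKEY plus the TRUST_* verdict on the key.
verify_signature() {   # $1=keyring dir  $2=artifact  $3=.asc
    g "$1" --status-fd 1 --verify "$3" "$2" 2>/dev/null \
        | awk '/^\[GNUPG:\] (GOODSIG|BADSIG|NO_PUBKEY|TRUST_)/ { printf "%s%s", s, $2; s = " " }'
}

genuine_with_fetched_key() { verify_signature "$CONSUMER" "$JAR" "$ASC"; }
genuine_with_no_key()      { verify_signature "$EMPTY" "$JAR" "$ASC"; }
tampered_with_fetched_key() {
    cp "$JAR" "$WORK/tampered.jar"
    printf 'one extra byte' >> "$WORK/tampered.jar"
    verify_signature "$CONSUMER" "$WORK/tampered.jar" "$ASC"
}

echo "genuine artifact, key fetched:  $(genuine_with_fetched_key)"   # GOODSIG TRUST_UNDEFINED
echo "genuine artifact, no key:       $(genuine_with_no_key)"        # NO_PUBKEY
echo "tampered artifact, key fetched: $(tampered_with_fetched_key)"  # BADSIG
```

The result worth noticing is the first one: the signature verifies (GOODSIG), yet gpg marks the key TRUST_UNDEFINED, because fetching a key from a keyserver proves only that someone uploaded a key carrying that user ID, not that it belongs to the project. The consumer gets integrity (the tampered copy fails with BADSIG) but no identity, which is the chain-of-trust gap Sigstore addresses by binding short-lived signing keys to an authenticated identity and recording each signature in a public transparency log.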
We fully intend to adopt Sigstore as part of the Maven Central platform, and we are considering the dimensions of our participation with OpenSSF to further support its activities around software development and security.
Our Roadmap for Central
While we are gearing up for the implementation of Sigstore, a few other important milestones will precede this work. The feedback we've received over the past few years showed us that what publishers need in order to manage their components, and the metadata around them, is largely the same as what the typical consumer wants to see about components, just in read-only mode.
So we're starting with those common, read-only capabilities as the first milestone in our work. The delivery of this UI and set of services will provide scaffolding for future work around publisher services, identity management, and a streamlined publishing API.
We can't wait to share our work with you, which we expect to be on the order of weeks to months away. In the meantime, some screenshots of what's coming:
[Screenshots of the upcoming Central UI]