jodersky / sbt-gpg

Simple and secure artifact signing for sbt.

Support for failing the build in the event signing failed #3

Closed djspiewak closed 6 years ago

djspiewak commented 6 years ago

One of the things I really like about publishSigned is I know the published artifacts are signed when it completes, without reading for warnings. I would very much prefer to use sbt-gpg in that mode of operation. There are no circumstances where I want publish to complete successfully without signing. None. I could see an argument for publishLocal, but not publish. To that end, I would like there to be a setting which changes the default behavior from warn-on-failure to fail-on-failure, to ensure that signing is enforced.

jodersky commented 6 years ago

Originally, I wanted a soft failure mode to stay out of the way of developers who do not have gpg set up locally. IMO security tools need sane defaults and should be easy to use, otherwise people will not use them at all. That being said, I think you make a very compelling argument on the difference between the publish and publishLocal tasks. I would suggest we make fail-on-failure the default behavior for publish, and keep warn-on-failure for publishLocal.

djspiewak commented 6 years ago

I would suggest we make fail-on-failure the default behavior for publish, and keep warn-on-failure for publishLocal.

@jodersky I'm 100% in agreement. I still like the idea of both being configurable but the defaults you describe would be the ones I would use on all my projects, public and private.

jodersky commented 6 years ago

Sure, it should be configurable. I was just thinking about defaults.