Add info about which signing keys will be used for published artifacts. #473
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Add info about which signing keys will be used for published artifacts.
For security purposes, it would be great if you were able to publish the gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.
This allows for "out of band" verification of the expected signing key.
Some examples of other libs publishing their signing keys:
https://square.github.io/okhttp/security/security/#verifying-artifacts
https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/KEYS.txt
https://downloads.apache.org/commons/KEYS
https://downloads.apache.org/logging/KEYS
0.25 was signed with this key:
https://keyserver.ubuntu.com/pks/lookup?search=576234c01ec3d940352ed2e5e707f8370e7a8b89&fingerprint=on&op=index
Looks like 0.26 was signed with this key:
https://keyserver.ubuntu.com/pks/lookup?search=837b2cbb1d966c80643a2d6527f164f945828c4c&fingerprint=on&op=index
Would be good to have this mentioned in the docs and in the release notes.
The text was updated successfully, but these errors were encountered: