You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add info about which gpg signing keys will be used for published artifacts.
This is useful for historical artifacts even if this is no longer maintained.
For security purposes, it would be great if you were able to publish details (in the project docs) about gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.
This allows for "out of band" verification of the expected signing key.
Some examples of other libs publishing their signing keys:
Add info about which gpg signing keys will be used for published artifacts.
This is useful for historical artifacts even if this is no longer maintained.
For security purposes, it would be great if you were able to publish details (in the project docs) about gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.
This allows for "out of band" verification of the expected signing key.
Some examples of other libs publishing their signing keys:
https://square.github.io/okhttp/security/security/#verifying-artifacts
https://docs.couchbase.com/java-sdk/current/project-docs/sdk-release-notes.html#verifying-artifacts
https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/KEYS.txt
https://downloads.apache.org/commons/KEYS
https://downloads.apache.org/logging/KEYS
https://github.com/google/j2objc/blob/e9aa1bfcdc6ce4bad32f7263618892ca44b9cc1b/README.md#artifact-signatures
https://github.com/pgjdbc/pgjdbc/blob/13433a65fb44a07658a1c26174b88a5fa0fd4952/KEYS
https://github.com/cbeust/jcommander/blob/4b97c3440347bedb79e374408b8f123cf0ff4fd4/SECURITY.md#gpg-signature-validation
These keys can be used with Gradle "Dependency verification"
See example of real world usage here: