Closed silnith closed 2 years ago
@silnith , what do you think of https://www.sigstore.dev/ ?
This issue may be closed. We've submitted a PR to the pgp-keys-map project covering this already. This java-annotations project has published their PGP key, which is sufficient for positive identification: https://github.com/s4u/pgp-keys-map/pull/688
Maven Central requires all published artifacts to be signed using PGP. If a publisher provides their key ID to PGP keys map then end users can use the Verify PGP signatures plugin to validate that the artifact has not been altered or replaced as part of a supply-chain attack.