Add info about which signing keys will be used for published artifacts.
For security purposes, it would be great if you were able to publish details (in the project docs) about gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.
This allows for "out of band" verification of the expected signing key.
Some examples of other libs publishing their signing keys:
Add info about which signing keys will be used for published artifacts.
For security purposes, it would be great if you were able to publish details (in the project docs) about gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.
This allows for "out of band" verification of the expected signing key.
Some examples of other libs publishing their signing keys:
https://square.github.io/okhttp/security/security/#verifying-artifacts
https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/KEYS.txt https://downloads.apache.org/commons/KEYS https://downloads.apache.org/logging/KEYS
Looks like
5.1.0was signed with a different key compared to5.0.1Looks like
5.1.0was signed with this key: https://keyserver.ubuntu.com/pks/lookup?search=9579802dc3e15de9c389239fc0d48a119ce7ee7b&fingerprint=on&op=index