cbeust / jcommander

Command line parsing framework for Java
Apache License 2.0

Create PGP_KEYS.txt file #537

Closed rodwiddowson closed 2 years ago

rodwiddowson commented 2 years ago

Consumers of this project need to protect themselves against supply chain attacks by being able to check the signatures of the files downloaded from (say) Maven Central against a list of known good keys.

A not-unusual mechanism for this is to put a PGP_KEYS.txt file into either the source code repository or the project website. This saves the person signing from getting a stream of emails asking to trust the keys every time they start using a new one.

This is an initial attempt to do the former using keys which are known to have signed jcommander artifacts:

gpg: key AC5EC74981F9CDA6: public key "Cedric Beust <cedric@beust.com>" imported
gpg: key 22E44AC0622B91C3: public key "Cedric Beust <cedric@beust.com>" imported

Obviously the contents will need to be checked before this PR is accepted.
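The consumer-side check the PR is meant to enable, as an added example that is neither jcommander's code nor part of this PR: import the key material from a PGP_KEYS.txt file into a throw-away GnuPG home (so the user's own keyring and whatever it already trusts play no part), verify the artifact's detached `.asc` signature there, and then require the signing key's fingerprint to appear in a list the consumer pins in its own repository. The pinned list is the part that catches a tampered KEYS file. It assumes `gpg` 2.x on PATH; the file names are placeholders, and the sample status output is constructed (the page only shows the two long key IDs, so the full fingerprint in the sample is a placeholder built around one of them). The exit code of `gpg --verify` is deliberately not the decision: gpg exits 0 for a good signature from a key whose trust is undefined, which is exactly the situation with freshly imported keys.

```shell
#!/bin/sh
# Added example, not part of jcommander or of this PR. Verifies a downloaded
# artifact's detached .asc signature using ONLY the key material from a
# PGP_KEYS.txt file, in a throw-away GnuPG home, and then requires the
# signing key's fingerprint to match a fingerprint list pinned by the
# consumer. Assumes gpg 2.x on PATH; all file names are placeholders.
set -eu

# Extract the primary-key fingerprint from "gpg --status-fd" output.
# VALIDSIG fields: [GNUPG:] VALIDSIG <sigkey-fpr> <date> <ts> <exp> <ver>
#   <reserved> <pubkey-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
# Prints nothing when no VALIDSIG record exists (bad or missing signature).
valid_sig_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            print ($12 != "" ? $12 : $3); exit }' "$1"
}

# Succeed only if fingerprint $1 appears in pinned-list file $2
# (one 40-hex-digit fingerprint per line; '#' comments and blanks ignored).
fingerprint_allowed() {
    fp=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    grep -v '^[[:space:]]*#' "$2" | tr -d ' \t' | tr 'a-f' 'A-F' | grep -qx "$fp"
}

# Full check: import PGP_KEYS.txt into an isolated keyring, verify, compare.
# Usage: verify_against_keys PGP_KEYS.txt pinned.txt artifact.jar artifact.jar.asc
verify_against_keys() {
    keys_file=$1; pinned=$2; artifact=$3; signature=$4
    home=$(mktemp -d)
    trap 'rm -rf "$home"' EXIT
    # Isolated keyring: only the keys from the KEYS file exist here.
    gpg --batch --quiet --homedir "$home" --import "$keys_file"
    # gpg exits 0 for a good signature even when the key's trust is
    # undefined, so the exit code is ignored; the status stream is parsed
    # and the fingerprint is compared against the pinned list instead.
    gpg --batch --status-fd 1 --homedir "$home" \
        --verify "$signature" "$artifact" > "$home/status.txt" 2>/dev/null || true
    fpr=$(valid_sig_fingerprint "$home/status.txt")
    if [ -z "$fpr" ]; then
        echo "FAIL: no valid signature for $artifact" >&2; return 1
    fi
    if ! fingerprint_allowed "$fpr" "$pinned"; then
        echo "FAIL: $artifact signed by unpinned key $fpr" >&2; return 1
    fi
    echo "OK: $artifact signed by pinned key $fpr"
}

# Constructed sample of gpg status output (not from a real verification).
# The trailing 16 hex digits reuse the long key ID quoted in the PR; the
# rest is a placeholder because the page does not show the full fingerprint.
sample_status_lines() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 22E44AC0622B91C3 Cedric Beust <cedric@beust.com>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAA22E44AC0622B91C3 2022-01-01 1640995200 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAA22E44AC0622B91C3
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Run the real check only when all four paths are given on the command line.
if [ "$#" -eq 4 ]; then
    verify_against_keys "$@"
fi
```

Run it as `sh verify.sh PGP_KEYS.txt pinned.txt jcommander-<version>.jar jcommander-<version>.jar.asc`, where `pinned.txt` holds the full 40-digit fingerprints of the keys you have decided to trust, one per line. Pinning full fingerprints rather than the 16-digit key IDs printed by `gpg --import` is the conservative choice; the KEYS file supplies the key material, the pinned list supplies the trust decision.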