census-instrumentation / opencensus-java

A stats collection and distributed tracing framework
https://opencensus.io
Apache License 2.0

Signatures of Artifacts in Maven Central Reference Unpublished PGP Key #2098

Closed RyanHoldren closed 2 years ago

RyanHoldren commented 2 years ago

What version of OpenCensus are you using?

0.31.0

What JVM are you using (java -version)?

It's not really applicable, but we are using...

openjdk version "17.0.2" 2022-01-18 LTS
OpenJDK Runtime Environment Zulu17.32+13-CA (build 17.0.2+8-LTS)
OpenJDK 64-Bit Server VM Zulu17.32+13-CA (build 17.0.2+8-LTS, mixed mode)

What did you do?

We are using dependency verification in Gradle and we ran into an issue. Gradle cannot find your public key on any of the default key servers.

I am looking at the signature of the POM file via gpg -vv and it references a key with an id of AC7A514BC9F9BB70.

What did you expect to see?

I see that your documentation for releasing instructs maintainers to publish their public key, but I manually checked all the common key servers and none of them have AC7A514BC9F9BB70.

It should have been published on at least one (ideally all) of Gradle's default key servers and ideally on your website as well.

In the meantime, it is easy to work around this issue in Gradle by explicitly ignoring the key.

<ignored-keys>
   <ignored-key id="ac7a514bc9f9bb70" reason="Key couldn't be downloaded from any key server"/>
</ignored-keys>
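The check described in the report, reading the key ID that a detached signature references (what `gpg -vv` shows) and comparing it with the `<ignored-keys>` entry, as an added Python example; this is not code from opencensus-java or from the issue. It parses the OpenPGP packet layout of RFC 4880 directly so it runs offline: `dearmor`, `parse_packet`, `subpackets`, `issuer_key_id`, `ignored_key_ids`, `signature_policy` and `build_sample_signature` are this example's own names, `SAMPLE_METADATA` is the issue's fragment wrapped in a root element, and the signature the block builds is a constructed fixture with no valid cryptographic content, carrying only an Issuer subpacket for the key ID from the report.

```python
"""Added example, not opencensus-java code: read the issuer key ID that a detached
OpenPGP signature names (what gpg -vv reports) and check it against the
<ignored-keys> list of a Gradle verification-metadata.xml."""
import base64
import struct
import xml.etree.ElementTree as ET

SUBPKT_ISSUER = 16  # RFC 4880 5.2.3.5: Issuer subpacket carrying the 8-octet key ID

# Constructed fixture: the fragment from the issue, wrapped in a root element.
SAMPLE_METADATA = """<verification-metadata>
  <ignored-keys>
    <ignored-key id="ac7a514bc9f9bb70" reason="Key couldn't be downloaded from any key server"/>
  </ignored-keys>
</verification-metadata>"""


def dearmor(text):
    """Return the packet bytes inside a -----BEGIN PGP SIGNATURE----- block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN PGP SIGNATURE-----":
        raise ValueError("not an armoured PGP signature")
    body, in_body = [], False
    for ln in lines[1:]:
        if ln.startswith("-----END PGP SIGNATURE-----"):
            break
        if not in_body and (ln == "" or ":" in ln):  # armour headers end at a blank line
            in_body = ln == ""
            continue
        in_body = True
        if not ln.startswith("="):                    # drop the trailing CRC-24 line
            body.append(ln)
    return base64.b64decode("".join(body))


def parse_packet(data):
    """Decode one OpenPGP packet header (old or new format); return (tag, body)."""
    hdr = data[0]
    if hdr & 0x40:                                    # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                             # old-format header (what gpg emits)
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        off = 1 + (1, 2, 4)[ltype]                    # ltype 3 (indeterminate) is rejected
        length = int.from_bytes(data[1:off], "big")
    return tag, data[off:off + length]


def subpackets(buf):
    """Yield (type, data) for each subpacket in a signature subpacket area."""
    i = 0
    while i < len(buf):
        first = buf[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + buf[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
        yield buf[i] & 0x7F, buf[i + 1:i + length]    # length counts the type octet
        i += length


def issuer_key_id(asc_text):
    """Upper-case hex key ID named by the Issuer subpacket of a v4 signature."""
    tag, body = parse_packet(dearmor(asc_text))
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    pos = 6 + struct.unpack(">H", body[4:6])[0]      # end of the hashed area
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    # Both areas are whole subpackets, so they can be scanned as one sequence;
    # gpg places the Issuer subpacket in the unhashed area.
    for sp_type, sp_data in subpackets(body[6:pos] + body[pos + 2:pos + 2 + unhashed_len]):
        if sp_type == SUBPKT_ISSUER and len(sp_data) == 8:
            return sp_data.hex().upper()
    raise ValueError("signature carries no Issuer subpacket")


def ignored_key_ids(metadata_xml):
    """Lower-case key IDs under <ignored-keys>, ignoring any XML namespace."""
    root = ET.fromstring(metadata_xml)
    return {el.get("id").lower() for el in root.iter() if el.tag.endswith("ignored-key")}


def signature_policy(asc_text, metadata_xml):
    """'ignored' when the signing key is on Gradle's ignore list, else 'checked'."""
    ignored = issuer_key_id(asc_text).lower() in ignored_key_ids(metadata_xml)
    return "ignored" if ignored else "checked"


def build_sample_signature(key_id_hex):
    """Constructed fixture: a minimal, cryptographically meaningless v4 signature
    packet naming key_id_hex as issuer, wrapped in ASCII armour."""
    issuer = bytes.fromhex(key_id_hex)
    hashed = bytes([5, 2]) + struct.pack(">I", 1_650_000_000)    # type 2: creation time
    unhashed = bytes([len(issuer) + 1, SUBPKT_ISSUER]) + issuer  # type 16: issuer key ID
    body = (bytes([4, 0, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x12\x34\x00\x08\xab")
    packet = bytes([0x89]) + struct.pack(">H", len(body)) + body  # old-format tag 2 header
    b64 = base64.b64encode(packet).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n-----END PGP SIGNATURE-----\n"
```

Running `signature_policy` over the `.asc` files in a Gradle cache against the project's verification-metadata.xml lists which artifacts are signed by a key the build has been told to ignore; for those, the signature is not what Gradle verifies, so any remaining assurance comes from checksum entries rather than from the publisher's key. The parser reads only a single v4 signature packet and the Issuer subpacket, which is what is needed to answer the question in the report.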

punya commented 2 years ago

Thanks for flagging this. I was a bit surprised, because I thought I'd uploaded the key and that OSSRH needed to be able to access the key in order to validate the release. In any case, I uploaded the key to keys.openpgp.org (again?) just now, and verified that https://keys.openpgp.org/search?q=AC7A514BC9F9BB70 returns a meaningful result.