signalapp / gradle-witness

A gradle plugin that enables static verification for remote dependencies.
MIT License

Verify pgp signature with "certificate-pinning" #18

Open k3b opened 8 years ago

k3b commented 8 years ago

Is it possible to implement a verification system that guarantees that the PGP signatures (*.asc files) are still correct and that the PGP signer is still the same?

The current implementation of gradle-witness verifies that the checksum of the lib is correct.

As a developer, every time I wish to use a new lib version I have to update the checksum, too.

With the pinned-PGP-signer verification I can declare trust in the signer. There is no need to update the signature in the Gradle file when there are version updates. An update is only necessary if the PGP signer changes.
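A worked illustration of the pinned-signer rule this request describes, added here as an example and not code from gradle-witness or from k3b: it parses gpg's machine-readable `--status-fd` output and accepts a detached `.asc` signature only when the full fingerprint of the signing key or its primary key equals the pinned fingerprint, so a merely "good" signature from some other key in the keyring is rejected. The fingerprints, key id and status lines below are constructed sample values, and `verify_artifact` assumes a `gpg` binary and a keyring directory that already holds the pinned key.

```python
"""Pinned-signer check over gpg's machine-readable --status-fd output (constructed example)."""
import subprocess
from dataclasses import dataclass
from typing import Optional

@dataclass
class SignerCheck:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None

def check_pinned_signer(status_output: str, pinned_fpr: str) -> SignerCheck:
    """Accept only a valid signature whose signing or primary key fingerprint equals the pinned one."""
    pinned = pinned_fpr.replace(" ", "").upper()
    valid_fprs = set()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        # BADSIG: content tampered; ERRSIG: key unknown/unusable; EXPKEYSIG/REVKEYSIG: key expired/revoked.
        if keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return SignerCheck(False, f"signature rejected: {keyword}")
        if keyword == "VALIDSIG":
            # fields[2] is the full fingerprint of the (sub)key that made the signature;
            # fields[11], when present, is the primary key fingerprint. GOODSIG carries only
            # a 64-bit key id, which is not unique enough to pin on, so it is ignored here.
            subkey = fields[2].upper()
            primary = fields[11].upper() if len(fields) > 11 else subkey
            valid_fprs.update({subkey, primary})
    if not valid_fprs:
        return SignerCheck(False, "no VALIDSIG: signature did not verify")
    if pinned in valid_fprs:
        return SignerCheck(True, "signed by pinned key", pinned)
    return SignerCheck(False, "good signature, but not by the pinned key", sorted(valid_fprs)[0])

def verify_artifact(artifact: str, asc: str, pinned_fpr: str, gnupghome: str) -> SignerCheck:
    """Run gpg on a downloaded jar and its detached .asc, then apply the pinned-signer rule."""
    proc = subprocess.run(
        ["gpg", "--homedir", gnupghome, "--batch", "--status-fd", "1", "--verify", asc, artifact],
        capture_output=True, text=True)
    return check_pinned_signer(proc.stdout, pinned_fpr)

# Constructed sample status output; the key id and fingerprints are not those of any real key.
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2016-01-01 1451606400 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
```

Pinning on the primary key fingerprint lets the signer rotate signing subkeys without a build-file change; pinning on the subkey fingerprint is stricter and forces an update on every rotation.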