search

stleary / JSON-java

A reference implementation of a JSON package in Java.
http://stleary.github.io/JSON-java/index.html
Other
4.51k stars 2.56k forks source link

Add info about which signing keys will be used for published artifacts. #767

Open yogurtearl opened 1 year ago

yogurtearl commented 1 year ago

Add info about which signing keys will be used for published artifacts.

Looks like the signing key changed for the 20230618 release.

20230618 appears to be signed with this key: https://keyserver.ubuntu.com/pks/lookup?search=fb35c8d02b4724dada23de0afd116c1969fccff3&fingerprint=on&op=index

For security purposes, it would be great if you were able to publish details (in the project docs) about the gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.

This allows for "out of band" verification of the expected signing key.

Some examples of other libs publishing their signing keys:

https://square.github.io/okhttp/security/security/#verifying-artifacts

https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/KEYS.txt https://downloads.apache.org/commons/KEYS https://downloads.apache.org/logging/KEYS

mathjeff commented 7 months ago

Thanks - I was wondering about this too, and the key I noticed for json-20231013.pom seems to match the one you mention in this issue