Add info about which signing keys will be used for published artifacts. - Githubissues

willowtreeapps / assertk

assertions for kotlin inspired by assertj

MIT License

760 stars 85 forks source link

Add info about which signing keys will be used for published artifacts. #473

Open yogurtearl opened 1 year ago

yogurtearl commented 1 year ago

Add info about which signing keys will be used for published artifacts.

For security purposes, it would be great if you were able to publish the gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.

This allows for "out of band" verification of the expected signing key.

Some examples of other libs publishing their signing keys:

https://square.github.io/okhttp/security/security/#verifying-artifacts

https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/KEYS.txt https://downloads.apache.org/commons/KEYS https://downloads.apache.org/logging/KEYS

0.25 was signed with this key: https://keyserver.ubuntu.com/pks/lookup?search=576234c01ec3d940352ed2e5e707f8370e7a8b89&fingerprint=on&op=index

Looks like 0.26 was signed with this key: https://keyserver.ubuntu.com/pks/lookup?search=837b2cbb1d966c80643a2d6527f164f945828c4c&fingerprint=on&op=index

Would be good to have this mentioned in the docs and in the release notes.

evant commented 1 year ago

Good idea! Note: the key was rotated because of the circle ci breach