x-stream / xstream

Serialize Java objects to XML and back again.
http://x-stream.github.io

Posting/verifying signing keys used for artifacts in Maven Central? #359

Closed scantor closed 8 months ago

scantor commented 8 months ago

We have an open source project with an indirect (build-time) dependency on the x-stream library and some of its dependencies (e.g. mxparser) and were hoping somebody affiliated with the project would be willing to post the GPG key(s) used to sign released artifacts in Central in your github repository in a KEYS file as a means of closing the trust loop to allow us to verify the signatures on them.

This is fairly simple to do and is a nice help in securing the supply chain for Java builds for those like us who verify all of the artifacts that are used in the build.

If I can clarify any of that, please just ask.
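The verification step scantor describes, closing the trust loop by checking a Central artifact's signature against the key published in the repository's KEYS file, as an added example that is not the xstream project's own tooling: `TRUSTED_FPRS`, `check_status` and `verify_artifact` are names assumed here, and the fingerprint is a placeholder to be replaced with the one taken from the reviewed KEYS file.

```shell
#!/bin/sh
# Added example (not from the xstream project): verify a Maven Central artifact
# signature against the project's published KEYS file and pin the signing key.

# Fingerprint(s) copied from the project's KEYS file after reviewing it.
# PLACEHOLDER: replace with the real primary-key fingerprint(s) from KEYS.
TRUSTED_FPRS="0000000000000000000000000000000000000000"

# check_status STATUS_TEXT
# Reads gpg --status-fd output and succeeds only if a VALIDSIG line names a
# primary-key fingerprint listed in TRUSTED_FPRS. A cryptographically good
# signature from an unlisted key is rejected: the KEYS file, not whatever
# happens to be in a keyring, defines who may sign the artifacts.
check_status() {
    status="$1"
    # VALIDSIG fields: $3 = signing (possibly sub)key fpr, $12 = primary-key fpr.
    # Older gpg omits $12, so fall back to $3 in that case.
    fpr=$(printf '%s\n' "$status" \
        | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print ($12 != "") ? $12 : $3; exit}')
    [ -n "$fpr" ] || return 1
    for trusted in $TRUSTED_FPRS; do
        [ "$fpr" = "$trusted" ] && return 0
    done
    return 1
}

# verify_artifact KEYS_FILE ARTIFACT
# Imports KEYS into a throwaway keyring so no other key on the host can satisfy
# the check, then verifies ARTIFACT.asc (the detached signature from Central)
# against ARTIFACT and applies the fingerprint pin above.
verify_artifact() {
    keys="$1"; artifact="$2"
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --batch --quiet --import "$keys" 2>/dev/null \
        || { rm -rf "$tmp"; return 1; }
    status=$(gpg --homedir "$tmp" --batch --status-fd 1 \
                 --verify "$artifact.asc" "$artifact" 2>/dev/null)
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && check_status "$status"
}
```

A build that calls `verify_artifact KEYS xstream-<version>.jar` for each downloaded jar and aborts on failure enforces the pin; the artifact and its `.asc` must both have been fetched from Central first.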

joehni commented 8 months ago

I'll add a KEYS file with the public key used to sign all recent versions (same key was used for mxparser).

scantor commented 8 months ago

Much thanks, appreciated!