xerial / sqlite-jdbc

SQLite JDBC Driver
Apache License 2.0

Add info about which signing keys will be used for published artifacts #1049

Closed yogurtearl closed 8 months ago

yogurtearl commented 10 months ago

Add info about which signing keys will be used for published artifacts.

For security purposes, it would be great if you were able to publish details (in the project docs) about gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.

This allows for "out of band" verification of the expected signing key.

Some examples of other libs publishing their signing keys:

https://square.github.io/okhttp/security/security/#verifying-artifacts

https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/KEYS.txt

https://downloads.apache.org/commons/KEYS

https://downloads.apache.org/logging/KEYS

gotson commented 10 months ago

Up to @xerial since his key is being used in CI.

xerial commented 10 months ago

I think this key (fingerprint) has been used for releasing sqlite-jdbc:

Taro L. Saito (For GitHub Actions) <leo@xerial.org> C1CB A75E C9BD 0BAF 8061  9354 59E0 5CE6 1818 7ED4

gotson commented 10 months ago

@yogurtearl did you test the manual verification with the above key?

yogurtearl commented 9 months ago

yep, that is the key that is being used to sign the latest binaries, would be helpful to put it in the docs, on the website or in the README.
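
A manual check of the kind asked about above, as an added example (not code from this issue or from the sqlite-jdbc project): it pins the fingerprint xerial posted and accepts a Maven Central artifact only if gpg's `VALIDSIG` status line names that key, rather than trusting a bare "Good signature" from whatever key happens to be in the keyring. The Maven Central path, the keyserver and the default version are assumptions; the status lines in the test are constructed.

```shell
#!/bin/sh
# Release-signing key for sqlite-jdbc as stated in this issue (out-of-band pin).
EXPECTED_FPR="C1CB A75E C9BD 0BAF 8061  9354 59E0 5CE6 1818 7ED4"

# Normalise a fingerprint for comparison: drop spaces, upper-case hex.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Parse gpg --status-fd output; succeed only if a VALIDSIG line names the pinned key.
# VALIDSIG fields: <sig-key-fpr> <date> <ts> <expire> <ver> <rsv> <pk-algo> <hash> <class> <primary-fpr>
# Both the signing (sub)key and the primary-key fingerprint are accepted as a match.
check_validsig() {
  status="$1"
  want=$(norm_fpr "$2")
  printf '%s\n' "$status" | awk -v want="$want" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" { if ($3 == want || $NF == want) ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# End-to-end check against Maven Central (assumed layout; needs curl, gpg, network).
# Fetches the jar and its detached .asc, imports the pinned key, then verifies and pins.
verify_sqlite_jdbc() {
  ver="${1:-3.45.2.0}"
  base="https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/$ver"
  jar="sqlite-jdbc-$ver.jar"
  curl -fsSLO "$base/$jar" && curl -fsSLO "$base/$jar.asc" || return 2
  # Keyserver is an assumption; any keyring that holds the pinned key works.
  gpg --keyserver keyserver.ubuntu.com --recv-keys "$(norm_fpr "$EXPECTED_FPR")" >/dev/null 2>&1 || return 3
  status=$(gpg --status-fd 1 --verify "$jar.asc" "$jar" 2>/dev/null)
  check_validsig "$status" "$EXPECTED_FPR"
}
```

Run `verify_sqlite_jdbc 3.45.2.0` and check `$?`: 0 means the signature is valid and made by the pinned key; a valid signature from any other key still fails.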

gotson commented 9 months ago

> yep, that is the key that is being used to sign the latest binaries, would be helpful to put it in the docs, on the website or in the README.

we would accept a PR in the readme, as we don't have a website.

prubel commented 8 months ago

I ran into the same problem and just added https://github.com/xerial/sqlite-jdbc/pull/1076 with an update for the key.

github-actions[bot] commented 8 months ago

🎉 This issue has been resolved in 3.45.2.0 (Release Notes)