Skip to content

Add info about which gpg signing keys will be used for published artifacts. #207

Closed
@yogurtearl

Description

@yogurtearl

Add info about which gpg signing keys will be used for published artifacts.

Looks like version 4.12 was published with key D477D51812E692011DB11E66A6EA2E2BF22E0543 ?

For security purposes, it would be great if you were able to publish details (in the project docs) about gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.

This allows for "out of band" verification of the expected signing key.

Some examples of other libs publishing their signing keys:

https://square.github.io/okhttp/security/security/#verifying-artifacts
https://docs.couchbase.com/java-sdk/current/project-docs/sdk-release-notes.html#verifying-artifacts

https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/KEYS.txt
https://downloads.apache.org/commons/KEYS
https://downloads.apache.org/logging/KEYS

https://github.com/cbeust/jcommander/blob/4b97c3440347bedb79e374408b8f123cf0ff4fd4/SECURITY.md#gpg-signature-validation

These keys can be used with Gradle "Dependency verification"

See example of real world usage here:

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions