You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We have an open source project with an indirect (build-time) dependency on the x-stream library and some of its dependencies (e.g. mxparser) and were hoping somebody affiliated with the project would be willing to post the GPG key(s) used to sign released artifacts in Central in your github repository in a KEYS file as a means of closing the trust loop to allow us to verify the signatures on them.
Fairly simple to do and is a nice help to securing the supply chain for Java builds for those like us who verify all of the artifacts that are used in the build.
If I can clarify any of that, please just ask.
The text was updated successfully, but these errors were encountered:
We have an open source project with an indirect (build-time) dependency on the x-stream library and some of its dependencies (e.g. mxparser) and were hoping somebody affiliated with the project would be willing to post the GPG key(s) used to sign released artifacts in Central in your github repository in a KEYS file as a means of closing the trust loop to allow us to verify the signatures on them.
Fairly simple to do and is a nice help to securing the supply chain for Java builds for those like us who verify all of the artifacts that are used in the build.
If I can clarify any of that, please just ask.
The text was updated successfully, but these errors were encountered: