Posting/verifying signing keys used for artifacts in Maven Central? #359

Closed
scantor opened this issue Mar 19, 2024 · 2 comments

scantor commented Mar 19, 2024

We have an open source project with an indirect (build-time) dependency on the x-stream library and some of its dependencies (e.g. mxparser) and were hoping somebody affiliated with the project would be willing to post the GPG key(s) used to sign released artifacts in Central in your GitHub repository in a KEYS file, as a means of closing the trust loop to allow us to verify the signatures on them.

This is fairly simple to do and is a nice help in securing the supply chain for Java builds for those like us who verify all of the artifacts that are used in the build.

If I can clarify any of that, please just ask.
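The verification step this request enables, as an added example that is not code from the issue or from the XStream project: import the project's published KEYS file into a throwaway keyring, verify the artifact's detached `.asc` signature, and accept it only when the signing key's primary fingerprint is one of those in KEYS (a merely "good" signature from any key in the keyring is not enough). The repo1 URL layout, the coordinate `org.example:demo`, and the KEYS file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the XStream project): verify a Maven
# Central artifact's detached .asc signature against the public keys that a
# project publishes in a KEYS file, accepting only signatures made by a
# primary key listed there.
set -eu

# Maven Central URL for a groupId:artifactId:version coordinate (dots in the
# groupId become path separators). Assumes the standard repo1 layout.
central_url() {
  printf 'https://repo1.maven.org/maven2/%s/%s/%s/%s-%s.jar\n' \
    "$(printf '%s' "$1" | tr . /)" "$2" "$3" "$2" "$3"
}

# Import every key block in a KEYS file into an isolated keyring (a throwaway
# GNUPGHOME, so the system keyring is never touched) and print the primary-key
# fingerprints it contains; these form the allow-list for verification.
import_keys() {
  keys_file=$1; home=$2
  gpg --homedir "$home" --batch --quiet --import "$keys_file" 2>/dev/null
  gpg --homedir "$home" --batch --with-colons --list-keys 2>/dev/null |
    awk -F: '$1=="pub"{p=1} $1=="sub"{p=0} $1=="fpr" && p {print $10}'
}

# Verify artifact against its .asc. A cryptographically good signature is not
# enough: the VALIDSIG status line's primary-key fingerprint (field 12) must
# also appear in the allow-list, otherwise any key in the keyring would do.
verify_artifact() {
  home=$1; artifact=$2; sig=$3; allowed=$4
  out=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null) || return 1
  primary=$(printf '%s\n' "$out" | awk '$2=="VALIDSIG"{print $12}')
  [ -n "$primary" ] || return 1
  printf '%s\n' "$allowed" | grep -Fqix -- "$primary"
}

# Stand-alone use with a KEYS file plus a downloaded artifact and its .asc, e.g.
#   curl -fsSLO "$(central_url org.example demo 1.0)"
#   curl -fsSLO "$(central_url org.example demo 1.0).asc"
#   ./verify.sh KEYS demo-1.0.jar demo-1.0.jar.asc
if [ $# -eq 3 ]; then
  home=$(mktemp -d); chmod 700 "$home"
  allowed=$(import_keys "$1" "$home")
  if verify_artifact "$home" "$2" "$3" "$allowed"; then
    echo "OK: $2 is signed by a key published in $1"
  else
    echo "FAIL: $2 is not signed by a key published in $1" >&2; rm -rf "$home"; exit 1
  fi
  rm -rf "$home"
fi
```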

@joehni joehni self-assigned this Mar 22, 2024
@joehni joehni added this to the 1.4.x milestone Mar 23, 2024
joehni (Member) commented Mar 23, 2024

I'll add a KEYS file with the public key used to sign all recent versions (same key was used for mxparser).

scantor (Author) commented Mar 25, 2024

Much thanks, appreciated!
