Posting/verifying signing keys used for artifacts in Maven Central? #359
Comments
|
I'll add a KEYS file with the public key used to sign all recent versions (same key was used for mxparser). |
joehni
added a commit
that referenced
this issue
Mar 23, 2024
|
Much thanks, appreciated! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We have an open source project with an indirect (build-time) dependency on the x-stream library and some of its dependencies (e.g. mxparser) and were hoping somebody affiliated with the project would be willing to post the GPG key(s) used to sign released artifacts in Central in your github repository in a KEYS file as a means of closing the trust loop to allow us to verify the signatures on them.
Fairly simple to do and is a nice help to securing the supply chain for Java builds for those like us who verify all of the artifacts that are used in the build.
If I can clarify any of that, please just ask.
The text was updated successfully, but these errors were encountered: