
Posting artifact signing key(s) in repository #217

Open
scantor opened this issue Mar 25, 2024 · 0 comments
scantor commented Mar 25, 2024

My project has an indirect build dependency on something that uses JDOM, and we do signature trust verification of all the artifacts used in our builds. We were hoping the committer(s) on this project might be willing to commit a KEYS file containing the PGP keys used to sign artifacts that end up in Maven Central as a means of verifying the keys are the right ones, as Central doesn't do any such checking.

It's a simple step, but has a lot of security benefit.

Thanks for your consideration.
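As an added example of the check the request enables (not code from the JDOM project or from the issue author): a POSIX shell script that imports a repository-committed KEYS file into a throwaway keyring, verifies a Maven Central artifact against its detached `.asc` signature, and additionally pins the primary-key fingerprint, so neither a host-trusted key nor a keyserver lookup can satisfy the check. The file names and the fingerprint allow-list are assumptions.

```shell
#!/bin/sh
# Verify a Maven artifact's PGP signature only against keys from a KEYS file
# and an explicit fingerprint allow-list. Example code; paths are assumptions.
set -eu

# Import every key in the KEYS file into a fresh keyring so that nothing
# already trusted on the host (or fetched from a keyserver) is consulted.
import_keys_file() {                      # $1 = KEYS file from the repository
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --import "$1" 2>/dev/null
}

# Returns 0 (and prints the fingerprint) only when the signature is valid AND
# the primary key that made it is in the allow-list; 1 on a bad/unknown
# signature, 2 on a valid signature from an unexpected key.
# $1 = artifact, $2 = detached signature (.asc), $3 = space-separated fingerprints
verify_artifact() {
  status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
  # Status line: "[GNUPG:] VALIDSIG <sig-key-fpr> ... <primary-key-fpr>"
  fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
  [ -n "$fpr" ] || return 1
  for allowed in $3; do
    [ "$fpr" = "$allowed" ] && { printf '%s\n' "$fpr"; return 0; }
  done
  echo "signature valid but key $fpr is not an expected signing key" >&2
  return 2
}

# Example invocation (file names and EXPECTED_FPR are placeholders):
#   import_keys_file KEYS
#   verify_artifact jdom2-VERSION.jar jdom2-VERSION.jar.asc "$EXPECTED_FPR"
```

Without the fingerprint allow-list, any key in KEYS (or, with a shared keyring, any key on the host) would pass; the allow-list is what turns "a valid signature" into "a signature from the key the project publishes".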
