x-stream/xstream

Posting/verifying signing keys used for artifacts in Maven Central?

Closed this issue · 2 comments

We have an open source project with an indirect (build-time) dependency on the x-stream library and some of its dependencies (e.g. mxparser) and were hoping somebody affiliated with the project would be willing to post the GPG key(s) used to sign released artifacts in Central in your github repository in a KEYS file as a means of closing the trust loop to allow us to verify the signatures on them.

Fairly simple to do and is a nice help to securing the supply chain for Java builds for those like us who verify all of the artifacts that are used in the build.

If I can clarify any of that, please just ask.
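The verification step the reporter describes, as an added example that is not part of this thread or of the XStream project: a POSIX shell function that imports a project's KEYS file into a throwaway keyring, verifies an artifact's detached `.asc` signature as published on Maven Central, and accepts it only when the signing key's primary fingerprint is one of the keys in KEYS. The local file names (`KEYS`, the jar and its `.asc`) are assumptions; fetching them is left to the caller.

```shell
#!/bin/sh
# Added example, not code from the thread or the project.
# Assumed inputs: a KEYS file (ASCII-armored public keys), the artifact
# downloaded from Maven Central, and its detached .asc signature.
set -eu

# verify_against_keys KEYS_FILE ARTIFACT SIGNATURE
# Returns 0 only if the signature verifies AND the primary fingerprint of
# the signing key is one of the keys contained in KEYS_FILE. A temporary
# GNUPGHOME is used so the caller's own keyring never influences the result.
verify_against_keys() {
    keys_file=$1; artifact=$2; sig=$3
    tmp=$(mktemp -d); chmod 700 "$tmp"

    # Import only the project's published keys into the isolated keyring.
    GNUPGHOME=$tmp gpg --batch --quiet --import "$keys_file" 2>/dev/null \
        || { rm -rf "$tmp"; return 1; }

    # Fingerprints of every key now in the keyring (the KEYS file contents).
    allowed=$(GNUPGHOME=$tmp gpg --batch --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10}')

    # Machine-readable status on stdout; a VALIDSIG line is emitted only for a
    # good signature, and its last field is the primary key fingerprint.
    status=$(GNUPGHOME=$tmp gpg --batch --status-fd 1 \
        --verify "$sig" "$artifact" 2>/dev/null || true)
    rm -rf "$tmp"

    fpr=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $NF; exit}')
    [ -n "$fpr" ] || return 1            # no valid signature (or NO_PUBKEY)
    printf '%s\n' "$allowed" | grep -qx "$fpr"   # signer must be in KEYS
}

# Usage: verify_against_keys KEYS xstream-1.4.20.jar xstream-1.4.20.jar.asc
```

Fetching the artifact and `.asc` from a mirror is not enough on its own: the check above only means something because the KEYS file is obtained over a separate channel (the project's source repository) from the artifacts it vouches for.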

I'll add a KEYS file with the public key used to sign all recent versions (same key was used for mxparser).

Much thanks, appreciated!