jcommander
Please document your gpg keys
We use Dependency Verification, and currently there is no documentation stating which keys are safe.
Could you please document this?
For example, 1.81 was signed using dcba03381ef6c89096acd985ac5ec74981f9cda6.
But 1.82 was signed using 22E44AC0622B91C3.
Here are some examples of other projects documenting what key they use to sign their artifacts.
https://github.com/qos-ch/slf4j/blob/master/SECURITY.md#verifying-contents
https://square.github.io/okhttp/security/security/#verifying-artifacts
https://downloads.apache.org/logging/KEYS