JavaHamcrest

Please publish the list of the official release PGP keys

Open vlsi opened this issue 6 years ago • 0 comments

The idea is that the project page should provide clear steps to verify if the release is official. I'm afraid I've no standard way of doing that; however, it would be nice if you could mention the official PGP key ids in the Download section.

Note: the current hamcrest.org website is not available via HTTPS, so either HTTPS should be enabled first or the KEYS file should be published to the GitHub repository.

See also https://github.com/spring-projects/spring-framework/issues/23434#issuecomment-523882229

See also https://gitlab.ow2.org/asm/asm/issues/317884

See also https://github.com/junit-team/junit5/issues/2020

Sample implementation for Apache JMeter: https://jmeter.apache.org/download_jmeter.cgi. As you see, it refers to the KEYS file and links to the page with gpg commands to verify the signatures.

PS. I don't really expect that everybody would start verifying their downloads; however, making the official key ID publicly available would help for automated verifications as well.

vlsi, Sep 28 '19 14:09
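
The automated verification the issue asks for, sketched as an added example (not code from the issue or from the Hamcrest project): it reads the machine-readable status lines of `gpg --status-fd 1 --verify` and accepts a release only when every valid signature comes from a pinned primary key. The fingerprints, the sample status output and the function names are constructed for illustration; the check pins full 40-digit fingerprints rather than short key ids.

```python
import subprocess

# Constructed placeholder, not a real project key: replace it with the full
# fingerprint the project publishes over a trusted channel (HTTPS page or repo).
PINNED = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# gpg status keywords after which the signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_OK = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2019-09-28 1569679740 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def gpg_status(sig_path, artifact_path):
    """Verify a detached signature with gpg and return its status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, artifact_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True, check=False)
    return proc.stdout


def signed_by_pinned_key(status_text, pinned=PINNED):
    """True only if gpg saw valid signatures and all are from pinned keys."""
    signers = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False
        if keyword == "VALIDSIG" and args:
            # args[0] is the signing (sub)key fingerprint; the tenth field,
            # when present, is the primary key fingerprint that gets pinned.
            primary = args[9] if len(args) >= 10 else args[0]
            signers.add(primary.upper())
    # No VALIDSIG at all means nothing was verified, so that is a failure too.
    return bool(signers) and signers <= {p.upper() for p in pinned}


if __name__ == "__main__":
    print(signed_by_pinned_key(SAMPLE_OK))
```

In a build script, pass the result of `gpg_status("artifact.jar.asc", "artifact.jar")` to `signed_by_pinned_key` and fail the build when it returns `False`; the file names here are placeholders.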