jcommander
Create PGP_KEYS.txt file
Consumers of this project need to protect themselves against supply chain attacks by being able to check the signatures of the files downloaded from (say) Maven Central against a list of known good keys.
A not-unusual mechanism for this is to put a PGP_KEYS.txt file into either the source code repository or the project website. This saves the person signing from getting a stream of emails asking to trust the keys every time they start using a new one.
This is an initial attempt to do the former using keys which are known to have signed jcommander artifacts:
    gpg: key AC5EC74981F9CDA6: public key "Cedric Beust [email protected]" imported
    gpg: key 22E44AC0622B91C3: public key "Cedric Beust [email protected]" imported
Obviously the contents will need to be checked before this PR is accepted.
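The consumer-side check the description describes, as an added example that is not part of this PR and not jcommander's own tooling: import PGP_KEYS.txt into a throwaway keyring, verify the detached `.asc` that Maven Central serves beside every artifact, and accept only when gpg reports a VALIDSIG from a key whose fingerprint came from that file. It assumes GnuPG 2.x is on PATH as `gpg`; the status-line transcripts and fingerprints in the self-check are constructed placeholders, not the real jcommander release keys.

```python
"""Check a Maven Central download against a project's PGP_KEYS.txt.

Added example, not jcommander's own tooling. Assumes GnuPG 2.x is on PATH as
`gpg` and that PGP_KEYS.txt is an ASCII-armored export of the release keys.
The keys go into a throwaway keyring, so only fingerprints present in the file
can ever yield an accepted signature; the decision is taken from gpg's
machine-readable --status-fd lines, not from its exit code alone.
"""
import subprocess
import sys
import tempfile

# Status tags that force rejection even when a VALIDSIG line is also present
# (gpg prints EXPKEYSIG/REVKEYSIG followed by VALIDSIG for expired/revoked keys).
_REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def decide(status_lines, pinned):
    """Return (ok, reason) from gpg --status-fd output.

    ok is True only when gpg reported VALIDSIG and the signing key's primary
    fingerprint (or the subkey fingerprint itself) is in `pinned`, a set of
    upper-case 40-hex-digit fingerprints derived from PGP_KEYS.txt.
    """
    records = [ln.split() for ln in status_lines if ln.startswith("[GNUPG:] ")]
    for r in records:                      # any hard failure wins, in gpg's order
        if r[1] in _REJECT:
            return False, r[1]
    for r in records:
        if r[1] != "VALIDSIG":
            continue
        # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved> <pk-algo>
        #          <hash-algo> <class> [<primary-key-fpr>]
        fpr = r[2].upper()
        primary = r[11].upper() if len(r) > 11 else fpr
        if primary in pinned or fpr in pinned:
            return True, primary
        return False, "UNPINNED_KEY " + primary
    return False, "NO_VALIDSIG"            # GOODSIG alone is not sufficient


def pinned_fingerprints(keyfile, home, gpg="gpg"):
    """Import PGP_KEYS.txt into the throwaway keyring at `home` and return
    every fingerprint it contains (primary keys and subkeys)."""
    base = [gpg, "--homedir", home, "--batch", "--no-tty", "--quiet"]
    subprocess.run(base + ["--import", keyfile], check=True, capture_output=True)
    out = subprocess.run(base + ["--with-colons", "--list-keys"], check=True,
                         capture_output=True, text=True).stdout
    return {ln.split(":")[9].upper() for ln in out.splitlines() if ln.startswith("fpr:")}


def verify_artifact(artifact, signature, keyfile, gpg="gpg"):
    """Verify `artifact` against its detached `signature` (the .asc served next
    to each file on Maven Central) using only the keys listed in `keyfile`."""
    with tempfile.TemporaryDirectory() as home:     # mode 0700, discarded after use
        pinned = pinned_fingerprints(keyfile, home, gpg)
        proc = subprocess.run([gpg, "--homedir", home, "--batch", "--no-tty",
                               "--status-fd", "1", "--verify", signature, artifact],
                              capture_output=True, text=True)
        return decide(proc.stdout.splitlines(), pinned)


# Constructed --status-fd transcripts for the self-check; placeholder fingerprints.
PRIMARY = "1111111111111111111111111111111111111111"
SUBKEY = "2222222222222222222222222222222222222222"
OTHER = "3333333333333333333333333333333333333333"
_VALID = f"[GNUPG:] VALIDSIG {SUBKEY} 2024-01-01 1704067200 0 4 0 22 10 00 {PRIMARY}"
SAMPLES = {
    "good": ["[GNUPG:] NEWSIG", "[GNUPG:] GOODSIG 2222222222222222 Release Key", _VALID],
    "tampered": ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG 2222222222222222 Release Key"],
    "unknown": ["[GNUPG:] NEWSIG",
                "[GNUPG:] ERRSIG 3333333333333333 22 10 00 1704067200 9 " + OTHER,
                "[GNUPG:] NO_PUBKEY 3333333333333333"],
    "expired": ["[GNUPG:] NEWSIG", "[GNUPG:] EXPKEYSIG 2222222222222222 Release Key", _VALID],
    "goodsig_only": ["[GNUPG:] GOODSIG 2222222222222222 Release Key"],
}

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: verify.py ARTIFACT ARTIFACT.asc PGP_KEYS.txt")
    ok, reason = verify_artifact(*sys.argv[1:])
    print(("accepted, signed by " if ok else "REJECTED: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it as `python verify.py <artifact>.jar <artifact>.jar.asc PGP_KEYS.txt`. The exit status of `gpg --verify` is not enough on its own: it is 0 for a good signature from a key with no trust path, and a GOODSIG line can appear without VALIDSIG, so the decision is taken from VALIDSIG plus the pinned fingerprint, and expired or revoked keys are rejected even though gpg still emits VALIDSIG for them.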