JSON-java icon indicating copy to clipboard operation
JSON-java copied to clipboard
verified publisher icon stleary

Add info about which signing keys will be used for published artifacts.

Open yogurtearl opened this issue 2 years ago • 2 comments

Add info about which signing keys will be used for published artifacts.

Looks like the signing key changed for the 20230618 release.

20230618 appears to be signed with this key: https://keyserver.ubuntu.com/pks/lookup?search=fb35c8d02b4724dada23de0afd116c1969fccff3&fingerprint=on&op=index

For security purposes, it would be great if you were able to publish details (in the project docs) about the gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.

This allows for "out of band" verification of the expected signing key.

Some examples of other libs publishing their signing keys:

https://square.github.io/okhttp/security/security/#verifying-artifacts

https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/KEYS.txt https://downloads.apache.org/commons/KEYS https://downloads.apache.org/logging/KEYS

yogurtearl avatar Sep 04 '23 16:09 yogurtearl

Thanks - I was wondering about this too, and the key I noticed for json-20231013.pom seems to match the one you mention in this issue

mathjeff avatar Feb 14 '24 16:02 mathjeff

In progress...

stleary avatar May 18 '25 17:05 stleary