Request for posting of Maven signing key(s) #997

Open
scantor opened this issue Feb 16, 2024 · 1 comment

scantor commented Feb 16, 2024

Hi,

In considering the use of Thymeleaf, my project has to be able to verify the GPG signatures on all the artifacts we use from Maven Central, which has no adequate security safeguards. I see the expected identity in the signing key used, but need to independently verify that key, so I was hoping the project might consider posting a PGP_KEYS file in the repository with the key(s) that may be encountered in verifying the artifacts produced.

That may be just Daniel Fernandez' key (839323A4780D5BF9A6978970152888E10EF880B3), or might be more extensive.

I have to chase down all the dependencies as well, but am starting with the top level.

Thanks for your attention!

scantor commented Feb 16, 2024

It appears attoparser and unbescape are signed by the same person, so I'd include those projects in this request to avoid filing a duplicate issue but can if desired.
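Added example, not part of the issue and not code from the Thymeleaf project: once a key has been confirmed out of band, verification should accept an artifact only when the signature is valid and was made under the pinned primary-key fingerprint, not merely by any key present in the local keyring. The sketch below evaluates GnuPG's `--status-fd` output; the function name, the sample status lines and the decision to reject expired keys are assumptions of this example.

```python
# Added example. Evaluates the machine-readable status output of:
#   gpg --status-fd 1 --verify artifact.jar.asc artifact.jar
PINNED_FPR = "839323A4780D5BF9A6978970152888E10EF880B3"  # fingerprint quoted in the issue
PINNED = {PINNED_FPR}
# Fail closed on these; rejecting EXPKEYSIG is a policy choice of this example.
FATAL = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}

def check_status(status_text, pinned=PINNED):
    """Return (ok, reason); ok only if every signature is valid and its
    primary-key fingerprint is pinned."""
    primaries = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG":
            # args[0] is the key that made the signature (possibly a subkey);
            # the tenth and last field is the primary key fingerprint.
            if len(args) < 10:
                return False, "malformed VALIDSIG"
            primaries.append(args[9].upper())
    if not primaries:
        return False, "no valid signature"
    for fpr in primaries:
        if fpr not in pinned:
            return False, "unpinned key " + fpr
    return True, "pinned key " + primaries[0]

# Constructed status lines (not captured from a real verification run).
SUBKEY, OTHER = "A" * 40, "B" * 40
TAIL = "2024-02-16 1708041600 0 4 0 1 8 00"
GOOD = f"[GNUPG:] NEWSIG\n[GNUPG:] VALIDSIG {SUBKEY} {TAIL} {PINNED_FPR}\n"
UNPINNED = f"[GNUPG:] NEWSIG\n[GNUPG:] VALIDSIG {OTHER} {TAIL} {OTHER}\n"
TAMPERED = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 152888E10EF880B3 Constructed Signer\n"

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("unpinned", UNPINNED), ("tampered", TAMPERED)]:
        print(name, check_status(text))
```

The `UNPINNED` case is the one a plain "Good signature" check misses: the signature verifies, but under a key nobody confirmed.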
