In considering the use of Thymeleaf, my project has to be able to verify the GPG signatures on all the artifacts we use from Maven Central, which has no adequate security safeguards. I see the expected identity in the signing key used, but need to independently verify that key, so I was hoping the project might consider posting a PGP_KEYS file in the repository with the key(s) that may be encountered in verifying the artifacts produced.
That may be just Daniel Fernandez' key (839323A4780D5BF9A6978970152888E10EF880B3), or might be more extensive.
I have to chase down all the dependencies as well, but am starting with the top level.
Thanks for your attention!
It appears attoparser and unbescape are signed by the same person, so I'd include those projects in this request to avoid filing a duplicate issue but can if desired.
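The check the issue asks for, matching on a pinned fingerprint rather than on the identity string shown in the signature, as an added example that is not part of the original issue or of the Thymeleaf project. It parses the machine-readable output of `gpg --status-fd 1 --verify FILE.asc FILE`; the function names, the user ID and the three transcripts are constructed for illustration, and only the fingerprint comes from the issue.

```python
# Added example: accept a gpg status-fd transcript only when the signature
# was made by a key whose primary fingerprint is pinned (e.g. from a KEYS file).
PINNED = {"839323A4780D5BF9A6978970152888E10EF880B3"}  # fingerprint quoted in the issue
# Status keywords that must never appear alongside an accepted signature.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def normalize(fpr):
    return fpr.replace(" ", "").upper()

def signed_by_pinned_key(status_text, pinned=PINNED):
    """Return (ok, reason) for one `gpg --status-fd 1 --verify` transcript."""
    pinned = {normalize(f) for f in pinned}
    primaries = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False, f"gpg reported {keyword}"
        if keyword == "VALIDSIG" and args:
            # args[0] is the signing (sub)key fingerprint; the 10th argument,
            # when present, is the fingerprint of its primary key.
            primaries.append(normalize(args[9] if len(args) >= 10 else args[0]))
    if len(primaries) != 1:
        return False, f"expected exactly one VALIDSIG, saw {len(primaries)}"
    if primaries[0] not in pinned:
        return False, f"signed by unpinned key {primaries[0]}"
    return True, "signature made by pinned key"

# Constructed transcripts: same user ID everywhere, different keys.
UID = "Constructed Signer <signer@example.invalid>"

def transcript(fpr):
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} {UID}\n"
            f"[GNUPG:] VALIDSIG {fpr} 2024-01-01 1704067200 0 4 0 1 10 00 {fpr}\n")

GOOD = transcript("839323A4780D5BF9A6978970152888E10EF880B3")
LOOKALIKE = transcript("0123456789ABCDEF0123456789ABCDEF01234567")  # constructed key
TAMPERED = f"[GNUPG:] BADSIG 152888E10EF880B3 {UID}\n"

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("lookalike", LOOKALIKE), ("tampered", TAMPERED)):
        print(name, signed_by_pinned_key(text))
```

The lookalike transcript carries the same user ID and a cryptographically valid signature, and is rejected only because its fingerprint is not in the pinned set.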