We're evaluating the inclusion of a software artifact that depends on the javassist library and due to Maven Central's security issues, we have to obtain independent verification of the signing key(s) used to sign the artifacts there.
It appears the author's key is indeed used there, but we were hoping to be able to have the signing key(s) placed in the project's repository in a PGP_KEYS file or similar mechanism so we can verify/trust the key. This would benefit all users of your software, so hopefully this isn't too big an ask.
Thanks!
OK, so are you asking me to put my public key in this github repository, or on maven?
I'm a novice in this sort of verification.
It would be great if you could give me a bit more detailed instructions or pointers.
Thanks!
Sure, there are a lot of ways to do it, but the simplest is just to create a PGP_KEYS file in your project's git repository (much like the license, notice, etc.) that contains any of the keys people would find when verifying signatures in Maven Central or any other hosted source of a signed artifact.
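The workflow this comment describes, both halves of it, as an added example that is not part of the issue thread or of the javassist project: the maintainer exports the public key used for signing into a PGP_KEYS file, and a consumer verifies an artifact's detached .asc signature using only the keys in that file, in a throwaway keyring, so that nothing from the local keyring or a keyserver can satisfy the check. It assumes GnuPG 2.x is installed; the key name, e-mail, file names and the `.jar`/`.jar.asc` pair are constructed stand-ins for a real artifact downloaded from Maven Central (standard layout `https://repo1.maven.org/maven2/<group path>/<artifact>/<version>/<artifact>-<version>.jar` plus `.asc`).

```shell
#!/bin/sh
# Added example (not from the javassist project or the issue author).
# Assumes gpg (GnuPG 2.x) is on PATH. File names and identities are constructed.
set -u

# Maintainer side: export the signing key's public half into PGP_KEYS.
# Run in the maintainer's own GNUPGHOME. Usage: make_pgp_keys <key-id-or-uid> <out>
make_pgp_keys() {
    gpg --batch --armor --export "$1" > "$2"
}

# Consumer side: verify ARTIFACT against SIG using ONLY the keys in KEYS_FILE.
# A temporary GNUPGHOME means the user's keyring and any keyserver are out of
# the picture; the PGP_KEYS file from the project repository is the trust anchor.
# Prints OK or FAIL and returns 0 only on OK.
# Usage: verify_with_pgp_keys <artifact.jar> <artifact.jar.asc> <PGP_KEYS>
verify_with_pgp_keys() {
    artifact=$1; sig=$2; keys_file=$3
    tmp_home=$(mktemp -d) || return 1
    chmod 700 "$tmp_home"
    result=FAIL
    # VALIDSIG on the status fd is only emitted for a good signature from an
    # imported key; a BADSIG (tampered artifact) or NO_PUBKEY (unknown signer)
    # leaves result=FAIL.
    if GNUPGHOME="$tmp_home" gpg --batch --quiet --import "$keys_file" 2>/dev/null \
       && GNUPGHOME="$tmp_home" gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null \
            | grep -q '^\[GNUPG:\] VALIDSIG '; then
        result=OK
    fi
    GNUPGHOME="$tmp_home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp_home"
    echo "$result"
    [ "$result" = OK ]
}

# Self-contained demonstration with a throwaway signing key and a constructed
# artifact standing in for a jar and its .asc from Maven Central.
# Prints "genuine=OK tampered=FAIL".
demo() {
    work=$(mktemp -d)
    signer_home="$work/signer"; mkdir -p "$signer_home"; chmod 700 "$signer_home"
    printf 'constructed artifact bytes\n' > "$work/artifact.jar"

    # Maintainer: create a passphrase-less test key, produce an ASCII-armored
    # detached signature (what the Maven GPG plugin publishes as .asc), and
    # export the public key into PGP_KEYS.
    GNUPGHOME="$signer_home" gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-gen-key 'Example Maintainer <maintainer@example.invalid>' default default never 2>/dev/null
    GNUPGHOME="$signer_home" gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --armor --detach-sign --output "$work/artifact.jar.asc" "$work/artifact.jar"
    (export GNUPGHOME="$signer_home"; make_pgp_keys maintainer@example.invalid "$work/PGP_KEYS")

    # Consumer: the genuine artifact verifies; a tampered copy does not.
    good=$(verify_with_pgp_keys "$work/artifact.jar" "$work/artifact.jar.asc" "$work/PGP_KEYS") || true
    printf 'tampered\n' >> "$work/artifact.jar"
    bad=$(verify_with_pgp_keys "$work/artifact.jar" "$work/artifact.jar.asc" "$work/PGP_KEYS") || true

    GNUPGHOME="$signer_home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "genuine=$good tampered=$bad"
}
```

For a real artifact the consumer only runs `verify_with_pgp_keys` on the downloaded jar, its `.asc`, and the PGP_KEYS file checked out from the project's repository; the key fingerprint in the VALIDSIG line can additionally be compared against the fingerprint the maintainer lists beside the key in that file.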