Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Signing key is not published #75

Open
fabianfrz opened this issue Jun 17, 2021 · 3 comments
Open

Signing key is not published #75

fabianfrz opened this issue Jun 17, 2021 · 3 comments

Comments

@fabianfrz
Copy link

fabianfrz commented Jun 17, 2021
edited
Loading

The signing key for this project is not published on the GPG servers, which makes it impossible to verify the signatures of the jar files on maven central.

Can you please upload your public key to any public key servers or if not possible at least to the repository?

A call like this should retrieve your public key to verify the artifact:

https://pgp.mit.edu/pks/lookup?op=get&options=mr&search=0x1D0690E353BE126D
@UrielCh
Copy link
Contributor

UrielCh commented Jun 22, 2021

I have just published it using http://pgp.mit.edu/. I'm not shure that it works.

@fabianfrz
Copy link
Author

@UrielCh As soon as you publish it, the keyservers will sync each other and every client should be able to pull that key.
With that key, the sig file can be checked.

@fabianfrz
Copy link
Author

looks like the key is not yet there. the MIT one seems to be down, but it should be on Ubuntu as well:

https://keyserver.ubuntu.com/pks/lookup?search=0x1D0690E353BE126D&fingerprint=on&op=index

If you want to publish a key, it can be usually done directly from gpg tooling itself or you can post it in ASCII armoured format.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@fabianfrz @UrielCh