Add info about which signing keys will be used for published artifacts.
Looks like the signing key changed for the 20230618 release.
20230618 appears to be signed with this key: https://keyserver.ubuntu.com/pks/lookup?search=fb35c8d02b4724dada23de0afd116c1969fccff3&fingerprint=on&op=index
For security purposes, it would be great if you were able to publish details (in the project docs) about the gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.
This allows for "out of band" verification of the expected signing key.
Some examples of other libs publishing their signing keys:
https://square.github.io/okhttp/security/security/#verifying-artifacts
https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/KEYS.txt
https://downloads.apache.org/commons/KEYS
https://downloads.apache.org/logging/KEYS
Add info about which signing keys will be used for published artifacts.
Looks like the signing key changed for the 20230618 release.
20230618appears to be signed with this key: https://keyserver.ubuntu.com/pks/lookup?search=fb35c8d02b4724dada23de0afd116c1969fccff3&fingerprint=on&op=indexFor security purposes, it would be great if you were able to publish details (in the project docs) about the gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.
This allows for "out of band" verification of the expected signing key.
Some examples of other libs publishing their signing keys:
https://square.github.io/okhttp/security/security/#verifying-artifacts
https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/KEYS.txt
https://downloads.apache.org/commons/KEYS
https://downloads.apache.org/logging/KEYS