yes, my bad, thanks for correction https://github.com/s4u/pgpverify-maven-plugin
Features - check signature of artifacts during each build, not only during artifact download from the remote repository to local - possibility to map PGP key fingerprint to artifacts, so we can detect if correct key was used for making signature - possibility to check signature of maven plugins used during build - there is no external software need to install - plugin uses Bouncy Castle library to manage PGP operations - works on many operating system and JDK versions - confirmed by CI builds - Linux, Windows, Mac OS, JDK 8, 11, 14 On Sat, Jul 4, 2026 at 5:16 PM Piotr Żygieło <[email protected]> wrote: > > On Sat, 4 Jul 2026 at 16:23, Sylwester Lachiewicz <[email protected]> > wrote: > > > > To check we may use maven-gpg-plugin to check if gpg sign key was known to > > us before and plugin goes though all dependencies. > > I don't think maven-gpg-plugin can do that. > Did you mean org.simplify4u.plugins:pgpverify-maven-plugin? > > -- > Piotrek > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
