yes, my bad, thanks for correction

https://github.com/s4u/pgpverify-maven-plugin

Features
- check signature of artifacts during each build, not only during
artifact download from the remote repository to local
- possibility to map PGP key fingerprint to artifacts, so we can
detect if correct key was used for making signature
- possibility to check signature of maven plugins used during build
- there is no external software need to install - plugin uses Bouncy
Castle library to manage PGP operations
- works on many operating system and JDK versions - confirmed by CI
builds - Linux, Windows, Mac OS, JDK 8, 11, 14

On Sat, Jul 4, 2026 at 5:16 PM Piotr Żygieło <[email protected]> wrote:
>
> On Sat, 4 Jul 2026 at 16:23, Sylwester Lachiewicz <[email protected]> 
> wrote:
> >
> > To check we may use maven-gpg-plugin to check if gpg sign key was known to
> > us before and plugin goes though all dependencies.
>
> I don't think maven-gpg-plugin can do that.
> Did you mean org.simplify4u.plugins:pgpverify-maven-plugin?
>
> --
> Piotrek
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to