Some info was not pasted: what I used:

https://sequoia-pgp.org/

The `sq` and `sqv` are part of their suite.

The pgpainless is this https://gh.pgpainless.org/

The project provides java (kotlin) binaries on Central, and is based
on BouncyCastle.

T

On Sat, 4 Jul 2026 at 21:49, Tamás Cservenák <[email protected]> wrote:
>
> Howdy,
>
> Doing that should not be a problem, I was toying today with BC but
> could not get it to parse our KEYS file.
> In fact, any Java code (that is based/using BC) is making the same
> error. Here is sqv compared to pgpainless:
>
> "invalid armor"
>
> https://gist.github.com/cstamas/c7556c5f57f4dbd2a14756a1cc60b30e
>
> We may want to fix up (clean up) our KEYS files:
> https://gist.github.com/cstamas/72076d48aa9fcdbfa91dee11ce0e185e
>
> T
>
> On Sat, 4 Jul 2026 at 17:40, Sylwester Lachiewicz <[email protected]> 
> wrote:
> >
> > yes, my bad, thanks for correction
> >
> > https://github.com/s4u/pgpverify-maven-plugin
> >
> > Features
> > - check signature of artifacts during each build, not only during
> > artifact download from the remote repository to local
> > - possibility to map PGP key fingerprint to artifacts, so we can
> > detect if correct key was used for making signature
> > - possibility to check signature of maven plugins used during build
> > - there is no external software need to install - plugin uses Bouncy
> > Castle library to manage PGP operations
> > - works on many operating system and JDK versions - confirmed by CI
> > builds - Linux, Windows, Mac OS, JDK 8, 11, 14
> >
> > On Sat, Jul 4, 2026 at 5:16 PM Piotr Żygieło <[email protected]> 
> > wrote:
> > >
> > > On Sat, 4 Jul 2026 at 16:23, Sylwester Lachiewicz <[email protected]> 
> > > wrote:
> > > >
> > > > To check we may use maven-gpg-plugin to check if gpg sign key was known 
> > > > to
> > > > us before and plugin goes though all dependencies.
> > >
> > > I don't think maven-gpg-plugin can do that.
> > > Did you mean org.simplify4u.plugins:pgpverify-maven-plugin?
> > >
> > > --
> > > Piotrek
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [email protected]
> > > For additional commands, e-mail: [email protected]
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to