interesting: need to more details to understand each case For example, I don't understand what "invalid armor" means
on the SHA1 for some certificates, remember that by design, this file contains old certificates from 20 years ago then not really a problem if there are old certificates here, needed to check old signatures but for sure, must be rejected for a any new release On 2026/07/04 19:49:25 Tamás Cservenák wrote: > Howdy, > > Doing that should not be a problem, I was toying today with BC but > could not get it to parse our KEYS file. > In fact, any Java code (that is based/using BC) is making the same > error. Here is sqv compared to pgpainless: > > "invalid armor" > > https://gist.github.com/cstamas/c7556c5f57f4dbd2a14756a1cc60b30e > > We may want to fix up (clean up) our KEYS files: > https://gist.github.com/cstamas/72076d48aa9fcdbfa91dee11ce0e185e > > T > > On Sat, 4 Jul 2026 at 17:40, Sylwester Lachiewicz <[email protected]> > wrote: > > > > yes, my bad, thanks for correction > > > > https://github.com/s4u/pgpverify-maven-plugin > > > > Features > > - check signature of artifacts during each build, not only during > > artifact download from the remote repository to local > > - possibility to map PGP key fingerprint to artifacts, so we can > > detect if correct key was used for making signature > > - possibility to check signature of maven plugins used during build > > - there is no external software need to install - plugin uses Bouncy > > Castle library to manage PGP operations > > - works on many operating system and JDK versions - confirmed by CI > > builds - Linux, Windows, Mac OS, JDK 8, 11, 14 > > > > On Sat, Jul 4, 2026 at 5:16 PM Piotr Żygieło <[email protected]> > > wrote: > > > > > > On Sat, 4 Jul 2026 at 16:23, Sylwester Lachiewicz <[email protected]> > > > wrote: > > > > > > > > To check we may use maven-gpg-plugin to check if gpg sign key was known > > > > to > > > > us before and plugin goes though all dependencies. > > > > > > I don't think maven-gpg-plugin can do that. > > > Did you mean org.simplify4u.plugins:pgpverify-maven-plugin? > > > > > > -- > > > Piotrek > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: [email protected] > > > For additional commands, e-mail: [email protected] > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
