great, eager to see the update in our current KEYS file
= https://github.com/apache/maven-parent/blob/master/KEYS

and see the update later in svn:dist
so dist-tool is green again on this file
https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven-dist-tool/job/master/site/dist-tool-check-pgp-keys.html


final thought: in the (near?) future, this file will be managed by ATR
so no human edit any more that introduces formatting issues
(and no Git to svn process)

On 2026/07/05 10:20:55 Tamás Cservenák wrote:
> More on progress, I have a working example that using the artifact
> (from central), the asc file (from central) and KEYS from ASF Maven
> site verifies signature just fine:
> 
> ```
> signature verified.
> Tamas Cservenak <[email protected]>
> ```
> 
> The problem is that our KEYS file as is needs cleanup before being usable:
> * the test at its beginning must be filtered out
> * the encoding is totally off (is not ASCII nor UTF-8)
> 
> Once these cleanups are done, the file becomes usable.
> 
> T
> 
> On Sat, 4 Jul 2026 at 21:49, Tamás Cservenák <[email protected]> wrote:
> >
> > Howdy,
> >
> > Doing that should not be a problem, I was toying today with BC but
> > could not get it to parse our KEYS file.
> > In fact, any Java code (that is based/using BC) is making the same
> > error. Here is sqv compared to pgpainless:
> >
> > "invalid armor"
> >
> > https://gist.github.com/cstamas/c7556c5f57f4dbd2a14756a1cc60b30e
> >
> > We may want to fix up (clean up) our KEYS files:
> > https://gist.github.com/cstamas/72076d48aa9fcdbfa91dee11ce0e185e
> >
> > T
> >
> > On Sat, 4 Jul 2026 at 17:40, Sylwester Lachiewicz <[email protected]> 
> > wrote:
> > >
> > > yes, my bad, thanks for correction
> > >
> > > https://github.com/s4u/pgpverify-maven-plugin
> > >
> > > Features
> > > - check signature of artifacts during each build, not only during
> > > artifact download from the remote repository to local
> > > - possibility to map PGP key fingerprint to artifacts, so we can
> > > detect if correct key was used for making signature
> > > - possibility to check signature of maven plugins used during build
> > > - there is no external software need to install - plugin uses Bouncy
> > > Castle library to manage PGP operations
> > > - works on many operating system and JDK versions - confirmed by CI
> > > builds - Linux, Windows, Mac OS, JDK 8, 11, 14
> > >
> > > On Sat, Jul 4, 2026 at 5:16 PM Piotr Żygieło <[email protected]> 
> > > wrote:
> > > >
> > > > On Sat, 4 Jul 2026 at 16:23, Sylwester Lachiewicz 
> > > > <[email protected]> wrote:
> > > > >
> > > > > To check we may use maven-gpg-plugin to check if gpg sign key was 
> > > > > known to
> > > > > us before and plugin goes though all dependencies.
> > > >
> > > > I don't think maven-gpg-plugin can do that.
> > > > Did you mean org.simplify4u.plugins:pgpverify-maven-plugin?
> > > >
> > > > --
> > > > Piotrek
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: [email protected]
> > > > For additional commands, e-mail: [email protected]
> > > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [email protected]
> > > For additional commands, e-mail: [email protected]
> > >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to