kwin edited a comment on issue #2: SLING-8029 Retrieve gpg key automatically if it is missing in keyring
URL: https://github.com/apache/sling-tooling-release/pull/2#issuecomment-430990437

If I understand correctly, we should trust if the public keys are also listed in https://people.apache.org/keys/group/sling.asc, as that one contains the trusted list of public keys (as those require ASF credentials to add there). For more details see http://sling.apache.org/documentation/development/release-management.html#appendix-a-create-and-add-your-key-to-peopleapacheorg. Is it possible to validate against this list or directly import the public keys from there (as that is a trusted source)?
