gnodet commented on PR #214: URL: https://github.com/apache/maven-artifact-plugin/pull/214#issuecomment-4587812104
The key is already uploaded to public keyservers (both keys.openpgp.org and keyserver.ubuntu.com). The artifact `plexus-utils:4.0.3` was signed with my EdDSA subkey `0x0181A4828FA27B6BE6F1F5A68611CD28F472E006` (created 2024-07-19), which is a subkey of my primary key `0xEA23DB1360D9029481E7F2EFECDFEA3CB4493B94`. The trusted keys list for `org.codehaus.plexus` currently includes my other EdDSA subkey `0x073F7A9345756F3B40CDB99E6C70A3B7599C5736` (created 2022-12-12), but not the primary key `0xEA23DB1360D9029481E7F2EFECDFEA3CB4493B94` which is what the verification reports. The fix is to add `0xEA23DB1360D9029481E7F2EFECDFEA3CB4493B94` to the trusted keys for `org.codehaus.plexus` in the `pgp-keys-map.list`. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
