I'm adding JAR signature verification to the ant repository task. this is not how we can do security on the main repository, but something third parties may want. And it starts me off on learning about the relevant APIs.
Its been mentioned that Apache has a certficiate now. Can somebody post the public cert so I can see if it works with the Java security infrastructure? -steve