Document which signing keys will be used

The signing key for kotlin SDK 1.2.2 was different than SDK 1.2.1

Please document all the signing keys in use.

For security purposes, it would be great if you were able to publish details (in the project docs) about gpg public keys that are “valid” for use when verifying signing artifacts uploaded to maven central.

This allows for “out of band” verification of the expected signing key.

Some examples of other libs publishing their signing keys:

https://downloads.apache.org/commons/KEYS
https://downloads.apache.org/logging/KEYS

1 Like

I’ve created a JIRA ticket for this - Loading...

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.