Verification of signing keys used for published artifacts #11774
Unanswered
SemedyRabus
asked this question in
Q&A
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Is there any official documentation about which signing keys (and corresponding fingerprints) are expected to be used for signing Testcontainers Java artifacts?
I could not find this information on testcontainers.org or in the GitHub repository, but having an authoritative list of expected signing keys would make it much easier to verify the authenticity of released artifacts.
For reference, projects such as Apache Commons publish this information via a KEYS file:
https://downloads.apache.org/commons/KEYS
Would it be possible for Testcontainers to provide similar documentation for artifact verification?
Beta Was this translation helpful? Give feedback.
All reactions