Please document OpenPGP key used to sign Maven artifacts
I'm working on a project which imports artifacts from Maven Central, but verifies the signatures against known-good keys.
It looks to me as if the OpenPGP key used to sign Bouncy Castle artifacts changed in June 2023, with the 1.74 release.
We've been using Bouncy Castle artifacts prior to 1.74 verified against a grandfathered key:
pub dsa1024 2009-06-11 [SC]
08F0AAB4D0C1A4BDDE340765B341DDB020FCB6AB
uid [ unknown] The Legion of the Bouncy Castle (Maven Repository Artifact Signer) <[email protected]>
sig 3 B341DDB020FCB6AB 2009-06-11 [self-signature]
sub elg2048 2009-06-11 [E]
sig B341DDB020FCB6AB 2009-06-11 [self-signature]
From 1.74, it looks like a different key is being used:
pub rsa3072 2023-06-07 [SC] [expires: 2028-06-05]
7B121B76A7ED6CE6E60AD51784E913A8E3A748C0
uid [ unknown] The Legion of the Bouncy Castle Inc. (Maven Repository Artifact Signer) <[email protected]>
sig 3 84E913A8E3A748C0 2023-06-07 [self-signature]
I haven't been able to find anywhere in the Bouncy Castle project documentation that documents either of these. It would be most appreciated if this information could appear somewhere. In this repository would be one good alternative; alongside the link to Maven Central on the releases page would be another.
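An added example, not part of the original issue or of Bouncy Castle's own code: one way to pin the two fingerprints listed above by release version when checking the status output of `gpg --status-fd 1 --verify`. The function names, the policy of rejecting expired or revoked keys, and the sample status lines are assumptions constructed for illustration.

```python
import re

# Fingerprints copied from the key listings in this issue.
OLD_KEY = "08F0AAB4D0C1A4BDDE340765B341DDB020FCB6AB"  # dsa1024, releases before 1.74
NEW_KEY = "7B121B76A7ED6CE6E60AD51784E913A8E3A748C0"  # rsa3072, releases from 1.74
ROTATION = (1, 74)
# Status keywords this example's policy (an assumption) treats as failure.
# gpg can still emit VALIDSIG alongside EXPKEYSIG or REVKEYSIG, so VALIDSIG alone is not enough.
REJECT = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


def expected_fingerprint(version):
    """Pinned primary-key fingerprint for a release such as '1.73' or '1.78.1'."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:2])
    if len(parts) < 2:
        raise ValueError("unrecognised version: " + version)
    return NEW_KEY if parts >= ROTATION else OLD_KEY


def check_signature(version, status_output):
    """Return (ok, reason) for the text of `gpg --status-fd 1 --verify sig file`."""
    seen = {}
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "[GNUPG:]":
            seen.setdefault(fields[1], []).append(fields[2:])
    for keyword in REJECT:
        if keyword in seen:
            return False, keyword
    if len(seen.get("GOODSIG", [])) != 1 or len(seen.get("VALIDSIG", [])) != 1:
        return False, "expected exactly one good signature"
    args = seen["VALIDSIG"][0]
    # The tenth VALIDSIG field is the primary key; the first may be a signing subkey.
    primary = args[9] if len(args) >= 10 else args[0]
    if primary.upper() != expected_fingerprint(version):
        return False, "unexpected key " + primary
    return True, "ok"


def sample_status(fingerprint, verdict="GOODSIG"):
    """Constructed status lines in the shape gpg prints; not captured output."""
    return (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] {verdict} {fingerprint[-16:]} constructed-uid\n"
        f"[GNUPG:] VALIDSIG {fingerprint} 2023-06-08 1686182400 0 4 0 1 8 00 {fingerprint}\n"
    )


if __name__ == "__main__":
    print(check_signature("1.74", sample_status(NEW_KEY)))
    print(check_signature("1.74", sample_status(OLD_KEY)))
    print(check_signature("1.74", sample_status(NEW_KEY, "EXPKEYSIG")))
```

Pinning on the full fingerprint rather than the 16-character key ID is deliberate: the `GOODSIG` line only carries the long key ID, while `VALIDSIG` carries the fingerprint.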
I'll find somewhere better for it, but for now: