We are pleased to announce that the first version, 2020.08, of pgp-keys-map has been released.
Now we can verify the PGP signature of a downloaded artifact and check that the signature was made with the proper key for that artifact. This way we can be sure that we used the correct, unchanged artifact.
To use this map, configure your project to execute pgpverify-maven-plugin with pgp-keys-map.
One more benefit of using our tools is that artifact signatures are checked during each build, not only when an artifact is downloaded from the remote repository to the local one.
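A minimal `pom.xml` fragment for the configuration described above, added here as an illustration and not taken from the project's own documentation. The Maven coordinates, the `check` goal, the `keysMapLocation` parameter and the `/pgp-keys-map.list` resource name are assumptions to confirm against the project README, and `PLUGIN_VERSION` is a placeholder.

```xml
<build>
  <plugins>
    <plugin>
      <!-- Assumed coordinates of pgpverify-maven-plugin -->
      <groupId>org.simplify4u.plugins</groupId>
      <artifactId>pgpverify-maven-plugin</artifactId>
      <!-- Placeholder: pin an exact released plugin version here -->
      <version>PLUGIN_VERSION</version>
      <executions>
        <execution>
          <!-- Bind to an early phase so signatures are checked on every build,
               not only when an artifact is first downloaded -->
          <phase>validate</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- Assumed classpath resource provided by the pgp-keys-map dependency below;
             it maps each artifact to the key(s) allowed to sign it -->
        <keysMapLocation>/pgp-keys-map.list</keysMapLocation>
      </configuration>
      <dependencies>
        <dependency>
          <!-- Assumed coordinates of the keys map; version is the release announced here -->
          <groupId>org.simplify4u</groupId>
          <artifactId>pgp-keys-map</artifactId>
          <version>2020.08</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

Pinning both versions keeps the set of trusted keys fixed until the map is deliberately upgraded, so a change in the signing key of a dependency fails the build instead of passing silently.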
We need the help of other people (the more the better) to build a credible keys map, so your contribution is welcome.
Tags: maven central pgp verify signature security release-note