Publish a KEYS file for signature verification #2498
Closed
Description
Describe the issue
There are four required files for uploading to Maven Central: artifact, .sha1, .md5 and .asc.
E.g.:
- https://repo1.maven.org/maven2/org/postgresql/postgresql/42.3.4/postgresql-42.3.4.jar
- https://repo1.maven.org/maven2/org/postgresql/postgresql/42.3.4/postgresql-42.3.4.jar.asc
- https://repo1.maven.org/maven2/org/postgresql/postgresql/42.3.4/postgresql-42.3.4.jar.md5
- https://repo1.maven.org/maven2/org/postgresql/postgresql/42.3.4/postgresql-42.3.4.jar.sha1
Now, how do I verify the signature?
Maven and Mojohaus will provide a KEYS file for this very reason:
- https://downloads.apache.org/maven/KEYS
- http://mojohaus.org/KEYS
Driver Version?
Any
Java Version?
n/a
OS Version?
n/a
PostgreSQL Version?
any, n/a
To Reproduce
Download .jar and .jar.asc and try to verify it using GnuPG.
+ gpg --homedir $HOME/git/wlp_liberty/.gnupg --verify $HOME/git/wlp_liberty/build/linux-x64-base/wlp/usr/shared/resources/postgresql/postgresql-42.3.4/postgresql-42.3.4.jar.asc $HOME/git/wlp_liberty/build/linux-x64-base/wlp/usr/shared/resources/postgresql/postgresql-42.3.4/postgresql-42.3.4.jar
gpg: Signature made Fri Apr 15 20:01:21 2022 CEST
gpg: using RSA key 0x307A96FBA0292109
gpg: Can't check signature: No public key
+ echo '[ERROR] gpg: no public key or signature invalid for file $HOME/git/wlp_liberty/build/linux-x64-base/wlp/usr/shared/resources/postgresql/postgresql-42.3.4/postgresql-42.3.4.jar.'
[ERROR] gpg: no public key or signature invalid for file $HOME/git/wlp_liberty/build/linux-x64-base/wlp/usr/shared/resources/postgresql/postgresql-42.3.4/postgresql-42.3.4.jar.
+ exit 1
Clearly, I need to import the signing keys first. This is why such a KEYS file is handy.
Expected behaviour
PostgreSQL provides a KEYS file or other means (like a list of fingerprints) on their trusted domain (https://jdbc.postgresql.org/).
Logs
n/a
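Added example (not from this issue or the pgjdbc project) of how a build script like the one traced above can make the verification decision robustly: it reads GnuPG's machine-readable `--status-fd` output instead of the human-readable "Can't check signature" text, distinguishes "no public key" from "bad signature", and pins the expected fingerprint rather than trusting any key a KEYS file happens to contain. The fingerprint, signer name and status lines below are constructed placeholders, not real pgjdbc values.

```python
"""Policy check over GnuPG --status-fd output for a detached .asc signature."""
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder; in practice pin fingerprints published on the project's own domain.
PINNED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None

def evaluate_status(status_output: str, pinned: set) -> Verdict:
    """Decide from '[GNUPG:] ...' lines; order of checks matters (ERRSIG accompanies NO_PUBKEY)."""
    tags = {}
    for line in status_output.splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line.split()
            tags.setdefault(fields[1], fields[2:])
    if "NO_PUBKEY" in tags:
        return Verdict(False, f"signing key {tags['NO_PUBKEY'][0]} not in keyring; import the KEYS file")
    for bad in ("BADSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
        if bad in tags:
            return Verdict(False, f"{bad}: signature must not be trusted")
    if "VALIDSIG" not in tags:
        return Verdict(False, "no VALIDSIG line; gpg did not report a valid signature")
    # VALIDSIG: <signing fpr> <date> <ts> <expire> <ver> <rsv> <pkalgo> <hashalgo> <class> <primary fpr>
    signing_fpr, primary_fpr = tags["VALIDSIG"][0].upper(), tags["VALIDSIG"][-1].upper()
    if signing_fpr in pinned or primary_fpr in pinned:
        return Verdict(True, "valid signature from a pinned key", primary_fpr)
    return Verdict(False, f"valid signature, but key {primary_fpr} is not pinned", primary_fpr)

def gpg_verify(artifact: str, signature: str, keys_file: str, pinned: set) -> Verdict:
    """Import KEYS into a throwaway keyring, verify, and apply the pinning policy."""
    with tempfile.TemporaryDirectory() as home:
        base = ["gpg", "--batch", "--homedir", home]
        subprocess.run(base + ["--import", keys_file], check=True, capture_output=True)
        proc = subprocess.run(base + ["--status-fd", "1", "--verify", signature, artifact],
                              capture_output=True, text=True)
        return evaluate_status(proc.stdout, pinned)

# Constructed status output mirroring the failure in the issue (key id taken from the trace above).
SAMPLE_NO_PUBKEY = ("[GNUPG:] NEWSIG\n"
                    "[GNUPG:] ERRSIG 307A96FBA0292109 1 10 00 1650045681 9 -\n"
                    "[GNUPG:] NO_PUBKEY 307A96FBA0292109\n")
# Constructed status output for a good signature from the pinned (placeholder) key.
SAMPLE_VALID = ("[GNUPG:] NEWSIG\n"
                "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
                "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2022-04-15 1650045681 0 4 0 1 10 00 "
                "0123456789ABCDEF0123456789ABCDEF01234567\n")
```

Calling `gpg_verify("postgresql-42.3.4.jar", "postgresql-42.3.4.jar.asc", "KEYS", PINNED_FINGERPRINTS)` returns a `Verdict` whose `ok` field a build script can act on; a valid signature from an unpinned key is rejected, which is the check a KEYS file alone does not give you.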