This is a follow-up to issue gh-20182.

Could Spring please publish the public PGP keys used to create artifact signatures so that they are available via https download from an official Spring site?

That way users have a way to reliably verify the authenticity of downloaded artifacts.