Signing key location? #13815

henriquevcosta · 2025-05-05T04:43:03Z

henriquevcosta
May 5, 2025

I see that the .asc files being uploaded with releases match a public key with a UID "OpenTelemetry Java" (fpr 3F05 DDA9 F317 301E 9271 36D4 17A2 7CE7 A60F F5F0), but is there anything else validating that this key is really the right one?
I couldn't find documentation on the process to validate integrity and origin of the released binary, so I was just manually trying to import the key and running a gpg --verify.
Is there any better way?

laurit · 2025-05-05T07:21:24Z

laurit
May 5, 2025
Maintainer

but is there anything else validating that this key is really the right one?

as far as I can tell we don't publish the key fingerprint or any other details in this repository cc @trask

so I was just manually trying to import the key and running a gpg --verify.
Is there any better way?

I think using gpg --verify is the correct way. Since this is really about verifying maven signatures you could google something like maven verify signature and see whether anybody suggests something different.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Signing key location? #13815

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Signing key location? #13815

henriquevcosta May 5, 2025

Replies: 1 comment

laurit May 5, 2025 Maintainer

henriquevcosta
May 5, 2025

laurit
May 5, 2025
Maintainer