My project has an indirect build dependency on something that uses JDOM, and we do signature trust verification of all the artifacts used in our builds. We were hoping the committer(s) on this project might be willing to commit a KEYS file containing the PGP keys used to sign artifacts that end up in Maven Central as a means of verifying the keys are the right ones, as Central doesn't do any such checking.
It's a simple step, but has a lot of security benefit.
Thanks for your consideration.
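The consumer-side check this request enables, as an added example that is not part of the issue or of the JDOM project: a throwaway maintainer key, a constructed KEYS file and a stand-in artifact (all names and paths are assumptions), with verification done against KEYS alone, so that a valid-looking signature from any key not listed there is rejected.

```shell
#!/bin/sh
# Added example, not code from the JDOM project: a committed KEYS file is the
# trust anchor; a .asc on Maven Central only means something once it verifies
# against a key from that file, not against whatever key happens to be local.
set -eu
command -v gpg >/dev/null || { echo "gpg is required" >&2; exit 1; }

# Verify artifact $2 against detached signature $3 using ONLY keys in KEYS file $1.
# A fresh, empty GNUPGHOME guarantees no locally installed or keyserver-fetched
# key can satisfy the check. Exit status 0 means "signed by a key listed in KEYS".
verify_artifact() {
  home=$(mktemp -d)                        # isolated, empty keyring (mode 700)
  GNUPGHOME="$home" gpg --batch --quiet --import "$1" 2>/dev/null
  GNUPGHOME="$home" gpg --batch --verify "$3" "$2" 2>/dev/null
}

# --- constructed fixtures standing in for the maintainers, Central and a rogue uploader
maint=$(mktemp -d); rogue=$(mktemp -d); work=$(mktemp -d)
gen_key() {   # $1 = GNUPGHOME, $2 = name; unprotected key, for this demo only
  GNUPGHOME="$1" gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: $2
Name-Comment: constructed
Expire-Date: 0
%commit
EOF
}
gen_key "$maint" "Example Maintainer"
gen_key "$rogue" "Rogue Uploader"
printf 'jar bytes\n' > "$work/jdom.jar"                          # stand-in artifact
GNUPGHOME="$maint" gpg --batch --armor --export > "$work/KEYS"    # the file the issue asks for
GNUPGHOME="$maint" gpg --batch --yes --armor --detach-sign -o "$work/jdom.jar.asc" "$work/jdom.jar"
GNUPGHOME="$rogue" gpg --batch --yes --armor --detach-sign -o "$work/rogue.asc" "$work/jdom.jar"
printf 'tampered\n' > "$work/evil.jar"                           # modified artifact

# Genuine signature by a key listed in KEYS: accepted.
verify_artifact "$work/KEYS" "$work/jdom.jar" "$work/jdom.jar.asc" && echo "genuine: OK"
# Valid signature, but by a key absent from KEYS (what Central alone cannot catch): rejected.
verify_artifact "$work/KEYS" "$work/jdom.jar" "$work/rogue.asc" || echo "unlisted key: rejected"
# Modified artifact presented with the genuine signature: rejected.
verify_artifact "$work/KEYS" "$work/evil.jar" "$work/jdom.jar.asc" || echo "tampered: rejected"
```

Pinning the KEYS file at a reviewed commit (or checking it into the consuming repository) is what makes the first case mean something; fetching keys from a keyserver at verification time would only re-create the problem the issue describes.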