> can you describe the approach we need to follow in such a case?

There are different views on the matter.

There is a view that dependencies should be verified on CI servers only (see https://github.com/ben-manes/caffeine/pull/342#issuecomment-536228799 ). For instance, we could configure the build in such a way that it validates checksums only if it is explicitly configured.

Nevertheless:

1) I suggest asking library vendors to publish PGP keys. I have already created a couple of issues, and I tend to copy-paste the same request with slight variations. See
https://gitlab.ow2.org/asm/asm/issues/317884
https://github.com/raphw/byte-buddy/issues/721
https://github.com/spring-projects/spring-framework/issues/23434#issuecomment-523882229
https://github.com/junit-team/junit5/issues/2020
https://github.com/hamcrest/JavaHamcrest/issues/274
https://github.com/jacoco/jacoco/issues/937
https://github.com/GPars/GPars/issues/62
https://youtrack.jetbrains.com/issue/KT-33781
and so on. Some of them are already implemented (e.g. JUnit).

2) Sometimes committers sign their commits/tags, and if you treat GitHub as an authoritative source code repository, then it can happen that the commit signing key matches the release key. See https://github.com/dnsjava/dnsjava/releases . The release tag is signed with 3449EC3AC2EFE8AA, which is the same key you mention.

3) As you said, keybase.io might help to associate different logins/domains with a PGP key id. Keybase identity claims are cryptographically verified, so if Keybase shows "the person owns GitHub login and Twitter login", then it means they can indeed post a comment. It might happen that you know a library author by their Twitter handle; however, Twitter does not allow publishing a "PGP key". Keybase might help to relate those ids.

However, it is not clear how to document the result of those investigations. For instance, JUnit5 has added a link to the KEYS file. The link is placed at the official site (search https://junit.org/junit5/ for KEYS), and it points to a GitHub HTML (!) page. Frankly speaking, I would prefer a plain-text URL for KEYS.

I've no idea where we could / should document the analysis of "here's a trace/link for verification of the key in question". We could create a side file (or a wiki page) to document "dependency -- website -- keys link". I'm open to suggestions here. You might have seen there's a META files initiative; however, it is ASF-specific.

Vladimir
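As an added example (not code from the thread or from any project named in it): a Python checker that reads a detached .asc signature as published next to a Maven artifact, pulls the issuer key id out of its OpenPGP signature packet, and compares it with a pinned "dependency -> key id" table, i.e. the side file discussed above. The table layout, the function names and the constructed sample signature are assumptions of this example; the issuer check is a pin only, because the unhashed Issuer subpacket is not covered by the signature, so `gpg --verify` against the vendor's published KEYS file remains the real verification.

```python
import base64

EXPECTED_KEY_IDS = {"dnsjava:dnsjava": "3449EC3AC2EFE8AA"}  # the "dependency -> key id" side file; id from thread, layout assumed

def crc24(data: bytes) -> int:  # RFC 4880 section 6.1; the value carried on the armor's "=" line
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(asc_text: str) -> bytes:
    """Strip the ASCII armor of a detached .asc file, checking its CRC-24 line when present."""
    lines = [l.strip() for l in asc_text.strip().splitlines()[1:-1] if l.strip() and ":" not in l]
    crc_line = lines.pop() if lines[-1].startswith("=") else None
    raw = base64.b64decode("".join(lines))
    if crc_line and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(raw):
        raise ValueError("armor CRC-24 mismatch")
    return raw

def signature_body(pkt: bytes) -> bytes:  # old-format packet header (RFC 4880 4.2.1), as gpg emits
    tag, n = (pkt[0] >> 2) & 0x0F, 1 << (pkt[0] & 3)   # tag in bits 2-5; length takes 1, 2 or 4 octets
    if pkt[0] & 0x40 or tag != 2: raise ValueError("expected an old-format signature packet")
    return pkt[1 + n:1 + n + int.from_bytes(pkt[1:1 + n], "big")]

def issuer_key_id(body: bytes) -> str:
    """Key id from the Issuer (16) or Issuer Fingerprint (33) subpacket of a v4 signature."""
    if body[0] != 4: raise ValueError("only v4 signatures are handled")
    pos = 4                                            # skip version, sig type, pk algo, hash algo
    for _ in range(2):                                 # hashed subpacket area, then unhashed area
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        while pos < end:
            length, pos = body[pos], pos + 1
            if length == 255: raise ValueError("5-octet subpacket length not handled")
            if length >= 192: length, pos = ((length - 192) << 8) + body[pos] + 192, pos + 1
            sub_type, data, pos = body[pos] & 0x7F, body[pos + 1:pos + length], pos + length
            if sub_type == 16: return data.hex().upper()
            if sub_type == 33 and data[0] == 4: return data[-8:].hex().upper()  # low 64 bits of fpr
    raise ValueError("no issuer subpacket")

def issuer_matches(dependency: str, asc_text: str) -> bool:  # pin check only; gpg --verify does the math
    return issuer_key_id(signature_body(dearmor(asc_text))) == EXPECTED_KEY_IDS[dependency]

def constructed_asc(key_id_hex: str) -> str:  # constructed test data: well-formed, but no real signature
    sub = bytes([9, 16]) + bytes.fromhex(key_id_hex)   # Issuer subpacket: length 9, type 16, key id
    body = bytes([4, 0, 22, 8, 0, 0]) + len(sub).to_bytes(2, "big") + sub + b"\xab\xcd\x00\x01\x01"  # hdr, unhashed area, hash bits, MPI
    pkt = bytes([0x88, len(body)]) + body              # old-format header: tag 2, one-octet length
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n" + base64.b64encode(pkt).decode()
            + "\n=" + base64.b64encode(crc24(pkt).to_bytes(3, "big")).decode() + "\n-----END PGP SIGNATURE-----\n")
```

Feeding a real artifact's .asc to `issuer_matches` before running `gpg --verify` catches the case where a signature is valid but made by a key nobody has documented for that dependency.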
