The latest release of jackson artifact is signed by pgp key which is strange for me, because doesn't have uid in key.
https://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0x8A10792983023D5D14C93B488D7F1BEC1E2ECAE7 Please confirm that this key belong to someone how has privilege to release new version of project It is difficult to verify signature, eg: gpg --recv-keys 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7 gpg: key 8D7F1BEC1E2ECAE7: no user ID gpg: Total number processed: 1 gpg --verify ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.2/jackson-databind-2.11.2.jar.asc gpg: assuming signed data in '...m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.2/jackson-databind-2.11.2.jar' gpg: Signature made Sun Aug 2 20:36:50 2020 CEST gpg: using RSA key 8A10792983023D5D14C93B488D7F1BEC1E2ECAE7 gpg: Can't check signature: No public key *************************************** Another case: jackson-databind-2.11.0.jar - has bad signature ... it can looks like someone change content of jackson-databind-2.11.0.jar gpg --verify ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar.asc gpg: assuming signed data in '..m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar' gpg: Signature made Sun Apr 26 02:16:05 2020 CEST gpg: using RSA key 6214760097DC5CFAD0175AC2C9FBAA83A8753994 gpg: BAD signature from "Tatu Saloranta (cowtowncoder) <[email protected]>" [expired] -- You received this message because you are subscribed to the Google Groups "jackson-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-dev/235c792d-227f-41f8-82cd-7a6d7b713418n%40googlegroups.com.
