Hello there,

The documentation provides digital signatures to verify the integrity of downloads, e.g.: https://activemq.apache.org/components/classic/download/. I am wondering if you provide any way to establish that the public key fingerprint of the signer does in fact belong to the person under that identity. Running gpg --verify on the example:

"gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner."
I found people.apache.org, which has public keys uploaded for some level of confidence, but on that link for apache-activemq-5.17.3-bin.tar.gz, the signer's (jbonofre) public key is not on people.apache.org. Thanks!
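One way to close the gap the question describes, as an added example that is not part of the original message or of the ActiveMQ project: pin the signer's fingerprint (obtained out of band) and compare it with the VALIDSIG line in gpg's status output, since `gpg --verify` exits 0 even when it prints the "not certified" warning. The Apache KEYS file location in the comments is assumed, and the fingerprint used is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the original message or the ActiveMQ project.
# `gpg --verify` exits 0 even when it warns "This key is not certified with a
# trusted signature", so checking the exit code alone cannot distinguish the
# release manager's key from any other key that produced a valid signature.
# The check below pins the expected fingerprint and looks for it in the
# "[GNUPG:] VALIDSIG <fingerprint> ..." line that --status-fd emits.

# verify_pinned_sig STATUS_FILE FINGERPRINT
# Succeeds only if a VALIDSIG line in STATUS_FILE carries exactly FINGERPRINT.
verify_pinned_sig() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3 }' "$1" \
        | grep -qx "$2"
}

# Constructed sample of gpg --status-fd output. The 40-hex-digit fingerprint
# is a placeholder, not the real key of any Apache release manager.
SAMPLE_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
sample_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>' \
        "[GNUPG:] VALIDSIG $SAMPLE_FPR 2023-01-01 1672531200 0 4 0 1 10 01 $SAMPLE_FPR" \
        '[GNUPG:] TRUST_UNDEFINED 0 pgp'
}

# Real use (needs network; the KEYS path follows the usual Apache download
# layout and is an assumption, as is the PINNED_FPR you obtain out of band):
#   curl -fsSLO https://downloads.apache.org/activemq/KEYS
#   gpg --import KEYS
#   gpg --status-fd 1 --verify apache-activemq-5.17.3-bin.tar.gz.asc \
#       apache-activemq-5.17.3-bin.tar.gz >gpg.status 2>/dev/null
#   verify_pinned_sig gpg.status "$PINNED_FPR" || { echo "signer mismatch"; exit 1; }

main() {
    tmp=$(mktemp)
    sample_status >"$tmp"
    if verify_pinned_sig "$tmp" "$SAMPLE_FPR"; then
        echo "pinned signer OK"
    fi
    if ! verify_pinned_sig "$tmp" "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"; then
        echo "unexpected signer rejected"
    fi
    rm -f "$tmp"
}

main "$@"
```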