A lot of things are moving in Maven's world. In this BoF, we welcome everybody involved with Maven to join the discussion. It doesn't matter whether you're a user, a contributor or a committer: just join us.
Did you ever use PGP to sign libraries published to Maven Central? Did you try to check PGP signatures when downloading dependencies, to make sure you are not affected by a Software Supply Chain issue?
Managing the required PGP keys is usually not the best experience developers have…
That's why the sigstore project was introduced recently, promising easy keyless signatures. It started with Docker image signatures, but a lot of effort is being put into extending its usage to every package registry, including Maven Central.
Let’s see how sigstore works and how it is expected to improve not only the signing experience, but also the verification process of artifacts at Maven Central.