PGP vs sigstore: the match at Maven Central
Conference (BEGINNER level)
Room 3
Score 0.59
Score 0.66
Score 0.67
Score 0.68
The match becomes increasingly accurate as the similarity score approaches zero.

Did you ever use PGP to sign libraries published to Maven Central? Did you try to check PGP signatures when downloading dependencies, to make sure you are not affected by a Software Supply Chain issue?

Required PGP keys management is usually not the best experience developers have…

That’s why the sigstore project was introduced recently, promising easy keyless signatures. It started with Docker images signatures, but a lot of effort is put to extend its usage to every package registry, including Maven Central.

Let’s see how sigstore works and how it is expected to improve not only the signing experience, but also the verification process of artifacts at Maven Central.

Hervé Boutemy

Maven Committer since 2007 and PMC member, Apache Software Foundation member since 2011.

I worked on each and every parts of Maven code too improve user experience.