Add info about which signing keys will be used for published artifacts

[yogurtearl]

Add info about which signing keys will be used for published artifacts.

For security purposes, it would be great if you were able to publish details (in the project docs) about gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.

This allows for "out of band" verification of the expected signing key.

Some examples of other libs publishing their signing keys:

https://square.github.io/okhttp/security/security/#verifying-artifacts

https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/KEYS.txt
https://downloads.apache.org/commons/KEYS
https://downloads.apache.org/logging/KEYS

[gotson]

Up to @xerial since his key is being used in CI.

[xerial]

I think this key (fingerprint) has been used for releasing sqlite-jdbc:

Taro L. Saito (For GitHub Actions) <[email protected]> C1CB A75E C9BD 0BAF 8061  9354 59E0 5CE6 1818 7ED4

[gotson]

@yogurtearl did you test the manual verification with the above key ?

[yogurtearl]

yep, that is the key that is being used to sign the latest binaries, would be helpful to put it in the docs, on the website or in the README.

[gotson]

yep, that is the key that is being used to sign the latest binaries, would be helpful to put it in the docs, on the website or in the README.

we would accept a PR in the readme, as we don't have a website.

[prubel]

I ran into the same problem and just added #1076 with an update for the key.

[github-actions]

🎉 This issue has been resolved in 3.45.2.0 (Release Notes)