Add info about which gpg signing keys will be used for published artifacts.

### Add info about which gpg signing keys will be used for published artifacts. 

For security purposes, it would be great if you were able to publish details (in the project docs) about gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.

This allows for "out of band" verification of the expected signing key. 

Some examples of other libs publishing their signing keys:

https://square.github.io/okhttp/security/security/#verifying-artifacts
https://docs.couchbase.com/java-sdk/current/project-docs/sdk-release-notes.html#verifying-artifacts

https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/KEYS.txt
https://downloads.apache.org/commons/KEYS
https://downloads.apache.org/logging/KEYS
https://github.com/google/j2objc/blob/e9aa1bfcdc6ce4bad32f7263618892ca44b9cc1b/README.md#artifact-signatures
https://github.com/pgjdbc/pgjdbc/blob/13433a65fb44a07658a1c26174b88a5fa0fd4952/KEYS

https://github.com/cbeust/jcommander/blob/4b97c3440347bedb79e374408b8f123cf0ff4fd4/SECURITY.md#gpg-signature-validation

These keys can be used with [Gradle "Dependency verification" ](https://docs.gradle.org/current/userguide/dependency_verification.html)

See example of real world usage here: 
- https://github.com/androidx/androidx/blob/androidx-main/gradle/verification-keyring.keys
- https://github.com/androidx/androidx/blob/androidx-main/gradle/verification-metadata.xml


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add info about which gpg signing keys will be used for published artifacts. #7689