[slf4j-user] Signatures for verifying Slf4j

Joakim Erdfelt joakim.erdfelt at gmail.com
Thu Jul 8 17:27:46 CEST 2021


In light of all of the effort to mitigate and/or track supply chain
vulnerabilities, and the fact that you are currently using pgp, perhaps you
should also sign your git commits?

git config --global user.signingKey <your-long-form-gpg-key>
git config --global commit.gpgSign true

https://docs.github.com/en/github/authenticating-to-github/managing-commit-signature-verification/signing-commits


- Joakim

On Thu, Jul 8, 2021 at 7:42 AM Ceki <ceki at qos.ch> wrote:

>
> Hi Elisha,
>
>
> All SLF4J artifacts published on Maven central are signed. For each
> artifact, there is an associated signature file with the
> ".asc" suffix.
>
> To verify the signature use the key found at
>
> www.slf4j.org/public-keys/ceki-public-key.pgp. It has the
> following fingerprint:
>
> pub   2048R/A511E325 2012-04-26
> Key fingerprint = 475F 3B8E 59E6 E63A A780  6748 2C7B 12F2 A511 E325
> uid   Ceki Gulcu <ceki at qos.ch>
> sub   2048R/7FBFA159 2012-04-26
>
> See gnupg documentation on how to verify signatures.
>
> Best regards,
>
> --
> Ceki Gülcü
>
> On 07.05.2010 09:26, Elisha Ebenezer wrote:
> > Hi Ceki,
> > I'm trying to push to use Slf4j and logback in our project and my
> > company wants me to get the MD5 or SHA1 hashes or the code-signing certs
> > to verify the integrity of downloaded files.
> >
> > Though the repo1.maven.org site provides the
> > hashes, we are not sure whether the war and the hash are uploaded by
> > a genuine party or not.
> >
> > As you are the owner of the project, I request you to kindly publish the
> > hashes or certs on the website's download page, which can be cross-checked
> > with the downloaded war and/or also with the maven repository.
> >
> > Kindly do the needful and oblige.
> >
> > Thanks,
> > Elisha Ebenezer.
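
Added example (not part of the thread and not SLF4J project code): a plain "gpg --verify" succeeds for any key in the local keyring, so this sketch also pins the signer to the fingerprint quoted in Ceki's message by reading GnuPG's machine-readable status output. The function names and the sample status lines are constructed for illustration; it assumes the public key was already imported with "gpg --import" and that VALIDSIG has the field layout documented in GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Fingerprint quoted in the message above, with the spaces removed.
PINNED_FPR="475F3B8E59E6E63AA78067482C7B12F2A511E325"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if there is exactly
# one valid signature, no bad/unchecked/revoked-key record, and the signature
# traces back to the pinned primary key.
signed_by_pinned_key() {
    awk -v want="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint, field 12 the
        # primary key fingerprint; fall back to field 3 if the latter is absent.
        # toupper() returns a string, so the comparison below is never numeric.
        $2 == "VALIDSIG" { n++; fpr = toupper((NF >= 12) ? $12 : $3) }
        END { exit !(n == 1 && !bad && fpr == want) }
    '
}

# verify_artifact <file> <file.asc>
# Status records go to stdout (fd 1); gpg's human-readable text is discarded.
verify_artifact() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | signed_by_pinned_key
}

# Constructed status output for a dry run (not captured from a real gpg
# invocation); $1 is the fingerprint to place in the VALIDSIG record.
sample_status() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] VALIDSIG $1 2021-07-08 1625750866 0 4 0 1 8 00 $1" \
        "[GNUPG:] TRUST_UNDEFINED 0 pgp"
}
```

Typical use is "verify_artifact some-artifact.jar some-artifact.jar.asc && echo OK", where the file names are placeholders for the downloaded artifact and its ".asc" file.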