
New release key not mentioned in release notes? #1422

Open
dsvensson opened this issue Jan 14, 2025 · 4 comments
Labels
auto-triage-skip discussion question M-T: User needs support to use the project

Comments

@dsvensson

When migrating from 1.45.0 to 1.45.1, the release key changed without this being mentioned in the release notes. Is this expected?

    - On artifact slack-api-client-1.45.1.pom (com.slack.api:slack-api-client:1.45.1) in repository 'MavenRepo': 
      Artifact was signed with key '8E05CCB0D18336A9' but it wasn't found in any key server so it couldn't be verified
    - On artifact slack-api-client-kotlin-extension-1.45.1.pom (com.slack.api:slack-api-client-kotlin-extension:1.45.1) in repository 'MavenRepo':
      Artifact was signed with key '8E05CCB0D18336A9' but it wasn't found in any key server so it couldn't be verified
    - On artifact slack-api-model-1.45.1.pom (com.slack.api:slack-api-model:1.45.1) in repository 'MavenRepo': 
      Artifact was signed with key '8E05CCB0D18336A9' but it wasn't found in any key server so it couldn't be verified
    - On artifact slack-api-model-kotlin-extension-1.45.1.pom (com.slack.api:slack-api-model-kotlin-extension:1.45.1) in repository 'MavenRepo': 
      Artifact was signed with key '8E05CCB0D18336A9' but it wasn't found in any key server so it couldn't be verified
    - On artifact slack-sdk-parent-1.45.1.pom (com.slack.api:slack-sdk-parent:1.45.1) in repository 'MavenRepo': 
      Artifact was signed with key '8E05CCB0D18336A9' but it wasn't found in any key server so it couldn't be verified

(I'm saving keys locally, thus the comment about not found on key server)

@seratch seratch added question M-T: User needs support to use the project and removed untriaged labels Jan 14, 2025
@seratch
Member

seratch commented Jan 14, 2025

Hi @dsvensson, thanks for asking the question. Indeed, I used a different GPG key to publish the artifacts to oss.sonatype.org / Maven Central repo, but the key was published at least to keyserver.ubuntu.com. Also, the Maven Central repo successfully accepted the signed artifacts. This means there should not be any issues for artifact users. You can read https://central.sonatype.org/publish/requirements/gpg/ for more details on the publishing operations.

I am not sure what the desired state for you is, but I just published the same key to keys.openpgp.org and pgp.mit.edu as well. Hope this makes things better for you.

@dsvensson
Author

dsvensson commented Jan 14, 2025

My desired state would be for the release key to be documented in the release notes when it changes, as with other projects, and for it to be stable with a reasonable key rotation cycle; other projects change perhaps yearly, or every other year or so. The purpose of the signing is to establish trust as best as possible, and having clear communication inches one step closer to the unreachable full trust.

@seratch
Member

seratch commented Jan 14, 2025

Thanks for your quick reply. I understand your point. We will consider including the information in future release announcements.

@dsvensson
Author

dsvensson commented Jan 14, 2025

It would also be very valuable if the previous release key signed the new release key (and vice versa) so there would be a bridging of trust of the keys on rotation.
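The cross-signing check dsvensson describes, as an added example that is not code from this thread or from the Slack SDK project: it parses `gpg --check-sigs --with-colons` output and reports a rotation as bridged only when each key carries a verified certification from the other. The new key ID is the one from the Gradle output above; the old key ID and the sample listing are constructed placeholders, not Slack's real previous key.

```python
"""Verify that a rotated release key is bridged by the previous one:
old key certifies new key and new key certifies old key, with both
certifications actually verified by gpg (not merely claimed)."""
import subprocess
from typing import Dict, Set

# Signature classes 10-13 are user-ID certifications; 18/1F/30 are
# subkey bindings, direct-key sigs and revocations, which do not count.
CERT_CLASSES = {"10", "11", "12", "13"}


def gpg_listing(*keyids: str) -> str:
    # --check-sigs verifies every certification, so field 2 of each sig
    # record is '!' for good; --list-sigs would only print the claimed signer.
    cmd = ["gpg", "--batch", "--with-colons", "--check-sigs", *keyids]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def good_certifiers(listing: str) -> Dict[str, Set[str]]:
    """Map each primary key ID to the IDs whose certification on it verified."""
    certs: Dict[str, Set[str]] = {}
    current = None  # primary key the following sig records belong to
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            current = f[4].upper()
            certs.setdefault(current, set())
        elif f[0] == "sig" and current is not None and len(f) > 10:
            signer, validity, sig_class = f[4].upper(), f[1], f[10][:2]
            # '!' good, '-' bad, '?' signer key missing, '%' other error
            if validity == "!" and sig_class in CERT_CLASSES and signer != current:
                certs[current].add(signer)
    return certs


def is_bridged(listing: str, old_key: str, new_key: str) -> bool:
    certs = good_certifiers(listing)
    old, new = old_key.upper(), new_key.upper()
    return old in certs.get(new, set()) and new in certs.get(old, set())


# Constructed sample listing (not real gpg output). NEW_KEY is the ID from the
# thread; OLD_KEY is a placeholder. The new->old certification is '?' here,
# i.e. gpg could not verify it because the signer's key is not in the keyring.
NEW_KEY = "8E05CCB0D18336A9"
OLD_KEY = "0123456789ABCDEF"  # placeholder, not the project's previous key
SAMPLE = f"""\
pub:-:4096:1:{NEW_KEY}:1736800000:::-:::scESC::::::23::0:
uid:-::::1736800000::DEADBEEF::Release Key <release@example.com>::::::::::0:
sig:!::1:{NEW_KEY}:1736800000::::Release Key <release@example.com>:13x:::::2:
sig:!::1:{OLD_KEY}:1736800100::::Old Key <release@example.com>:10x:::::2:
pub:-:4096:1:{OLD_KEY}:1700000000:::-:::scESC::::::23::0:
uid:-::::1700000000::CAFEBABE::Old Key <release@example.com>::::::::::0:
sig:!::1:{OLD_KEY}:1700000000::::Old Key <release@example.com>:13x:::::2:
sig:?::1:{NEW_KEY}:1736800200::::[User ID not found]:10x:::::2:
"""
```

Against a real keyring, pass `gpg_listing(OLD_KEY, NEW_KEY)` to `is_bridged`; a one-directional certification, or one whose signer key is not yet imported, is reported as not bridged.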
