Please distribute updated key A1AE06236CA2BA62 used to sign Maven Central artifacts · diffplug/spotless · Discussion #2464

Thanks for spotting this!
The A1AE 0623 6CA2 BA62 key you’re seeing was intentionally retired.
We’ve moved all future Spotless releases to a brand-new signing key:

Primary fingerprint : 2729 4482 F2D2 F9A3 18CA 041B 1AAA A7AB 3729 3D3E
Signing sub-key ID  : 4272 C851
Created             : 2025-05-27
Expires             : 2030-05-26

You can grab it in any of three ways:

1. Key server

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 1AAAA7AB37293D3E

2. keys.openpgp.org (same fingerprint)

gpg --keyserver hkps://keys.openpgp.org --recv-keys 1AAAA7AB37293D3E

3. Direct file in the repo

curl -sSL \
  https://raw.githubusercontent.com/diffplug/spotless/main/gradle/pgp-publickey-2025.asc \
  | gpg --import -

Which releases use which key?

| Version range | Key ID in .asc | Note |
|---|---|---|
| ≤ plugin-gradle 7.0.3, plugin-maven 2.44.4, lib 3.1.1 | A1AE 0623 6CA2 BA62 | Key expired 2025-01-11; signatures still verify but show an “expired” warning. |
| after that | 4272 C851 (new sub-key) | Active and non-expired. |

How to verify the new release
We won’t extend or redistribute the old key, so please refresh your keyring or import the new one via the commands above. Let me know if you hit any problems.


3 replies

@pzygielo

I've imported 27294482F2D2F9A318CA041B1AAAA7AB37293D3E successfully.

> The A1AE 0623 6CA2 BA62 key you’re seeing was intentionally retired.

Understandable. I was not complaining about the key being expired, but about the key being used (to sign) AFTER it expired, which suggests to me that, at the place where it is used, its expiration date might have been updated.

> We won’t extend or redistribute the old key

Thus the signature for com/diffplug/spotless/spotless-maven-plugin/2.44.4/spotless-maven-plugin-2.44.4.jar is still (for me) questionable.

Waiting for a new release then, and for the new key to be used.

Thank you.

@nedtwigg

Just published a set of new releases with the new key.

@pzygielo

> Just published a set of new releases with the new key.

Perfect! 🎉

I confirm all is fine on my side.

Thanks!
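
Added example, not part of the discussion and not Spotless project code: a shell function that classifies `gpg --status-fd` output against the pinned primary fingerprint from the first post, and flags the case raised in the reply, a signature dated after the key's expiry. The function name, verdict strings and sample status lines are assumptions made for illustration; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not Spotless project code). Classifies the status lines of:
#   gpg --status-fd 1 --verify artifact.jar.asc artifact.jar 2>/dev/null
# Assumes a single signature per .asc file.

# Primary fingerprint of the new key, as given in the first post.
PINNED_FPR=27294482F2D2F9A318CA041B1AAAA7AB37293D3E

# classify_status PINNED_FPR [KEY_EXPIRY_EPOCH]   (hypothetical helper)
# Reads status lines on stdin, prints one verdict, returns 0 only for "ok".
classify_status() {
    awk -v pin="$1" -v keyexp="${2:-0}" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "EXPKEYSIG" { expired = 1 }  # good signature, key expired by now
        $2 == "REVKEYSIG" { revoked = 1 }
        $2 == "VALIDSIG" {
            valid = 1
            sigts = $5   # signature creation time (epoch seconds)
            # $12 is the primary key fingerprint; $3 is the key (often a
            # sub-key) that made the signature.
            primary = ($12 != "" ? $12 : $3)
        }
        END {
            late = (keyexp > 0 && sigts ~ /^[0-9]+$/ && sigts + 0 > keyexp + 0)
            if (bad || !valid) v = "bad"
            else if (toupper(primary) != toupper(pin)) v = "wrong-key"
            else if (revoked) v = "revoked"
            else if (late) v = "signed-after-expiry"
            else if (expired) v = "expired-key"
            else v = "ok"
            print v
            exit (v == "ok" ? 0 : 1)
        }'
}

# Constructed samples: sub-key fingerprint, user ID and timestamps are made up.
sample_new_key() {
    cat <<EOF
[GNUPG:] GOODSIG 0000000000000001 Constructed Signer
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2025-06-01 1748736000 0 4 0 1 10 00 $PINNED_FPR
EOF
}
sample_late_sig() {  # signature dated after the (constructed) key expiry
    cat <<EOF
[GNUPG:] EXPKEYSIG 1111111111111111 Constructed Signer
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2025-02-19 1740000000 0 4 0 1 10 00 1111111111111111111111111111111111111111
EOF
}
```

The optional second argument is the key's expiry as epoch seconds, which `gpg --with-colons --list-keys` reports in field 7 of the `pub` record.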