PGP signature invalid

[ilatypov]

$ mvn org.simplify4u.plugins:pgpverify-maven-plugin:check
[...]
[ERROR] org.springframework.data:spring-data-jpa:pom:2.7.1 PGP Signature INVALID
       KeyId: 0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1 UserIds: [Mark Paluch <[email protected]>]
[...]
[ERROR] org.springframework.data:spring-data-commons:pom:2.7.1 PGP Signature INVALID
       KeyId: 0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1 UserIds: [Mark Paluch <[email protected]>]

in WebGoat/WebGoat@8db9ff3

[mp911de]

If you would like us to spend some time helping you to diagnose the problem, please spend some time describing it and, ideally, providing what you expect.

[ilatypov]

Perhaps, an unexpected "sub" key was used automatically when signing.

If you've already distributed your public key, it's better to revoke the sub signing key instead of deleting it, although either way you can make your primary key as the signing key. To revoke a sub key, use the revkey command instead of delkey.

https://central.sonatype.org/publish/requirements/gpg/#delete-a-sub-key

On the other hand, this was a recommendation to a scenario where the developer is still playing with their signatures before publishing the artifact. Since the artifact and its signature are already published, I wonder if it makes sense to somehow make the public part of that other signing key (the "sub" key, perhaps) registered with the PGP servers?

Now I realize that my own idea is futile because the keyId indicated in the JAR uniquely identifies the signing key. The last chance at finding a cause and a remediation is to assume that the keyId's signing key's public part was not published at all. Then it needs publishing. I don't know how the artifact got past Sonatype's upload gating a year ago.

https://central.sonatype.com/artifact/org.springframework.data/spring-data-commons/2.7.1

[mp911de]

Not quite sure I agree. The key has been published to the keyserver quite a while ago. Running the same command yields for me:

[INFO] Receive key: https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1
	to /Users/mpaluch/.m2/repository/pgpkeys-cache/EF/6A/EF6AD6684034B0CB67A9B5714406B84C1661DCD1.asc
[INFO] org.springframework.data:spring-data-commons:jar:2.7.1 PGP Signature OK
       KeyId: 0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1 UserIds: [Mark Paluch <[email protected]>]

with a pristine Spring Boot 2.7.1 Maven project and without a configuration of the verifier plugin.

Checking the POM yields the same successful verification.

In any case, artifacts on Maven Central are immutable and the key has been published which renders the ticket non-actionable.