
Yes. See their requirements.

No. You have to use the same approved key that’s associated with the artifact namespace.



I was checking their requirements pages and I didn't see any mention of how the keys are associated with anything; that is why I was asking.

https://central.sonatype.org/publish/requirements/#sign-file...

https://central.sonatype.org/publish/requirements/gpg/

It only says:

> These identifiers are essential as they will be seen by anyone downloading a software artifact and validating a signature

but nothing about associating the keys with account or anything.


You're not associating keys with an account; you're associating keys with a Maven namespace. I guess you do have to have an account to post an artifact into a staging repository, but at the end of the day, the keys have to match the namespace and, to quote Stone Cold Steve Austin: And that's the bottom line.

So for instance, I now control this maven namespace:

com.github.exabrial

When I created my Sonatype account, I signed up and verified my email. I then had to give them a PGP public key and told them I wanted to control that namespace. Since the namespace was unoccupied, they were like, sure, np.

Now, whenever I publish artifacts into that maven namespace, they must be signed with that PGP key.

As an example, you can see the associated signature files for all of the artifacts for this release in the repository: https://repo1.maven.org/maven2/com/github/exabrial/logback-o...

Repo here: https://github.com/exabrial/logback-openwire-appender if you want to look at the build configuration in the pom.xml.
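Added example, not code from the comment above or from the logback-openwire-appender project: a shell script that exercises the detached PGP signature mechanism the thread is describing, entirely offline. It generates a throwaway "publisher" key (standing in for the key registered for the namespace) and an unrelated "impostor" key in a temporary GNUPGHOME, signs a constructed artifact the way the `.asc` files next to a Maven Central release are produced, and then verifies from the consumer side. The point it adds to the text is the check a downloader should actually do: `gpg --verify` exiting 0 only means some key in your keyring made the signature, so the script pins the fingerprint of the key expected for the namespace. The user IDs, file names and `verify_artifact` helper are made up for the example; it assumes GnuPG 2.x with `--pinentry-mode loopback`.

```shell
#!/bin/sh
# Added example (not from the HN post or the logback-openwire-appender build):
# sign a constructed artifact with a throwaway PGP key and verify it the way a
# Maven Central consumer should, pinning the expected fingerprint.
set -eu

# Throwaway keyring so the real ~/.gnupg is never touched.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
WORK="$(mktemp -d)"

# Constructed stand-in for a published artifact (a real one is a .jar or .pom).
ARTIFACT="$WORK/example-1.0.0.jar"
printf 'constructed artifact bytes\n' > "$ARTIFACT"

# Non-interactive key generation: no passphrase, never expires (demo only).
gen_key() {  # $1 = user ID
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" default default never 2>/dev/null
}

# Primary-key fingerprint for a user ID (the value a consumer would pin).
fingerprint_of() {  # $1 = user ID or e-mail
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Produce the ASCII-armoured detached signature (.asc) that sits next to the
# artifact in the repository.
sign_artifact() {  # $1 = signer uid, $2 = artifact path, $3 = output .asc path
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
      --local-user "$1" --armor --detach-sign --output "$3" "$2" 2>/dev/null
}

# Consumer-side check (hypothetical helper): the signature must be
# cryptographically valid AND made by the fingerprint expected for the
# namespace. The VALIDSIG status line carries the signing-key fingerprint in
# field 3 and the primary-key fingerprint in the last field.
verify_artifact() {  # $1 = artifact, $2 = .asc, $3 = expected fingerprint
  status="$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)"
  printf '%s\n' "$status" | awk -v want="$3" '
    $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# The namespace owner's key, and an unrelated key that must be rejected.
gen_key 'Publisher <publisher@example.invalid>'
gen_key 'Impostor <impostor@example.invalid>'
PUBLISHER_FPR="$(fingerprint_of publisher@example.invalid)"
IMPOSTOR_FPR="$(fingerprint_of impostor@example.invalid)"

sign_artifact publisher@example.invalid "$ARTIFACT" "$ARTIFACT.asc"
sign_artifact impostor@example.invalid  "$ARTIFACT" "$WORK/impostor.asc"

# Tampered copy: any byte change must invalidate the publisher's signature.
cp "$ARTIFACT" "$WORK/tampered.jar"
printf 'x' >> "$WORK/tampered.jar"

if verify_artifact "$ARTIFACT" "$ARTIFACT.asc" "$PUBLISHER_FPR"; then
  echo "genuine artifact, expected key: accepted"
fi
if ! verify_artifact "$ARTIFACT" "$WORK/impostor.asc" "$PUBLISHER_FPR"; then
  echo "valid signature from the wrong key: rejected"
fi
if ! verify_artifact "$WORK/tampered.jar" "$ARTIFACT.asc" "$PUBLISHER_FPR"; then
  echo "tampered artifact: rejected"
fi
```

Against a real release the flow is the same: download the `.jar` and its `.jar.asc` from repo1.maven.org, import the publisher's public key from the key server the Sonatype GPG requirements page asks publishers to upload it to, and pass the fingerprint you trust for that namespace as the third argument. The impostor case is the one to notice: its signature is perfectly valid, and a plain `gpg --verify` reports success, so without the fingerprint comparison a consumer learns nothing about whether the signer is the namespace owner.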



