Expired key used to sign Maven Central artifacts

[pzygielo]

B1A1B3D106026B24DB420C20B4ECB0FED22FCF24

pub   rsa2048 2013-07-18 [SC] [expired: 2017-07-17]
      B1A1B3D106026B24DB420C20B4ECB0FED22FCF24
uid           [ expired] Robin Bygrave <robin.bygrave@gmail.com>
sub   rsa2048 2013-07-18 [E] [expired: 2017-07-17]

gpg: Signature made Tue 21 Oct 2025 22:31:10 CEST
gpg:                using RSA key B1A1B3D106026B24DB420C20B4ECB0FED22FCF24
gpg: Good signature from "Robin Bygrave <robin.bygrave@gmail.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: B1A1 B3D1 0602 6B24 DB42  0C20 B4EC B0FE D22F CF24

Couldn't find newer in none of hkps://pgp.surfnet.nl hkps://keyserver.ubuntu.com hkps://keys.openpgp.org hkps://pgpkeys.eu.

Please distribute updated key.

[SentryMan]

@rbygrave is this resolved or something?

[mechite]

@SentryMan

$ gpg --verify avaje-inject-12.1-RC3.jar.asc
gpg: assuming signed data in 'avaje-inject-12.1-RC3.jar'
gpg: Signature made 11/21/25 16:26:39 GMT Standard Time
gpg:                using EDDSA key 37528B4614291BC22663FDC76A807F9FEAC23E67
gpg: Can't check signature: No public key

$ gpg --keyserver keyserver.ubuntu.com --recv-keys 6A807F9FEAC23E67
gpg: key 6A807F9FEAC23E67: public key "Josiah Noel <josiahnoel@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --verify avaje-inject-12.1-RC3.jar.asc
gpg: assuming signed data in 'avaje-inject-12.1-RC3.jar'
gpg: Signature made 11/21/25 16:26:39 GMT Standard Time
gpg:                using EDDSA key 37528B4614291BC22663FDC76A807F9FEAC23E67
gpg: Good signature from "Josiah Noel <josiahnoel@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3752 8B46 1429 1BC2 2663  FDC7 6A80 7F9F EAC2 3E67

Looks OK to me.

[pzygielo]

@mechite, @SentryMan Please reopen or re-close as not planned, not as completed.

What you have shown is for

• 37528B4614291BC22663FDC76A807F9FEAC23E67: Josiah Noel josiahnoel@gmail.com

while I'm asking for

• B1A1B3D106026B24DB420C20B4ECB0FED22FCF24: Robin Bygrave robin.bygrave@gmail.com (used for 12.0, still the latest release).

[mechite]

Right, looking at the old release candidates it looks like Rob's signature was
being used as well, so perhaps open this one until a final release is made