Description
TestNG Version
7.9.0
Expected behavior
As a developer in a project dependent on TestNG, I should be able to verify the PGP signature on TestNG artifacts downloaded from Maven Central.
Actual behavior
Recent TestNG artifacts appear to be signed by this PGP key:
gpg: Signature made Tue Dec 26 09:36:16 2023 GMT
gpg: using RSA key 0F13D5631D6AF36D
gpg: Good signature from "Krishnan Mahadevan (krmahadevan-key) <krishnan.mahadevan1978@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4F5 4D86 22C9 5CC3 F098 721A 0F13 D563 1D6A F36D
This key claims to be associated with a member of the TestNG team, but due diligence in supply chain security requires us to demonstrate this more directly (anyone could create a PGP key claiming to belong to a TestNG team member and upload it to the key servers).
It would really help us out if the list of keys which can sign project artifacts on Maven Central was made available either within the repository itself (commonly as a KEYS file containing ASCII-armoured key exports) or in the documentation (as the same thing, or using full key fingerprints).
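The check the issue asks for becomes mechanical once the project publishes its release-signing fingerprints: verify the detached `.asc` with gpg, then accept the artifact only if the signing key chains to a pinned fingerprint. The Python below is an added example, not code from the issue or from the TestNG project. It assumes gpg's machine-readable `--status-fd` output format; the fingerprint it pins is the one printed in the issue and stands in as sample data only (in practice the pinned set is filled from the project's KEYS file or documented fingerprints), and all status lines are constructed for the example.

```python
"""Gate a PGP verification on a pinned set of release-signing fingerprints.

Added example; not from the TestNG issue or the TestNG project. It assumes
the project publishes its release keys (a KEYS file, or full fingerprints
in the docs) so that PINNED_FINGERPRINTS can be filled from that source.
The sample fingerprint is the one the issue reporter saw; the status lines
are constructed to match the format of `gpg --status-fd`.
"""
import re
import subprocess

# Fingerprints of keys allowed to sign release artifacts, pinned from the
# project's published list (sample value: the primary-key fingerprint from
# the issue). Pinning the full 160-bit fingerprint rather than the 64-bit
# key id is what gives the check its value.
PINNED_FINGERPRINTS = {
    "C4F5 4D86 22C9 5CC3 F098 721A 0F13 D563 1D6A F36D",
}

# Status tokens that mean verification failed outright.
FAILURE_TOKENS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}

# Constructed gpg --status-fd output for a good signature by the pinned key.
# VALIDSIG fields: <fpr> <date> <timestamp> <expire> <version> <reserved>
# <pubkey-algo> <hash-algo> <class> <primary-key-fpr>
SAMPLE_STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED C4F54D8622C95CC3F098721A0F13D5631D6AF36D 0
[GNUPG:] SIG_ID pqDfWkjDaCrBq2mFYQXl4kLVHnQ 2023-12-26 1703583376
[GNUPG:] GOODSIG 0F13D5631D6AF36D Krishnan Mahadevan (krmahadevan-key) <krishnan.mahadevan1978@gmail.com>
[GNUPG:] VALIDSIG C4F54D8622C95CC3F098721A0F13D5631D6AF36D 2023-12-26 1703583376 0 4 0 1 8 00 C4F54D8622C95CC3F098721A0F13D5631D6AF36D
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: cryptographically valid signature from a key that is NOT on
# the pinned list (placeholder all-zero fingerprint, placeholder identity).
SAMPLE_STATUS_UNPINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Release Signer <release@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2023-12-26 1703583376 0 4 0 1 8 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: the signature does not verify at all.
SAMPLE_STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000000000000000 Release Signer <release@example.org>
"""


def normalise_fingerprint(fpr: str) -> str:
    """Uppercase, whitespace-free form, as gpg prints it in VALIDSIG lines."""
    return re.sub(r"\s+", "", fpr).upper()


def valid_signatures(status_output: str) -> list[tuple[str, str]]:
    """Return (signing-key fpr, primary-key fpr) for every VALIDSIG line."""
    found = []
    for line in status_output.splitlines():
        parts = line.split()
        # "[GNUPG:] VALIDSIG" followed by ten fields, the last one the primary key.
        if len(parts) >= 12 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            found.append((parts[2].upper(), parts[11].upper()))
    return found


def is_trusted_signature(status_output: str, pinned) -> bool:
    """True only if gpg reported no failure token, at least one VALIDSIG, and
    every signature chains to a primary key in the pinned set. The web-of-trust
    level (TRUST_UNDEFINED etc.) is deliberately ignored: the pinned list is
    the trust decision here."""
    allowed = {normalise_fingerprint(f) for f in pinned}
    tokens = set()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            tokens.add(parts[1])
    if tokens & FAILURE_TOKENS:
        return False
    sigs = valid_signatures(status_output)
    return bool(sigs) and all(primary in allowed for _, primary in sigs)


def verify_artifact(artifact_path: str, signature_path: str,
                    pinned=PINNED_FINGERPRINTS) -> bool:
    """Verify a downloaded artifact against its detached .asc with gpg and
    apply the pinned-fingerprint check to the status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify",
         signature_path, artifact_path],
        capture_output=True, text=True, check=False,
    )
    return is_trusted_signature(proc.stdout, pinned)


if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_STATUS_GOOD),
                         ("unpinned", SAMPLE_STATUS_UNPINNED),
                         ("bad", SAMPLE_STATUS_BAD)]:
        print(name, is_trusted_signature(sample, PINNED_FINGERPRINTS))
```

The "WARNING: This key is not certified with a trusted signature" in the issue corresponds to the TRUST_UNDEFINED status line above; gpg's "Good signature" only says the signature verifies under some key in the local keyring. The fingerprint pin is what replaces the missing certification, which is why it matters that the project, not a key server, publishes the list of fingerprints it is pinned from.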