Open
Description
Hello
Do you publish the fingerprints of your signing keys somewhere?
We [1] need to be able to do independent verification that the certificate and key we're verifying against for cose-java 1.1.0 from Maven Central [2] is indeed the one you intend so that we don't find ourselves incorrectly verifying against a key that isn't yours. It was signed using RSA key 6883 5987 BC02 D9EB FE06 6C91 EF7F 5B8F 3420 BCE4.
[1] https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/3269918721/Supply+Chain+Defence+for+the+Shibboleth+Java+Products
[2] https://mvnrepository.com/artifact/com.augustcellars.cose/cose-java/1.1.0
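The check this issue is asking to be able to make, as an added example that is not part of the original issue or of the cose-java project: it reads the status lines GnuPG writes with `--status-fd` during `--verify` and accepts the artifact only if the full fingerprint of the signer is in a pinned set. The function names and the sample status lines are constructed for illustration, and 40-hex-digit (v4) fingerprints are assumed.

```python
import re

# Fingerprint quoted in the issue; pin it only once the publisher confirms it out of band.
PINNED = {"6883 5987 BC02 D9EB FE06 6C91 EF7F 5B8F 3420 BCE4"}
# Status keywords gpg emits when a signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize(fpr):
    """Upper-case and strip separators; accept only a full 40-hex-digit fingerprint."""
    compact = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError(f"not a full 160-bit fingerprint: {fpr!r}")
    return compact

def signer_is_pinned(status_output, pinned=PINNED):
    """True only if the status text shows exactly one valid signature from a pinned key."""
    allowed = {normalize(p) for p in pinned}
    seen = []  # (signing key fingerprint, primary key fingerprint) per VALIDSIG line
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False
        if keyword == "VALIDSIG" and args:
            # First argument: signing (sub)key; tenth, if present: primary key.
            primary = args[9] if len(args) >= 10 else args[0]
            seen.append((normalize(args[0]), normalize(primary)))
    return len(seen) == 1 and bool(allowed & set(seen[0]))

# Constructed sample of `gpg --status-fd 1 --verify` output (dates and user ID invented).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EF7F5B8F3420BCE4 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 68835987BC02D9EBFE066C91EF7F5B8F3420BCE4 2020-01-01 1577836800 0 4 0 1 8 00 68835987BC02D9EBFE066C91EF7F5B8F3420BCE4
"""
# Constructed: valid signature, same 64-bit key ID, but a different (unpinned) fingerprint.
SAMPLE_OTHER = SAMPLE_GOOD.replace("68835987BC02D9EBFE066C91", "0123456789ABCDEF01234567")

if __name__ == "__main__":
    print(signer_is_pinned(SAMPLE_GOOD), signer_is_pinned(SAMPLE_OTHER))
```

The second sample keeps the key ID shown on the `GOODSIG` line and changes only the rest of the fingerprint, which is why the comparison is made on the full fingerprint from `VALIDSIG` rather than on a key ID.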