[teacup50]

Yes, we verify signatures at our middleware repository cache.

[pron]

Really? Impressive! Where do you get the public keys? Most projects hosted on Maven Central don't publish them on their website.

[teacup50]

http://blog.sonatype.com/2009/04/nexus-133-introduces-automa...

[pron]

But unless the signers have a public certificate, or publish their public keys on their website (which you need to obtain manually), the signatures on Maven Central can be just as fake as the artifacts.