by teacup50 4141 days ago
http://blog.sonatype.com/2009/04/nexus-133-introduces-automa...
1 comments

But unless the signers have a public certificate, or publish their public keys on their website (which you need to obtain manually), the signatures on Maven Central can be just as fake as the artifacts.