Make maintainers' public keys visible

List the public keys that are used to sign Gerrit release
artifacts that are deployed to Maven Central. This will allow
users to be more confident that the signatures are valid.

In this commit I only add my own key. Other maintainers can
add theirs in follow-up commits.

Change-Id: I50359005d6d09857661c1433475b5958830764a2
diff --git a/releases/README.md b/releases/README.md
index cc10333..bc91b5c 100644
--- a/releases/README.md
+++ b/releases/README.md
@@ -4,7 +4,10 @@
 [download site](https://gerrit-releases.storage.googleapis.com/index.html)
 (.war files only) or from
 [Maven Central](http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22com.google.gerrit%22)
-(version 2.9 and later).
+(.war files and API artifacts, version 2.9 and later).
+
+Artifacts deployed to Maven Central are signed with the maintainer's key.
+Please refer to the [list of maintainers' keys](public-keys.md).
 
 Latest release: **[2.14.1](/releases/2.14.md)**.
 
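Review bot: "the maintainer's key" in the added sentence "Artifacts deployed to Maven Central are signed with the maintainer's key." is singular and does not say which maintainer, while the link text on the next line says "maintainers' keys". Since the commit message expects further keys in follow-up commits, a reader cannot tell which key a given release should verify against. Suggest wording along the lines of "signed with the key of the maintainer who made the release", plus one sentence telling users to compare the signing key's full fingerprint against the linked list.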
diff --git a/releases/public-keys.md b/releases/public-keys.md
new file mode 100644
index 0000000..b9f8fcc
--- /dev/null
+++ b/releases/public-keys.md
@@ -0,0 +1,8 @@
+# Gerrit Code Review - Public Keys
+
+The following public keys are used to sign release artifacts that
+are deployed to Maven Central:
+
+| Name             | Email Address          | Fingerprint                                        |
+|------------------|------------------------|----------------------------------------------------|
+| David Pursehouse | dpursehouse@collab.net | 0A76 9EB0 5339 B93B DD89  95ED 0C3A F664 9FFC 2102 |
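Review bot: the table in public-keys.md lists name, email address and fingerprint, but nothing says where the key itself can be obtained or which releases it signed, so a reader has a value to compare against and no documented way to use it. Suggest a line above the table asking users to match the full 40-hex-digit fingerprint (not a short key ID) of the key that produced the artifact's signature. As other maintainers add rows, a column for the releases or date range each key covers would also help.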