Document pgp artifact signing keys

CHANGES.txt

@@ -1,4 +1,5 @@
 Current (7.10.0)
+Fixed: GITHUB:3084: Document project's PGP artifact signing keys (Krishnan Mahadevan)
 Fixed: GITHUB:3040: replace the usages of synchronized with ReentrantLock (Krishnan Mahadevan)
 Fixed: GITHUB-3041: TestNG 7.x DataProvider works in opposite to TestNG 6.x when retrying tests. (Krishnan Mahadevan)
 Fixed: GITHUB-3066: How to dynamically adjust the number of TestNG threads after IExecutorFactory is deprecated? (Krishnan Mahadevan)

KEYS

@@ -0,0 +1,37 @@
+pub   rsa2048 2016-12-01 [SC]
+      C4F54D8622C95CC3F098721A0F13D5631D6AF36D
+uid           [ unknown] Krishnan Mahadevan (krmahadevan-key) <krishnan.mahadevan1978@gmail.com>
+sig 3        0F13D5631D6AF36D 2016-12-01  [self-signature]
+sub   rsa2048 2016-12-01 [E]
+sig          0F13D5631D6AF36D 2016-12-01  [self-signature]
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFhAKr0BCACpCBFAMXU7scE/5BmSA3strabxRphlB1g0M63I2zP5ibrzK63c
+mTwz/rWwpeUnBgxe9wVArvvV2NFi4qNUqZVd5luxBIWE1btE8nSKLLuOSbTfOOW0
+mXFBTnUQVDp1IYH8aX0lktbypiMifAio6YwFc35hHe8p+z9J4mzxS8BMutITcyG1
+ze8yUabwo8jkBJzIHZhhcHE0Y+dOAmrHlkE5LKtqGnYLmcP0FZ3WEpp/0DsQ+drE
++APikLWQmqItdESZmp7J/qI1T3jLQ8V6+E8ZCgDfij+HxIl1BDThoDjqPs5paNYv
+9KEtPslLudMS5Ffq3sCBtOYV9L6ee8gkazRPABEBAAG0R0tyaXNobmFuIE1haGFk
+ZXZhbiAoa3JtYWhhZGV2YW4ta2V5KSA8a3Jpc2huYW4ubWFoYWRldmFuMTk3OEBn
+bWFpbC5jb20+iQE5BBMBCAAjBQJYQCq9AhsDBwsJCAcDAgEGFQgCCQoLBBYCAwEC
+HgECF4AACgkQDxPVYx1q823Dygf7BpWRvHhevZntcBZ2VAQhnfpsisqHKTDDIxde
+U9SibR6CeVOKRqU1sPZSoZDwVWzpt0FF0fIEojbnvIMNrI4WgOT5xTr265irY33w
+0p8Rjeco3IQSlaoZSGs/dw118TrwhCEcvBfiv7L5tETB1WlAF2SLxEbqP2wK2hTj
+F4zE0SSmzztJaEJvVncw7EfFzHpLtRCAwoWmZqNnadQeeq6c52EnVOlqxzld8aO/
+v8mOMvgfZvwvylKauPZN/mseXOQeVBJg0OF9gUlXhTK2nM0jUSNQvAp/MJ4IjV0P
+GwHJi+YINJYMTU0pjkjBdThnFqD6waqeDUZJG/0CceLUlJdUEbkBDQRYQCq9AQgA
+oQ0sIv/pfLE58MWBEOM0975BXnLTTzgbvbpY4AG9ZBecs2p2lFQ5VxwS6LO1LPPw
+lZ829ry8k+6D1TQtxC31m1cJNUgTNHRR7Cc+qQTdWA7bHjJgZYrQBZbC62AM7q69
+fu9fwVuVK65UzTLDWwAZ32mQXIwBa1RB/lz9pOWJJEr663yqh1IczY0FYKPyOjAf
+YQ9RNFDcIRPEjP7TGd+tJIwDQHeimbSNAh6X4RY625vKKTxw0tJzXSXs2XisTYHj
+iwENDHR/RNKJiW/VqEtwHGmwe60XJDX5GiW4Dp0Owk8LCG7m5ERx+OypBuoJ+VUt
+qJlRyQ/Xi2DKO+dwqrVSawARAQABiQEfBBgBCAAJBQJYQCq9AhsMAAoJEA8T1WMd
+avNtePEIAI/ncSquvPBOxPS7naiCShtTVxzC8MmwsqLmnx4lFGxy0ElSOwlWX6g7
+2/KnIhXrMcpbbTtruv3DKNmh3br3nmFg7y2Rt+u+GLbY3Ms8BHQU7esPt4Hey4iH
+/C/3F3KPV6gt9Mx2d4VQKSoinkavK77H7DRBtDMTyYpoqSS7wYLDQsJ0kPSCDupU
+QXsc2cNyd0Pb89xfXqEE0ntrB63eThT5+loFm/eaP0mTdzLn+gQ/VruuPibxEoXL
+0gK3z75V8muX20TJXhc4F3tGCkVZ8nDgnrbwj0e9FsqLfthYIDxjyc+JVU1ip5E/
+3GB9FoYfKJ5nm4+32uWtSw+9cZWh4Bc=
+=mMe+
+-----END PGP PUBLIC KEY BLOCK-----

README.md

@@ -53,3 +53,92 @@ Refer our [Contributing](.github/CONTRIBUTING.md) section for detailed set of st
 
   If your pull request involves fixing SonarQube issues then we would suggest that you please discuss this with the 
   [TestNG-dev](https://groups.google.com/forum/#!forum/testng-dev) before you spend time working on it.
+
+### GPG Keys
+
+#### Getting the keys
+
+Download the keys as shown below:
+
+```bash
+gpg --keyserver keyserver.ubuntu.com --recv-keys 0F13D5631D6AF36D
+gpg: key 0F13D5631D6AF36D: "Krishnan Mahadevan (krmahadevan-key) <krishnan.mahadevan1978@gmail.com>" not changed
+gpg: Total number processed: 1
+gpg:              unchanged: 1
+```
+
+#### Trusting the keys
+
+Trust the keys as shown below:
+
+```bash
+gpg --edit-key 0F13D5631D6AF36D
+gpg (GnuPG) 2.4.4; Copyright (C) 2024 g10 Code GmbH
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+Secret key is available.
+
+sec  rsa2048/0F13D5631D6AF36D
+     created: 2016-12-01  expires: never       usage: SC
+     trust: full          validity: unknown
+ssb  rsa2048/7295B61CC8DD9AE8
+     created: 2016-12-01  expires: never       usage: E
+[ unknown] (1). Krishnan Mahadevan (krmahadevan-key) <krishnan.mahadevan1978@gmail.com>
+
+gpg> trust
+sec  rsa2048/0F13D5631D6AF36D
+     created: 2016-12-01  expires: never       usage: SC
+     trust: full          validity: unknown
+ssb  rsa2048/7295B61CC8DD9AE8
+     created: 2016-12-01  expires: never       usage: E
+[ unknown] (1). Krishnan Mahadevan (krmahadevan-key) <krishnan.mahadevan1978@gmail.com>
+
+Please decide how far you trust this user to correctly verify other users' keys
+(by looking at passports, checking fingerprints from different sources, etc.)
+
+  1 = I don't know or won't say
+  2 = I do NOT trust
+  3 = I trust marginally
+  4 = I trust fully
+  5 = I trust ultimately
+  m = back to the main menu
+
+Your decision? 5
+Do you really want to set this key to ultimate trust? (y/N) y
+
+sec  rsa2048/0F13D5631D6AF36D
+     created: 2016-12-01  expires: never       usage: SC
+     trust: ultimate      validity: unknown
+ssb  rsa2048/7295B61CC8DD9AE8
+     created: 2016-12-01  expires: never       usage: E
+[ unknown] (1). Krishnan Mahadevan (krmahadevan-key) <krishnan.mahadevan1978@gmail.com>
+Please note that the shown key validity is not necessarily correct
+unless you restart the program.
+
+gpg> exit
+
+Invalid command  (try "help")
+
+gpg> quit
+```
+
+#### Verifying the signature
+
+1. Download the `.asc` file from `https://repo1.maven.org/maven2/org/testng/testng/<versionGoesHere>`
+2. Run the command `gpg --verify testng-<versionGoesHere>.jar.asc testng-<versionGoesHere>.jar`
+3. You should see an output as below:
+
+```bash
+gpg: Signature made Tue Dec 26 15:06:16 2023 IST
+gpg:                using RSA key 0F13D5631D6AF36D
+gpg: checking the trustdb
+gpg: marginals needed: 3  completes needed: 1  trust model: pgp
+gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
+gpg: Good signature from "Krishnan Mahadevan (krmahadevan-key) <krishnan.mahadevan1978@gmail.com>" [ultimate]
+```
+
+For more details regarding keys please refer:
+
+* [Verifying Signature](https://infra.apache.org/release-signing.html#verifying-signature)
+* [How to Trust Imported GPG Keys](https://classroom.anir0y.in/post/blog-how-to-trust-imported-gpg-keys/)