spring-projects / spring-plugin

Apache License 2.0

Spring Plugin PGP Signature cannot be verified #102

Open fabianfrz opened 3 months ago

fabianfrz commented 3 months ago

Hi,

I think the artifact on Maven Central cannot be verified, as the public GPG key is revoked.

Error message while running the plugin to verify the signatures (truncated stack trace):

Caused by: org.bouncycastle.openpgp.PGPException: org.bouncycastle.openpgp.PGPSignatureList found where PGPPublicKeyRing expected
    at org.bouncycastle.openpgp.PGPPublicKeyRingCollection.<init> (Unknown Source)
    at org.simplify4u.plugins.pgp.PublicKeyUtils.loadPublicKeyRing (PublicKeyUtils.java:144)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.loadKeyFromFile (PGPKeysCache.java:230)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.receiveKey (PGPKeysCache.java:275)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.lambda$null$2 (PGPKeysCache.java:181)
    at org.simplify4u.plugins.keyserver.PGPKeysCache$KeyServerListOne.execute (PGPKeysCache.java:372)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.lambda$getKeyRing$b1186df7$1 (PGPKeysCache.java:181)
    at io.vavr.control.Try.of (Try.java:75)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.getKeyRing (PGPKeysCache.java:181)
    at org.simplify4u.plugins.pgp.SignatureUtils.lambda$checkSignature$91862a76$1 (SignatureUtils.java:304)
    at io.vavr.control.Try.of (Try.java:75)
    at org.simplify4u.plugins.pgp.SignatureUtils.checkSignature (SignatureUtils.java:304)
    at org.simplify4u.plugins.pgp.SignatureUtils.checkSignature (SignatureUtils.java:362)
    at org.simplify4u.plugins.CheckMojo.processArtifactSignature (CheckMojo.java:243)

Maven Command:

cd $CI_PROJECT_DIR/project/dir && mvn org.simplify4u.plugins:pgpverify-maven-plugin:1.17.0:check \
        -Dpgpverify.keyserversLoadBalance=false \
        -Dpgpverify.keyserver=https://keyserver.ubuntu.com \
        -Dpgpverify.keysMapLocation=`pwd`/../../.mvn/keysmap.properties

If I look up the key, it seems to be revoked:

https://keyserver.ubuntu.com/pks/lookup?search=0x9A2C7A98E457C53D&fingerprint=on&op=index
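A small diagnostic for the failure above, added here as an example and not part of the issue, of spring-plugin or of pgpverify-maven-plugin: it walks the OpenPGP packet framing (RFC 4880) of whatever the keyserver returned, armored or binary, and reports whether the blob starts with a key packet at all (a leading signature packet is what BouncyCastle reports as "PGPSignatureList found where PGPPublicKeyRing expected") and whether it carries a revocation signature. The two sample blobs are constructed, not real key material.

```python
import base64
TAGS = {2: "signature", 5: "secret-key", 6: "public-key", 13: "user-id", 14: "public-subkey"}
REVOCATION_SIG_TYPES = {0x20: "key", 0x28: "subkey", 0x30: "certification"}

def dearmor(data: bytes) -> bytes:
    """Strip ASCII armor (RFC 4880 section 6.2) if present; binary input passes through."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    # Keep only base64 body lines: drop the BEGIN/END lines, "Key: value" armor headers,
    # the blank separator and the "=XXXX" CRC24 line.
    b64 = [l.strip() for l in data.decode("ascii", "replace").splitlines()
           if l.strip() and ":" not in l and not l.startswith(("-----", "="))]
    return base64.b64decode("".join(b64))

def packets(blob: bytes):
    """Yield (tag, body) per packet, handling old- and new-format length headers."""
    i = 0
    while i < len(blob):
        ctb = blob[i]; i += 1
        if not ctb & 0x80: raise ValueError("not an OpenPGP packet header at offset %d" % (i - 1))
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, blob[i]; i += 1
            if first < 192: length = first
            elif first < 224: length = ((first - 192) << 8) + blob[i] + 192; i += 1
            elif first == 255: length = int.from_bytes(blob[i:i + 4], "big"); i += 4
            else: raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 0x03]   # n == 0: indeterminate
            length = int.from_bytes(blob[i:i + n], "big") if n else len(blob) - i; i += n
        yield tag, blob[i:i + length]
        i += length

def classify(data: bytes) -> dict:
    """Report the leading packet type and any v4+ revocation signatures in the blob."""
    found = list(packets(dearmor(data)))
    first = TAGS.get(found[0][0], "tag-%d" % found[0][0]) if found else "empty"
    revocations = [REVOCATION_SIG_TYPES[b[1]] for t, b in found
                   if t == 2 and len(b) >= 2 and b[0] >= 4 and b[1] in REVOCATION_SIG_TYPES]
    return {"first_packet": first, "is_key_ring": first in ("public-key", "secret-key"),
            "revocations": revocations}

def packet(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body     # new-format header, one-octet length

# Constructed samples (no real key material): a key ring ending in a key-revocation
# signature, and a bare signature list ("PGPSignatureList found where PGPPublicKeyRing expected").
REVOKED_KEYRING = (packet(6, b"\x04" + b"\x00" * 16) + packet(13, b"Example <e@example.invalid>")
                   + packet(2, b"\x04\x13" + b"\x00" * 10) + packet(2, b"\x04\x20" + b"\x00" * 10))
SIGNATURE_LIST = packet(2, b"\x04\x20" + b"\x00" * 10)
```

Feed it the body of the keyserver's `op=get` response (or the cached file the plugin failed on) to see whether you received a key ring with a revocation or only a signature list, before deciding whether the key in keysmap.properties has to be replaced.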