Provide PGP signatures for artifact verification
Asm 6.0...7.2-beta lack *.asc files, so it is hard to verify if the jar files came from a trusted party.
ASM is very very wildly used project, and it would be great if there was a way to tell that the build was produced by a trusted party.
Sample: https://repo.maven.apache.org/maven2/org/ow2/asm/asm/5.2/ ( there are *.asc
files)
https://repo.maven.apache.org/maven2/org/ow2/asm/asm/7.1/ ( .asc
files are missing :( )