Please publish the list of the official PGP keys for ASM releases
This request is different from #317878 (closed)
The idea is project page should provide clear steps to verify if the release is official.
I'm afraid I've no standard way of doing that, however it would be nice if you could mention the official PGP key ids in the Download
section at https://asm.ow2.io/
See also https://github.com/spring-projects/spring-framework/issues/23434#issuecomment-523882229
Sample implementation for Apache JMeter: https://jmeter.apache.org/download_jmeter.cgi As you see, it refers KEYS file and links to the page with gpg commands to verify the signatures.
PS. I don't really expect that everybody would start verifying their downloads, however making the official key ID publicly available would help for automated verifications as well.