This security theater around supply chain security is getting ridiculous.
What we need is true supply chain security, but no one is willing to pay for that; it would mean paying FOSS projects, and companies don't want to pay for their "free" software.
As package maintainer you are required to sign the packages with a PGP key. Maven Central also requires that you upload that PGP key (the public part only of course) to one of a few well-known key servers.