Here’s a new release announcement with full ID’s this time:

The v0.11 tag is signed by Andreas Schildbach’s GPG key (fingerprint E944 AE66 7CF9 60B1 004B C32F CA66 2BE1 8B87 7A60). The commit hash is 410d4547a7dd20745f637313ed54d04d08d28687.

Key: 16vSNFP5Acsa6RBbjEA7QYCCRDRGXRFH4m
Signature: IFXzt4ZdWFEpLrAXRDnQS6ZKJYGmyHDHtyAgeg/2/EaTvg41jSsUQW8rq19evT2UNp+eP0+OWgWM7iDKrTv11DY=

It’s worth noting that this problem crops up in other contexts too. For instance, it’s very common for people to identify PGP keys by a short identifier.

As it happens I do have a PGP key, fingerprint C85A AB0F 7A1C CCA3 2BFC EECC F2E4 861C 9988 816F, and I just signed Andreas’ key with it. However, as I’m not myself well connected in the web of trust, that doesn’t add a whole lot. But now that my key is effectively signed out of band by SwissSign so if people wanted to manually trace a trust path across systems, they could. I am skeptical anyone will :-)

Note that thanks to Gary Rowe, there is a Maven dependency checker plugin that verifies the (full) hashes of library dependencies. It could be better integrated but it provides another backstop.