Document pgp artifact signing keys

Closes #3084

Author: krmahadevan

CHANGES.txt

@@ -1,4 +1,5 @@
 Current (7.10.0)
+Fixed: GITHUB:3084: Document project's PGP artifact signing keys (Krishnan Mahadevan)
 Fixed: GITHUB:3040: replace the usages of synchronized with ReentrantLock (Krishnan Mahadevan)
 Fixed: GITHUB-3041: TestNG 7.x DataProvider works in opposite to TestNG 6.x when retrying tests. (Krishnan Mahadevan)
 Fixed: GITHUB-3066: How to dynamically adjust the number of TestNG threads after IExecutorFactory is deprecated? (Krishnan Mahadevan)

KEYS

@@ -0,0 +1,37 @@
+pub   rsa2048 2016-12-01 [SC]
+      C4F54D8622C95CC3F098721A0F13D5631D6AF36D
+uid           [ unknown] Krishnan Mahadevan (krmahadevan-key) <[email protected]>
+sig 3        0F13D5631D6AF36D 2016-12-01  [self-signature]
+sub   rsa2048 2016-12-01 [E]
+sig          0F13D5631D6AF36D 2016-12-01  [self-signature]
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFhAKr0BCACpCBFAMXU7scE/5BmSA3strabxRphlB1g0M63I2zP5ibrzK63c
+mTwz/rWwpeUnBgxe9wVArvvV2NFi4qNUqZVd5luxBIWE1btE8nSKLLuOSbTfOOW0
+mXFBTnUQVDp1IYH8aX0lktbypiMifAio6YwFc35hHe8p+z9J4mzxS8BMutITcyG1
+ze8yUabwo8jkBJzIHZhhcHE0Y+dOAmrHlkE5LKtqGnYLmcP0FZ3WEpp/0DsQ+drE
++APikLWQmqItdESZmp7J/qI1T3jLQ8V6+E8ZCgDfij+HxIl1BDThoDjqPs5paNYv
+9KEtPslLudMS5Ffq3sCBtOYV9L6ee8gkazRPABEBAAG0R0tyaXNobmFuIE1haGFk
+ZXZhbiAoa3JtYWhhZGV2YW4ta2V5KSA8a3Jpc2huYW4ubWFoYWRldmFuMTk3OEBn
+bWFpbC5jb20+iQE5BBMBCAAjBQJYQCq9AhsDBwsJCAcDAgEGFQgCCQoLBBYCAwEC
+HgECF4AACgkQDxPVYx1q823Dygf7BpWRvHhevZntcBZ2VAQhnfpsisqHKTDDIxde
+U9SibR6CeVOKRqU1sPZSoZDwVWzpt0FF0fIEojbnvIMNrI4WgOT5xTr265irY33w
+0p8Rjeco3IQSlaoZSGs/dw118TrwhCEcvBfiv7L5tETB1WlAF2SLxEbqP2wK2hTj
+F4zE0SSmzztJaEJvVncw7EfFzHpLtRCAwoWmZqNnadQeeq6c52EnVOlqxzld8aO/
+v8mOMvgfZvwvylKauPZN/mseXOQeVBJg0OF9gUlXhTK2nM0jUSNQvAp/MJ4IjV0P
+GwHJi+YINJYMTU0pjkjBdThnFqD6waqeDUZJG/0CceLUlJdUEbkBDQRYQCq9AQgA
+oQ0sIv/pfLE58MWBEOM0975BXnLTTzgbvbpY4AG9ZBecs2p2lFQ5VxwS6LO1LPPw
+lZ829ry8k+6D1TQtxC31m1cJNUgTNHRR7Cc+qQTdWA7bHjJgZYrQBZbC62AM7q69
+fu9fwVuVK65UzTLDWwAZ32mQXIwBa1RB/lz9pOWJJEr663yqh1IczY0FYKPyOjAf
+YQ9RNFDcIRPEjP7TGd+tJIwDQHeimbSNAh6X4RY625vKKTxw0tJzXSXs2XisTYHj
+iwENDHR/RNKJiW/VqEtwHGmwe60XJDX5GiW4Dp0Owk8LCG7m5ERx+OypBuoJ+VUt
+qJlRyQ/Xi2DKO+dwqrVSawARAQABiQEfBBgBCAAJBQJYQCq9AhsMAAoJEA8T1WMd
+avNtePEIAI/ncSquvPBOxPS7naiCShtTVxzC8MmwsqLmnx4lFGxy0ElSOwlWX6g7
+2/KnIhXrMcpbbTtruv3DKNmh3br3nmFg7y2Rt+u+GLbY3Ms8BHQU7esPt4Hey4iH
+/C/3F3KPV6gt9Mx2d4VQKSoinkavK77H7DRBtDMTyYpoqSS7wYLDQsJ0kPSCDupU
+QXsc2cNyd0Pb89xfXqEE0ntrB63eThT5+loFm/eaP0mTdzLn+gQ/VruuPibxEoXL
+0gK3z75V8muX20TJXhc4F3tGCkVZ8nDgnrbwj0e9FsqLfthYIDxjyc+JVU1ip5E/
+3GB9FoYfKJ5nm4+32uWtSw+9cZWh4Bc=
+=mMe+
+-----END PGP PUBLIC KEY BLOCK-----

README.md

@@ -53,3 +53,20 @@ Refer our [Contributing](.github/CONTRIBUTING.md) section for detailed set of st
 
   If your pull request involves fixing SonarQube issues then we would suggest that you please discuss this with the 
   [TestNG-dev](https://groups.google.com/forum/#!forum/testng-dev) before you spend time working on it.
+
+### Verifying the signature
+
+1. Download the `.asc` file from `https://repo1.maven.org/maven2/org/testng/testng/<versionGoesHere>`
+2. Run the command `gpg --verify testng-7.9.0.jar.asc testng-7.9.0.jar`
+3. You should see an output as below:
+
+```bash
+gpg: Signature made Tue Dec 26 15:06:16 2023 IST
+gpg:                using RSA key 0F13D5631D6AF36D
+gpg: Good signature from "Krishnan Mahadevan (krmahadevan-key) <[email protected]>" [unknown]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: C4F5 4D86 22C9 5CC3 F098  721A 0F13 D563 1D6A F36D
+```
+
+For more details regarding keys please refer [here](https://infra.apache.org/release-signing.html#verifying-signature)