PGP key for the jwks-rsa package not found on the keyserver

[NikoLehtovirta]

Checklist

• I have looked into the Readme and Examples, and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

With the recent update to com.auth0.java-jwt to keys have been rotated and currently the jwks-rsa package looks to be using the same key causing the PGP verification to fail during the install step. While the issue was solved for the com.auth0.java-jwt by updating it to 4.5.0 version the jwks-rsa package has not received any update which means there isn't any way to solve the issue until new release is made using new key.

Here are the key PGP info to show the issue using the pgpverify-maven-plugin:

com.auth0.java-jwt:4.5.0

Artifact:
        groupId:     com.auth0
        artifactId:  java-jwt
        type:        jar
        version:     4.5.0

PGP signature:
        version:     4
        algorithm:   SHA512 with RSA (Encrypt or Sign)
        keyId:       0x09C6FCE6AACD67E3
        create date: Wed Jan 29 16:38:44 EET 2025
        status:      valid

PGP key:
        version:     4
        algorithm:   RSA (Encrypt or Sign)
        bits:        3072
        fingerprint: 0xAC3F8C3B82B7990EE0EB32C009C6FCE6AACD67E3
        create date: Fri Oct 27 15:04:13 EEST 2023
        uids:        [Auth0 <support@auth0.com>]

com.auth0.java-jwt:4.4.0

Artifact:
        groupId:     com.auth0
        artifactId:  java-jwt
        type:        jar
        version:     4.4.0

PGP signature:
        version:     4
        algorithm:   SHA512 with RSA (Encrypt or Sign)
        keyId:       0x7C579522A12B1443
        create date: Fri Mar 31 21:33:04 EEST 2023
        status:      valid

PGP key:
        version:     4
        algorithm:   RSA (Encrypt or Sign)
        bits:        3072
        fingerprint: 0x0984FA32B926C76FE624E2157C579522A12B1443
        create date: Fri Jan 06 01:44:35 EET 2023
        uids:        []

com.auth0.jwks-rsa:0.22.1

Artifact:
        groupId:     com.auth0
        artifactId:  jwks-rsa
        type:        jar
        version:     0.22.1

PGP signature:
        version:     4
        algorithm:   SHA512 with RSA (Encrypt or Sign)
        keyId:       0x7C579522A12B1443
        create date: Fri Jul 28 15:26:41 EEST 2023
        status:      valid

PGP key:
        version:     4
        algorithm:   RSA (Encrypt or Sign)
        bits:        3072
        fingerprint: 0x0984FA32B926C76FE624E2157C579522A12B1443
        create date: Fri Jan 06 01:44:35 EET 2023
        uids:        []

Reproduction

1. Install the pgpverify-maven-plugin:
2. Add jwks-rsa as dependency.
3. See the error com.auth0:jwks-rsa:jar:0.22.1 PGP key 0x7C579522A12B1443 not found on keyserver

Additional context

No response

jwks-rsa version

0.22.1

Java version

11

[tanya732]

Hi @NikoLehtovirta,

Thank you for raising this issue! We will be planning to address it in a future release. We’ll keep you updated as we move forward with a fix.

Thank you