If you discover a security vulnerability in JHighlight, please report it through GitHub Security Advisories.

Please do not open a public issue for security vulnerabilities. Using GitHub Security Advisories allows us to privately discuss and fix the issue before public disclosure.

All release artifacts published to Maven Central are signed with GPG. You can verify the signature of any artifact using the following key:

# 1. Import the public key from a keyserver
gpg --keyserver keyserver.ubuntu.com --recv-keys C76701D6BD7E088EFFA4548A0DC3968BA181B331

# 2. Download the artifact and its signature
curl -O https://repo1.maven.org/maven2/org/codelibs/jhighlight/1.1.1/jhighlight-1.1.1.jar
curl -O https://repo1.maven.org/maven2/org/codelibs/jhighlight/1.1.1/jhighlight-1.1.1.jar.asc

# 3. Verify
gpg --verify jhighlight-1.1.1.jar.asc jhighlight-1.1.1.jar

To use this key with Gradle dependency verification, add the following trusted key to your verification-metadata.xml:

<trusted-key id="C76701D6BD7E088EFFA4548A0DC3968BA181B331" group="org.codelibs"/>