From d84fa1af887b79e4122f235e8bce0c5622e36af0 Mon Sep 17 00:00:00 2001 From: Sean Leary Date: Fri, 29 May 2026 10:38:42 -0500 Subject: [PATCH] docs-and-warnings-cleanup cleanup some doc files, update pom for deployment, fix some JSONObject warnings --- README.md | 3 ++ SECURITY.md | 60 -------------------------- docs/SECURITY.md | 55 +++++++++++++++++++++++ pom.xml | 9 ++++ src/main/java/org/json/JSONObject.java | 6 +++ 5 files changed, 73 insertions(+), 60 deletions(-) delete mode 100644 SECURITY.md diff --git a/README.md b/README.md index 93a502193..40acb8f06 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,9 @@ This project is in the public domain. This means: We recognize this can create uncertainty for some corporate legal departments accustomed to standard licenses like MIT or Apache 2.0. If your organization requires a named license for compliance purposes, public domain is functionally equivalent to the Unlicense or CC0 1.0, both of which have been reviewed and accepted by organizations including the Open Source Initiative and Creative Commons. You may reference either when explaining this project's terms to your legal team. +# Signing keys used in releases + +The signing keys can be found in [SECURITY.md](https://github.com/stleary/JSON-java/blob/master/docs/SECURITY.md) # If you would like to contribute to this project diff --git a/SECURITY.md b/SECURITY.md deleted file mode 100644 index 3a1e60ebe..000000000 --- a/SECURITY.md +++ /dev/null 
@@ -1,60 +0,0 @@ -# Security Policy - -## Reporting a Vulnerability - -Please follow the instructions in the ["How are vulnerabilities and exploits handled?"](https://github.com/stleary/JSON-java/wiki/FAQ#how-are-vulnerabilities-and-exploits-handled) section in the FAQ. - -## Verifying Release Signatures - -All releases of `org.json:json` published to Maven Central are signed with PGP. The fingerprint, keyserver location, and verification procedure below let you confirm that the artifacts you've downloaded were produced by this project and have not been modified in transit. - -### Signing Key - -| | | -| --- | --- | -| **Fingerprint** | `FB35 C8D0 2B47 24DA DA23 DE0A FD11 6C19 69FC CFF3` | -| **Long key ID** | `FD116C1969FCCFF3` | -| **Keyserver** | `hkps://keyserver.ubuntu.com` | - -The full 40-character fingerprint above is the canonical identifier for the key. Always pin or compare against the full fingerprint rather than the long or short key ID. - -### Importing the Key - -```bash -gpg --keyserver hkps://keyserver.ubuntu.com \ - --recv-keys FB35C8D02B4724DADA23DE0AFD116C1969FCCFF3 -``` - -After importing, confirm the fingerprint matches what's published here: - -```bash -gpg --fingerprint FB35C8D02B4724DADA23DE0AFD116C1969FCCFF3 -``` - -### Verifying an Artifact - -Download both the artifact and its detached signature from Maven Central. For example, for version `20251224`: - -```bash -curl -O https://repo1.maven.org/maven2/org/json/json/20251224/json-20251224.jar -curl -O https://repo1.maven.org/maven2/org/json/json/20251224/json-20251224.jar.asc -gpg --verify json-20251224.jar.asc json-20251224.jar -``` - -A successful verification will report `Good signature from ...` and display the same fingerprint shown above. If GPG reports `BAD signature`, a mismatched fingerprint, or `No public key`, do not use the artifact and please open an issue. 
- -The same procedure applies to the `.pom` and any other signed sidecars in the release directory; substitute the filename you want to verify. - -### Gradle Dependency Verification - -If you are using Gradle's [dependency verification](https://docs.gradle.org/current/userguide/dependency_verification.html) feature, add an entry like the following to `gradle/verification-metadata.xml`: - -```xml - -``` - -Gradle also accepts the long key ID (`FD116C1969FCCFF3`), but pinning the full fingerprint is recommended. - -### Key Rotation - -If the signing key is ever rotated or revoked, this document will be updated in the `master` branch with the new fingerprint, and the change will be visible in the file's commit history. Always check this file directly in the repository for the current authoritative value before trusting any third-party copy of the fingerprint. \ No newline at end of file diff --git a/docs/SECURITY.md b/docs/SECURITY.md index 5af9a566b..3a1e60ebe 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md 
@@ -3,3 +3,58 @@ ## Reporting a Vulnerability Please follow the instructions in the ["How are vulnerabilities and exploits handled?"](https://github.com/stleary/JSON-java/wiki/FAQ#how-are-vulnerabilities-and-exploits-handled) section in the FAQ. + +## Verifying Release Signatures + +All releases of `org.json:json` published to Maven Central are signed with PGP. The fingerprint, keyserver location, and verification procedure below let you confirm that the artifacts you've downloaded were produced by this project and have not been modified in transit. + +### Signing Key + +| | | +| --- | --- | +| **Fingerprint** | `FB35 C8D0 2B47 24DA DA23 DE0A FD11 6C19 69FC CFF3` | +| **Long key ID** | `FD116C1969FCCFF3` | +| **Keyserver** | `hkps://keyserver.ubuntu.com` | + +The full 40-character fingerprint above is the canonical identifier for the key. Always pin or compare against the full fingerprint rather than the long or short key ID. + +### Importing the Key + +```bash +gpg --keyserver hkps://keyserver.ubuntu.com \ + --recv-keys FB35C8D02B4724DADA23DE0AFD116C1969FCCFF3 +``` + +After importing, confirm the fingerprint matches what's published here: + +```bash +gpg --fingerprint FB35C8D02B4724DADA23DE0AFD116C1969FCCFF3 +``` + +### Verifying an Artifact + +Download both the artifact and its detached signature from Maven Central. For example, for version `20251224`: + +```bash +curl -O https://repo1.maven.org/maven2/org/json/json/20251224/json-20251224.jar +curl -O https://repo1.maven.org/maven2/org/json/json/20251224/json-20251224.jar.asc +gpg --verify json-20251224.jar.asc json-20251224.jar +``` + +A successful verification will report `Good signature from ...` and display the same fingerprint shown above. If GPG reports `BAD signature`, a mismatched fingerprint, or `No public key`, do not use the artifact and please open an issue. + +The same procedure applies to the `.pom` and any other signed sidecars in the release directory; substitute the filename you want to verify. 
+ +### Gradle Dependency Verification + +If you are using Gradle's [dependency verification](https://docs.gradle.org/current/userguide/dependency_verification.html) feature, add an entry like the following to `gradle/verification-metadata.xml`: + +```xml + +``` + +Gradle also accepts the long key ID (`FD116C1969FCCFF3`), but pinning the full fingerprint is recommended. + +### Key Rotation + +If the signing key is ever rotated or revoked, this document will be updated in the `master` branch with the new fingerprint, and the change will be visible in the file's commit history. Always check this file directly in the repository for the current authoritative value before trusting any third-party copy of the fingerprint. \ No newline at end of file diff --git a/pom.xml b/pom.xml index 4318398e0..3f15d6896 100644 --- a/pom.xml +++ b/pom.xml @@ -198,6 +198,15 @@ maven-jar-plugin 3.3.0 + + org.sonatype.central + central-publishing-maven-plugin + 0.9.0 + true + + central + + diff --git a/src/main/java/org/json/JSONObject.java b/src/main/java/org/json/JSONObject.java index 6b087eaba..a4f1e7c85 100644 --- a/src/main/java/org/json/JSONObject.java +++ b/src/main/java/org/json/JSONObject.java @@ -3333,6 +3333,7 @@ private Type[] getMapTypes(Type type) { * no-argument constructor, and the field names in the class must match the keys * in the JSON string. * + * @param the type of the object to return * @param jsonString json in string format * @param clazz the class of the object to be returned * @return an instance of Object T with fields populated from the JSON string 
@@ -3474,7 +3475,12 @@ else if (!rawType.isPrimitive() && !rawType.isEnum() && value instanceof JSONObj /** * Converts a String to an Enum value. + * The unchecked warning is suppressed when casting valueOf() to E + * @param enumClass enum class + * @param value value of enum + * @param type of enum */ + @SuppressWarnings("unchecked") private E stringToEnum(Class enumClass, String value) throws JSONException { try { @SuppressWarnings("unchecked")
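Review bot: in the README.md hunk, the added sentence `The signing keys can be found in [SECURITY.md](https://github.com/stleary/JSON-java/blob/master/docs/SECURITY.md)` has no terminating period, and it links to an absolute `master`-branch URL; a relative link such as `[docs/SECURITY.md](docs/SECURITY.md)` would stay correct when the README is read from a tag, a fork or a future default-branch rename, and the link text would then also match the file's real path.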
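Review bot: the deletion of the root `SECURITY.md` is recorded as a plain delete (`delete mode 100644 SECURITY.md`) even though the blob id `3a1e60ebe` on the deleted side is the same blob that `docs/SECURITY.md` now points at, i.e. the content moved verbatim; the commit message should say "moved to docs/" rather than "cleanup" so the history is not misread as dropping the security policy. Functionally the move is safe for GitHub's security-policy tab, since `docs/` is one of the locations GitHub scans for `SECURITY.md` alongside the root and `.github/`.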
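Review bot: in the docs/SECURITY.md hunk the `xml` fence under "Gradle Dependency Verification" is empty as rendered here, so confirm the `trusted-key` entry carrying the full fingerprint `FB35C8D02B4724DADA23DE0AFD116C1969FCCFF3` actually landed in the file; an empty example would leave readers without the one line the section exists to provide. Two smaller points in the same hunk: "Verifying an Artifact" says success shows `Good signature from ...`, but a key that was just imported with `--recv-keys` is not in the reader's web of trust, so gpg will also print `WARNING: This key is not certified with a trusted signature!`; say that this warning is expected and that comparing the printed fingerprint against the table is the actual check, otherwise readers may treat a correct result as a failure. Also, the file ends with `\ No newline at end of file`; add the trailing newline.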
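Review bot: in the pom.xml hunk the element names inside the new `central-publishing-maven-plugin` entry are not visible in this rendering, so confirm that `true` is `<extensions>true</extensions>` (which the plugin needs in order to bind its publish goal) and not `<autoPublish>true</autoPublish>`, which would release artifacts to Maven Central without the portal's manual release step, and that `central` is a `publishingServerId` resolved from a `<server>` entry in the publisher's `settings.xml` or CI secrets rather than anything committed to the repository. Since the same patch documents PGP-signed releases under key `FD116C1969FCCFF3`, it is also worth checking that the gpg signing plugin is configured elsewhere in the pom or in a release profile, because this hunk adds publishing but no signing step and the new deployment path must produce the `.asc` files the security policy tells users to verify.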
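Review bot: the added Javadoc line `@param the type of the object to return` in the first JSONObject.java hunk has no parameter name after `@param`; for a method type parameter it must read `@param <T> the type of the object to return`, angle brackets included, or javadoc/doclint reports an error in place of the warning this change is meant to remove. If the `<T>` was present and only lost in this rendering, disregard.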
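Review bot: in the `stringToEnum` hunk, adding `@SuppressWarnings("unchecked")` at method level makes the existing `@SuppressWarnings("unchecked")` inside the `try` block (still visible as unchanged context) redundant; keep only one, preferably the narrower inner one on the cast, so that any other unchecked operation added to the method later is still flagged. The Javadoc line `@param type of enum` has the same missing-name problem as the other hunk and should read `@param <E> type of enum`, and the sentence `The unchecked warning is suppressed when casting valueOf() to E` belongs as a comment beside the cast rather than in the public description of the method.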