
Only export public key of default keypair #1707


@kwin (Contributor) commented Nov 21, 2022

This closes #1706

@kwin kwin force-pushed the bugfix/export-only-relevant-public-key branch from 1b7870f to 161e517 Compare November 21, 2022 17:54
github-actions bot commented Nov 21, 2022

Test Results

| 299 tests ±0 | 295 ✔️ ±0 | 52m 36s ⏱️ - 1m 18s |
|---|---|---|
| 169 suites ±0 | 4 💤 ±0 | |
| 169 files ±0 | 0 ±0 | |

Results for commit 516a0c6. ± Comparison against base commit 80983d5.

♻️ This comment has been updated with latest results.

@kwin kwin force-pushed the bugfix/export-only-relevant-public-key branch from 161e517 to 516a0c6 Compare November 21, 2022 18:05
@mickaelistria mickaelistria merged commit 3c2c8ac into eclipse-tycho:master Nov 22, 2022
@laeubi (Member) commented Nov 22, 2022

It seems that I'm a bit late, but I'm not sure if the default key is always the right choice. Should it not be the one used to actually sign the artifacts? At least the standard pgp-maven-plugin allows specifying a different key as well...

@kwin (Contributor, Author) commented Nov 22, 2022

@laeubi The mechanism only kicks in as a fallback, i.e. if a dedicated key is used for signing, its public key is used (that already worked before).

@merks (Contributor) commented Nov 23, 2022

FYI, while working on the following I took the problem you reported into consideration:

#1720

In particular, the new logic ensures that we only add the key that is actually associated with the signature to the properties. So we don't actually need to know which key is the default. Furthermore, one thing I noticed while reconciling your changes with the changes I have underway is that the user can also specify `default-key BBF1E2D1` in their `~/.gnupg/gpg.conf` to change the default signing key, and this does not change the order in which the secret keys are listed. So the only way to be sure which key does the signing is to check the key ID on the signature. In any case, the #1720 changes will still work properly for your use case, and there are now tests to confirm that too.
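The check merks describes above, reading the issuer key ID out of the signature itself instead of trusting the order in which secret keys are listed, as an added example that is not Tycho's or this PR's own code: a minimal RFC 4880 signature-packet parser that picks the matching public key to publish. The packet bytes, the long key ID and the keyring dictionary are constructed for the example (only the short ID BBF1E2D1 comes from the thread), and only old-format packet headers are handled.

```python
SIG_TAG, SUBPKT_ISSUER, SUBPKT_ISSUER_FPR = 2, 16, 33   # RFC 4880 tag / subpacket types

def read_packet(buf: bytes):
    """Return (tag, body) of one old-format OpenPGP packet (RFC 4880 section 4.2.1)."""
    ctb = buf[0]
    if ctb & 0xC0 != 0x80:
        raise ValueError("only old-format packet headers are handled in this example")
    n = {0: 1, 1: 2, 2: 4}[ctb & 0x03]              # length-type -> octets of length field
    return (ctb >> 2) & 0x0F, buf[1 + n:1 + n + int.from_bytes(buf[1:1 + n], "big")]

def parse_subpackets(data: bytes):
    """Yield (type, body) for each signature subpacket (RFC 4880 section 5.2.3.1)."""
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
        yield data[i] & 0x7F, data[i + 1:i + length]  # bit 7 of the type is the "critical" flag
        i += length

def signing_key_id(sig_packet: bytes) -> str:
    """Return the 16-hex-digit long key ID that issued a v4 signature packet."""
    tag, body = read_packet(sig_packet)
    if tag != SIG_TAG or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    hashed_end = 6 + int.from_bytes(body[4:6], "big")
    unhashed_end = hashed_end + 2 + int.from_bytes(body[hashed_end:hashed_end + 2], "big")
    # Subpackets are self-delimiting, so both areas walk in one pass; the unhashed
    # area is not signed, so the issuer is a keyring lookup hint, not proof of signer.
    subs = dict(parse_subpackets(body[6:hashed_end] + body[hashed_end + 2:unhashed_end]))
    if SUBPKT_ISSUER_FPR in subs:                   # GnuPG >= 2.1 puts this in the hashed area
        return subs[SUBPKT_ISSUER_FPR][-8:].hex().upper()   # key ID = low 64 bits of v4 fpr
    if SUBPKT_ISSUER in subs:
        return subs[SUBPKT_ISSUER].hex().upper()
    raise ValueError("signature carries no issuer subpacket")

def key_to_export(sig_packet: bytes, public_keys: dict) -> bytes:
    """Select the public key to publish: the one matching the signature's issuer."""
    return public_keys[signing_key_id(sig_packet)]   # KeyError if the keyring lacks it

# Constructed sample: v4 RSA/SHA-256 signature, creation time in the hashed area and an
# Issuer subpacket (type 16) in the unhashed area as GnuPG emits; dummy MPI, will not verify.
SAMPLE_KEY_ID = bytes.fromhex("A1B2C3D4BBF1E2D1")      # made up; short ID is BBF1E2D1
SAMPLE_SIG = (bytes([0x88, 30, 4, 0x00, 1, 8, 0, 6, 5, 2]) + (1669050000).to_bytes(4, "big")
              + bytes([0, 10, 9, 16]) + SAMPLE_KEY_ID + bytes([0xDE, 0xAD, 0, 16, 0xAB, 0xCD]))
PUBLIC_KEYS = {"A1B2C3D4BBF1E2D1": b"constructed-key-block-for-signing-key",
               "0123456789ABCDEF": b"constructed-key-block-for-default-key"}
```

With a real keyring, `key_to_export` would be fed the detached `.asc` signature converted from ASCII armor to binary and the keys exported per long key ID.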

@laeubi laeubi added this to the 4.0 milestone Jun 24, 2023
Successfully merging this pull request may close these issues.

tycho-gpg:3.0.0:sign-p2-artifacts creates incorrect values for property pgp.publicKeys