It was a pain in the ass but I always appreciated that Maven central required packages to be signed with a public key pre-associated with the package name.