The security of the package system relies on securing ZK. It is much easier for users to secure the file system than to secure ZK.
We provide an option to read public keys from the file store.
- Have a special directory called trusted. Direct writes to that directory over HTTP are forbidden.
- The CLI writes the keys directly to the <SOLR_HOME>/filestore/trusted/keys/ directory. Other nodes are asked to fetch the public key files from that node.
- Package artifacts will continue to be uploaded over HTTP.
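
One way the "no direct writes to trusted over HTTP" rule could be enforced on the upload path, shown as an added example that is not Solr's own code. The class name `TrustedDirGuard`, the method `httpWriteAllowed`, the sample root `/var/solr/filestore` and the request paths are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical guard for the HTTP upload path; illustrative only, not Solr's code.
public class TrustedDirGuard {
    // Directory name taken from the proposal above.
    private static final String TRUSTED = "trusted";

    // Returns true only if an HTTP upload to requestedPath (relative to the
    // file store root) stays inside the file store and outside trusted/.
    static boolean httpWriteAllowed(Path fileStoreRoot, String requestedPath) {
        Path root = fileStoreRoot.toAbsolutePath().normalize();
        // Drop leading separators so the request can never be treated as absolute.
        String rel = requestedPath.replaceAll("^[/\\\\]+", "");
        // Normalize before checking so "../" segments cannot hide the real target.
        Path target = root.resolve(rel).normalize();
        if (!target.startsWith(root) || target.equals(root)) {
            return false; // escaped the file store, or names the root itself
        }
        String top = root.relativize(target).getName(0).toString();
        // Case-insensitive match covers file systems that fold case.
        return !top.equalsIgnoreCase(TRUSTED);
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/solr/filestore"); // constructed sample root
        String[] samples = {                           // constructed request paths
            "mypkg/1.0/plugin.jar",
            "trusted/keys/pub.der",
            "/trusted/keys/pub.der",
            "mypkg/../trusted/keys/pub.der",
            "Trusted/keys/pub.der",
            "../../etc/passwd",
        };
        for (String s : samples) {
            System.out.printf("%-32s %s%n", s, httpWriteAllowed(root, s) ? "ALLOW" : "DENY");
        }
    }
}
```

The check is lexical and does not resolve symbolic links, so a deployment that permits symlinks inside the file store would also need to compare `toRealPath()` results.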