8

I'd like to manually verify the PGP signature on a Maven artifact from Central, but I don't know where to start.

I see on Apache's Guide to uploading artifacts to the Central Repository that it says "we require you to provide PGP signatures for all your artifacts".

And I've seen that Sonatype's Nexus Pro software mentions verifying signatures in a blog post on Nexus Pro features

But I can't find any information on how to get the signatures manually. I'm familiar enough with GPG to perform the actual verification. How do I get a .asc file for an artifact in Central?

Nathaniel Waisbrot
  • 23,261
  • 7
  • 71
  • 99
  • 1
    Related Stackoverflow [question](https://stackoverflow.com/q/3307146/194894) and [answer](https://stackoverflow.com/a/34795359/194894). – Flow Apr 01 '18 at 10:18

2 Answers2

8

If you want to check all pgp signatures of your project dependency automatically, you can try execute:

mvn org.simplify4u.plugins:pgpverify-maven-plugin:check

This plugin downloads all signature (.asc) files and needed pgp key to do signature check.

There is another goal show in pgpverify-maven-plugin, so if you want only see signature you can execute:

mvn org.simplify4u.plugins:pgpverify-maven-plugin:show -Dartifact=junit:junit:4.12

More info about this plugin you can find on site: https://www.simplify4u.org/pgpverify-maven-plugin/

Slawomir Jaranowski
  • 7,381
  • 3
  • 25
  • 33
5

You can simple download those artifacts (.asc) files and manually check the signature. Maven Central is accessible via http like this:

http://search.maven.org/remotecontent?filepath=com/soebes/smpp/smpp/0.4/smpp-0.4.pom.asc
khmarbaise
  • 92,914
  • 28
  • 189
  • 235
  • 1
    OK, unpacking your answer a bit: For a dependency of ` x.y.z foo 1.0 ` The URL for the signature of the JAR artifact would be `http://search.maven.org/remotecontent?filepath=x/y/z/foo/1.0/foo-1.0.jar.asc` Great! I had been looking under http://mvnrepository.com and not finding any signatures. – Nathaniel Waisbrot May 31 '12 at 16:56