Viewing a PGP signature on a Maven artifact

8
votes

I'd like to manually verify the PGP signature on a Maven artifact from Central, but I don't know where to start.

I see on Apache's Guide to uploading artifacts to the Central Repository that it says "we require you to provide PGP signatures for all your artifacts".

And I've seen that Sonatype's Nexus Pro software mentions verifying signatures in a blog post on Nexus Pro features

But I can't find any information on how to get the signatures manually. I'm familiar enough with GPG to perform the actual verification. How do I get a .asc file for an artifact in Central?

2
mavenpgpgnupg
Related Stackoverflow question and answer. - Flow

2 Answers

8
votes

If you want to check all pgp signatures of your project dependency automatically, you can try execute:

mvn org.simplify4u.plugins:pgpverify-maven-plugin:check

This plugin downloads all signature (.asc) files and needed pgp key to do signature check.

There is another goal show in pgpverify-maven-plugin, so if you want only see signature you can execute:

mvn org.simplify4u.plugins:pgpverify-maven-plugin:show -Dartifact=junit:junit:4.12

More info about this plugin you can find on site: https://www.simplify4u.org/pgpverify-maven-plugin/

5
votes

You can simple download those artifacts (.asc) files and manually check the signature. Maven Central is accessible via http like this:

http://search.maven.org/remotecontent?filepath=com/soebes/smpp/smpp/0.4/smpp-0.4.pom.asc