Viewing a PGP signature on a Maven artifact

Tags: maven, gnupg, pgp

I'd like to manually verify the PGP signature on a Maven artifact from Central, but I don't know where to start.

I see on Apache's Guide to uploading artifacts to the Central Repository that it says "we require you to provide PGP signatures for all your artifacts".

And I've seen that Sonatype's Nexus Pro software mentions verifying signatures in a blog post on Nexus Pro features.

But I can't find any information on how to get the signatures manually. I'm familiar enough with GPG to perform the actual verification. How do I get a .asc file for an artifact in Central?

Nathaniel Waisbrot Avatar asked May 29 '12 18:05

Nathaniel Waisbrot


2 Answers

If you want to check all PGP signatures of your project's dependencies automatically, you can try executing:

mvn org.simplify4u.plugins:pgpverify-maven-plugin:check

This plugin downloads all signature (.asc) files and the PGP keys needed to do the signature check.

There is another goal, show, in pgpverify-maven-plugin, so if you only want to see the signature you can execute:

mvn org.simplify4u.plugins:pgpverify-maven-plugin:show -Dartifact=junit:junit:4.12

More info about this plugin can be found on the site: https://www.simplify4u.org/pgpverify-maven-plugin/

Slawomir Jaranowski Avatar answered Nov 20 '22 03:11

Slawomir Jaranowski


You can simply download those artifact (.asc) files and manually check the signature. Maven Central is accessible via HTTP like this:

http://search.maven.org/remotecontent?filepath=com/soebes/smpp/smpp/0.4/smpp-0.4.pom.asc
khmarbaise Avatar answered Nov 20 '22 01:11

khmarbaise
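The manual route khmarbaise describes, carried through end to end as an added example (this script is not from the question or either answer): it builds the Central download URL for a groupId:artifactId:version coordinate, fetches the file and its detached .asc signature, fetches the key the signature was made with, and runs gpg --verify. It assumes curl and gpg are installed, the standard Central layout under https://repo1.maven.org/maven2/ (group dots become path segments, then artifact/version/artifact-version.ext, the same path shape as the search.maven.org URL in the answer), and a keyserver at hkps://keyserver.ubuntu.com; the sample coordinates junit:junit:4.12 and com.soebes.smpp:smpp:0.4 come from the answers above.

```shell
#!/bin/sh
# Added example, not from the question or answers. Assumes curl, gpg, the
# repo1.maven.org/maven2 layout and keyserver.ubuntu.com (all assumptions).

# Build the Central URL for groupId artifactId version extension.
# Example: central_url junit junit 4.12 jar
central_url() {
    group_path=$(printf '%s' "$1" | tr '.' '/')
    printf 'https://repo1.maven.org/maven2/%s/%s/%s/%s-%s.%s\n' \
        "$group_path" "$2" "$3" "$2" "$3" "$4"
}

# Read the long key ID from the signature packet without verifying anything.
# gpg --list-packets prints ":signature packet: ... keyid <16 hex digits>".
signature_keyid() {
    gpg --list-packets "$1" 2>/dev/null \
        | sed -n 's/.*keyid \([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Download artifact + .asc, fetch the signing key, verify.
verify_central_artifact() {
    group=$1; artifact=$2; version=$3; ext=${4:-jar}
    file="$artifact-$version.$ext"
    curl -fsSL -o "$file" "$(central_url "$group" "$artifact" "$version" "$ext")"
    curl -fsSL -o "$file.asc" "$(central_url "$group" "$artifact" "$version" "$ext.asc")"
    keyid=$(signature_keyid "$file.asc")
    [ -n "$keyid" ] || { echo "no signature packet found in $file.asc" >&2; return 1; }
    gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "$keyid"
    # "Good signature" proves only that the file matches this key. gpg exits 0
    # even for a key nobody has certified, so compare the fingerprint it prints
    # with the one the project publishes (e.g. its KEYS file) before trusting it.
    gpg --verify "$file.asc" "$file"
}

# Only act when called with coordinates: sh verify.sh junit junit 4.12 jar
if [ "$#" -ge 3 ]; then
    verify_central_artifact "$@"
fi
```

Invoke it as `sh verify.sh junit junit 4.12 jar` (or `... 0.4 pom` for the POM of the answer's example). Two points matter for the security outcome: the key is looked up by the ID embedded in the signature, so an attacker who controls both the artifact and the .asc can point you at their own key, which is why the fingerprint that gpg prints must be checked against a source independent of Central; and the detached signature only covers the bytes of that one file, so each .jar and .pom needs its own verification.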