PUBLIC OBJECT

How to Manually Check a Maven Signature

Gradle has powerful features to check signatures of downloaded artifacts. If you want to check that things are signed right, that’s the best place to start.

But if you wanna verify an artifact’s signature manually, here’s how...

Find the signer’s key

There’s a bunch of key servers to look through. Square’s is on the Ubuntu Key Server. Searching that site for squareup.com is practically an employee directory; our open source key is this one.

Note that these keys aren’t verified. Anyone can upload a key with any email address. You need to use a side channel like a web page or email to verify the key you’re looking at is the right one!

Install the signer’s key

Let’s install the key for opensource@squareup.com:

curl \
  'https://keyserver.ubuntu.com/pks/lookup?op=hget&search=a79b48fd6a1f31699c788b50c97d0b98' \
  --output opensource@squareup.com.key

gpg --import opensource@squareup.com.key

We can see it in our GPG database:

gpg --list-keys
    /Users/jwilson/.gnupg/pubring.kbx
    ---------------------------------
    pub   rsa4096 2021-07-09 [SC] [expires: 2041-07-04]
          DBD744ACE7ADE6AA50DD591F66B50994442D2D40
    uid           [ unknown] Square Clippy <opensource@squareup.com>

Optional: Trust the signer’s key

If we don’t trust the key, we’ll see this warning later when we verify:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

We should only trust the key once we’re sure we have the right one, confirmed through a side channel as described above.

gpg --edit-key opensource@squareup.com
  ...
  gpg> trust
  ...
  Your decision? 5
  ...
  Do you really want to set this key to ultimate trust? (y/N) y
  ...
  gpg> q

Verify Signatures

This verifies the signature for okhttp-5.0.0-alpha.5.jar. Every published artifact has a companion .asc file, so the same steps verify any other artifact.

curl \
  'https://repo1.maven.org/maven2/com/squareup/okhttp3/okhttp/5.0.0-alpha.5/okhttp-5.0.0-alpha.5.jar' \
  --output okhttp-5.0.0-alpha.5.jar
curl \
  'https://repo1.maven.org/maven2/com/squareup/okhttp3/okhttp/5.0.0-alpha.5/okhttp-5.0.0-alpha.5.jar.asc' \
  --output okhttp-5.0.0-alpha.5.jar.asc
gpg --verify okhttp-5.0.0-alpha.5.jar.asc
    gpg: assuming signed data in 'okhttp-5.0.0-alpha.5.jar'
    gpg: Signature made Mon 21 Feb 09:52:50 2022 EST
    gpg:                using RSA key 66B50994442D2D40
    gpg: checking the trustdb
    gpg: marginals needed: 3  completes needed: 1  trust model: pgp
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    gpg: next trustdb check due at 2041-07-04
    gpg: Good signature from "Square Clippy <opensource@squareup.com>" [ultimate]
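Reading "Good signature" by eye only proves that some key in your keyring made the signature. Here is an added shell script (not from the post) that scripts the same download-and-verify steps and additionally requires gpg's machine-readable VALIDSIG status line to name the expected fingerprint. It assumes gpg and curl are installed and the key was imported as above.

```shell
#!/bin/sh
# Added example (not from the post): verify a Maven artifact's detached .asc
# signature and insist that the signer is a specific key fingerprint. A bare
# "Good signature" only proves *some* imported key signed it, so we read gpg's
# machine-readable --status-fd output and compare the VALIDSIG fingerprint.
set -eu

# Expected signer: the Square open source key shown by `gpg --list-keys` in the post.
EXPECTED_FPR='DBD744ACE7ADE6AA50DD591F66B50994442D2D40'

# Reads gpg --status-fd lines on stdin; succeeds only if a VALIDSIG line names $1.
# VALIDSIG fields: [GNUPG:] VALIDSIG <signing-key-fpr> <date> <ts> <expire-ts>
#   <sig-version> <reserved> <pubkey-algo> <hash-algo> <sig-class> <primary-key-fpr>
# The signing key may be a subkey, so a match on either fingerprint is accepted.
check_validsig() {
  awk -v want="$1" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
    END { exit(found ? 0 : 1) }
  '
}

# Verify <artifact> against <artifact>.asc; fails unless the expected key signed it.
verify_artifact() {
  artifact="$1"
  gpg --batch --status-fd 1 --verify "$artifact.asc" "$artifact" 2>/dev/null \
    | check_validsig "$EXPECTED_FPR"
}

# Download the okhttp artifact from the post together with its signature, then verify.
fetch_and_verify() {
  base='https://repo1.maven.org/maven2/com/squareup/okhttp3/okhttp/5.0.0-alpha.5'
  jar='okhttp-5.0.0-alpha.5.jar'
  curl -fsS "$base/$jar" --output "$jar"
  curl -fsS "$base/$jar.asc" --output "$jar.asc"
  if verify_artifact "$jar"; then
    echo "OK: $jar signed by $EXPECTED_FPR"
  else
    echo "FAIL: $jar not signed by the expected key; do not use it" >&2
    return 1
  fi
}

# Only download when invoked with --fetch, so the functions can also be sourced.
if [ "${1:-}" = "--fetch" ]; then
  fetch_and_verify
fi
```

Run it as `sh verify-okhttp.sh --fetch`; a signature from any other key, or gpg output with no VALIDSIG line at all, makes the script exit non-zero.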

As an open source author I’ve done so much work to create signatures; it feels like a nice little payoff to actually verify one.