Gradle has powerful features to check signatures of downloaded artifacts. If you want to check that things are signed right, that’s the best place to start.
But if you wanna verify an artifact’s signature manually, here’s how...
Find the signer’s key
Note that these keys aren’t verified. Anyone can upload a key with any email address. You need to use a side channel like a web page or email to verify the key you’re looking at is the right one!
Install the signer’s key
Let’s install the key for
curl \ 'https://keyserver.ubuntu.com/pks/lookup?op=hget&search=a79b48fd6a1f31699c788b50c97d0b98' \ --output firstname.lastname@example.org gpg --import email@example.com
We can see it in our GPG database:
gpg --list-keys /Users/jwilson/.gnupg/pubring.kbx --------------------------------- pub rsa4096 2021-07-09 [SC] [expires: 2041-07-04] DBD744ACE7ADE6AA50DD591F66B50994442D2D40 uid [ unknown] Square Clippy <firstname.lastname@example.org>
Optional: Trust the signer’s key
If we don’t trust the key, we’ll see this warning later when we verify:
gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
We should only trust the key once we’re sure we have the right one, using an appropriate side channel described above.
gpg --edit-key email@example.com ... gpg> trust ... Your decision? 5 ... Do you really want to set this key to ultimate trust? (y/N) y ... gpg> q
This verifies signatures for
okhttp-5.0.0-alpha.5.jar. You can use
.asc files to verify other published artifacts.
curl \ 'https://repo1.maven.org/maven2/com/squareup/okhttp3/okhttp/5.0.0-alpha.5/okhttp-5.0.0-alpha.5.jar' \ --output okhttp-5.0.0-alpha.5.jar curl \ 'https://repo1.maven.org/maven2/com/squareup/okhttp3/okhttp/5.0.0-alpha.5/okhttp-5.0.0-alpha.5.jar.asc' \ --output okhttp-5.0.0-alpha.5.jar.asc gpg --verify okhttp-5.0.0-alpha.5.jar.asc gpg: assuming signed data in 'okhttp-5.0.0-alpha.5.jar' gpg: Signature made Mon 21 Feb 09:52:50 2022 EST gpg: using RSA key 66B50994442D2D40 gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2041-07-04 gpg: Good signature from "Square Clippy <firstname.lastname@example.org>" [ultimate]
As an open source author I’ve done so much work to create signatures; it feels like a nice little payoff to actually verify one.