{"id":23521244,"url":"https://github.com/leplusorg/docker-pgp-verify-jar","last_synced_at":"2025-04-19T19:43:01.560Z","repository":{"id":39849302,"uuid":"332640967","full_name":"leplusorg/docker-pgp-verify-jar","owner":"leplusorg","description":"Docker container to verify jars PGP signatures.","archived":false,"fork":false,"pushed_at":"2024-12-18T17:42:00.000Z","size":381,"stargazers_count":6,"open_issues_count":0,"forks_count":4,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-12-18T18:37:46.466Z","etag":null,"topics":["digital-signature","docker","docker-image","ed25519","gnupg","gpg","gpg-signature","jar","java","maven-repository","pgp","pgp-keyserver","pgp-signature"],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/leplusorg/pgp-verify-jar","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/leplusorg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-25T05:31:31.000Z","updated_at":"2024-12-18T17:41:58.000Z","dependencies_parsed_at":"2023-12-08T19:27:07.985Z","dependency_job_id":"33f6026f-6125-43a6-8a69-41ee857c9ebf","html_url":"https://github.com/leplusorg/docker-pgp-verify-jar","commit_stats":{"total_commits":78,"total_committers":4,"mean_commits":19.5,"dds":0.2948717948717948,"last_synced_commit":"2325e2ef39922f608c875c2e0f756b5f97289721"},"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/leplusorg%2Fdocker-pgp-verify-jar","tags_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/leplusorg%2Fdocker-pgp-verify-jar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/leplusorg%2Fdocker-pgp-verify-jar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/leplusorg%2Fdocker-pgp-verify-jar/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/leplusorg","download_url":"https://codeload.github.com/leplusorg/docker-pgp-verify-jar/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":231260790,"owners_count":18349461,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["digital-signature","docker","docker-image","ed25519","gnupg","gpg","gpg-signature","jar","java","maven-repository","pgp","pgp-keyserver","pgp-signature"],"created_at":"2024-12-25T17:11:29.062Z","updated_at":"2025-04-19T19:43:01.553Z","avatar_url":"https://github.com/leplusorg.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PGP Verify Jar\n\nDocker container to verify jar files PGP signatures.\n\n[![Dockerfile](https://img.shields.io/badge/GitHub-Dockerfile-blue)](pgp-verify-jar/Dockerfile)\n[![ShellCheck](https://github.com/leplusorg/docker-pgp-verify-jar/workflows/ShellCheck/badge.svg)](https://github.com/leplusorg/docker-pgp-verify-jar/actions?query=workflow:\"ShellCheck\")\n[![Docker Build](https://github.com/leplusorg/docker-pgp-verify-jar/workflows/Docker/badge.svg)](https://github.com/leplusorg/docker-pgp-verify-jar/actions?query=workflow:\"Docker\")\n[![Docker 
Stars](https://img.shields.io/docker/stars/leplusorg/pgp-verify-jar)](https://hub.docker.com/r/leplusorg/pgp-verify-jar)\n[![Docker Pulls](https://img.shields.io/docker/pulls/leplusorg/pgp-verify-jar)](https://hub.docker.com/r/leplusorg/pgp-verify-jar)\n[![Docker Version](https://img.shields.io/docker/v/leplusorg/pgp-verify-jar?sort=semver)](https://hub.docker.com/r/leplusorg/pgp-verify-jar)\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/10079/badge)](https://bestpractices.coreinfrastructure.org/projects/10079)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/leplusorg/docker-pgp-verify-jar/badge)](https://securityscorecards.dev/viewer/?uri=github.com/leplusorg/docker-pgp-verify-jar)\n\n## Goal and limitations\n\nThe goal of this docker container image is to provide an easy way to\nverify jar file signatures. Currently it can only verify files that\nit downloads from a Maven repository that doesn't require\nauthentication and that use a certificate issued by a trusted public\nCA.\n\nThis image has the benefit of being platform-agnostic and it\ndoesn't rely on Maven or Java. But if your goal is to validate\nsignatures for your project dependencies at build time and/or runtime,\nthere are Maven plugins (e.g.\n[Verify PGP signatures](https://www.simplify4u.org/pgpverify-maven-plugin/)).\nGradle even has this feature\n[out-of-the-box](https://docs.gradle.org/current/userguide/dependency_verification.html).\n\n## Examples\n\nAssuming that you want to see the signature of two jar files:\n\n```bash\ndocker run --rm leplusorg/pgp-verify-jar org.leplus:ristretto:2.0.0 junit:junit:4.13.1\n```\n\nYou can also use the `ARTIFACTS` environment\nvariable to pass the list of artifacts to verify (comma-separated if\nmultiple):\n\n```bash\ndocker run --rm -e ARTIFACTS=org.leplus:ristretto:2.0.0,junit:junit:4.13.1 leplusorg/pgp-verify-jar\n```\n\nYou can also use the `KEYSERVER` environment\nvariable to choose a different keyserver (default is keyserver.ubuntu.com):\n\n```bash\ndocker run --rm -e KEYSERVER=pgp.mit.edu leplusorg/pgp-verify-jar org.leplus:ristretto:2.0.0 junit:junit:4.13.1\n```\n\nAlternatively you can use the `--keyserver` option to achieve the same\nresult:\n\n```bash\ndocker run --rm leplusorg/pgp-verify-jar --keyserver=pgp.mit.edu org.leplus:ristretto:2.0.0 junit:junit:4.13.1\n```\n\n\u003e [!WARNING]\n\u003e Note that this will show you the jar file signature information but if\n\u003e you use a public keyserver, it doesn't provide any guarantee since\n\u003e anybody can upload a key to a public keyserver and claim that it is\n\u003e owned by anyone (neither the name nor the email address associated\n\u003e with the key are verified).\n\nThere are several solutions to this issue. If you have access to\na private keyserver hosting only trusted keys, you can simply use the\n`KEYSERVER` environment variable or the `--keyserver` option described\nabove.\n\nOtherwise, you can use the `ONLINE_KEYS` environment variable to restrict the\nkeys to be trusted from the server (private or public). `ONLINE_KEYS`\nshould contain a comma-separated list of public key IDs:\n\n```bash\ndocker run --rm -e ONLINE_KEYS=6B1B9BE54C155617,85911F425EC61B51 leplusorg/pgp-verify-jar org.leplus:ristretto:2.0.0 junit:junit:4.13.1\n```\n\nAlternatively you can use the `--online-keys` option to achieve the\nsame result:\n\n```bash\ndocker run --rm leplusorg/pgp-verify-jar --online-keys=6B1B9BE54C155617,85911F425EC61B51 org.leplus:ristretto:2.0.0 junit:junit:4.13.1\n```\n\nIf the keys downloaded from the server are themselves signed by\nother keys, you can import these key-signing keys first using the\n`BOOTSTRAP_ONLINE_KEYS` environment variable or the\n`--bootstrap-online-keys` option (again a comma-separated list of\npublic key IDs in both cases).\n\nOtherwise you will see the following warning from `gpg`:\n`gpg: WARNING: This key is not certified with a trusted signature!`\n\nFinally, if you prefer to verify signatures entirely offline, you can\nmount a local GnuPG folder of your choice into the docker container\nand set the `VERIFICATION_MODE` environment variable to `offline`\n(default value is `online`):\n\n```bash\ndocker run --rm -e VERIFICATION_MODE=offline -v \"/path/to/.gnupg:/home/default/.gnupg\" leplusorg/pgp-verify-jar org.leplus:ristretto:2.0.0 junit:junit:4.13.1\n```\n\nAlternatively you can use the `--verification-mode` option to achieve\nthe same result:\n\n```bash\ndocker run --rm -v \"/path/to/.gnupg:/home/default/.gnupg\" leplusorg/pgp-verify-jar --verification-mode=offline org.leplus:ristretto:2.0.0 junit:junit:4.13.1\n```\n\nIn `offline` mode, all the keys present in the keyring can be used to\ncheck the signatures. The keys cannot be restricted as with the\n`ONLINE_KEYS` environment variable or the `--online-keys` option. But\nthe key ID used to verify each signature will be displayed in the\noutput so you can review them if needed. Or you can pass a keyring\ncontaining only the acceptable keys.\n\nIn `offline` mode, you are also responsible for putting in the keyring\nany key-signing key if needed.\n\n## Software Bill of Materials (SBOM)\n\nTo get the SBOM for the latest image (in SPDX JSON format), use the\nfollowing command:\n\n```bash\ndocker buildx imagetools inspect leplusorg/pgp-verify-jar --format '{{ json (index .SBOM \"linux/amd64\").SPDX }}'\n```\n\nReplace `linux/amd64` with the desired platform (`linux/amd64`, `linux/arm64` etc.).\n\n### Sigstore\n\n[Sigstore](https://docs.sigstore.dev) is trying to improve supply\nchain security by allowing you to verify the origin of an\nartifact. You can verify that the jar that you use was actually\nproduced by this repository. This means that if you verify the\nsignature of the ristretto jar, you can trust the integrity of the\nwhole supply chain from source code, to CI/CD build, to distribution\non Maven Central or wherever you got the jar from.\n\nYou can use the following command to verify the latest image using its\nsigstore signature attestation:\n\n```bash\ncosign verify leplusorg/pgp-verify-jar --certificate-identity-regexp 'https://github\\.com/leplusorg/docker-pgp-verify-jar/\\.github/workflows/.+' --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'\n```\n\nThe output should look something like this:\n\n```text\nVerification for index.docker.io/leplusorg/xml:main --\nThe following checks were performed on each of these signatures:\n  - The cosign claims were validated\n  - Existence of the claims in the transparency log was verified offline\n  - The code-signing certificate was verified using trusted certificate authority certificates\n\n[{\"critical\":...\n```\n\nFor instructions on how to install `cosign`, please read this 
[documentation](https://docs.sigstore.dev/cosign/system_config/installation/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fleplusorg%2Fdocker-pgp-verify-jar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fleplusorg%2Fdocker-pgp-verify-jar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fleplusorg%2Fdocker-pgp-verify-jar/lists"}