Docker container to verify jars PGP signatures.
Assuming that you want to see the signature of a jar with coordinates 'org.leplus:ristretto:1.0.0':
docker run --rm leplusorg/pgp-verify-jar org.leplus:ristretto:1.0.0You can put several sets in coordinates in arguments to verify
multiple artifacts. You can also use the KEYSERVER environment
variable to choose a different keyserver (default is keyserver.ubuntu.com):
docker run --rm -e KEYSERVER=pgp.mit.edu leplusorg/pgp-verify-jar org.leplus:ristretto:1.0.0Alternatively you can use the --keyserver option to achieve the same
result:
docker run --rm leplusorg/pgp-verify-jar --keyserver=pgp.mit.edu org.leplus:ristretto:1.0.0Note that this will show you the jar's signature information but if you use a public keyserver, it doesn't provide any guarantee since anybody can upload a key to a public keyserver and claim that it is owned by anyone (neither the name nor the email address associated with the key are verified).
There are several solutions to this issue. If you have access to
private keyserver hosting only trusted keys, you can simply use the
KEYSERVER environment variable or the --keyserver option described
above.
Otherwise, you can use the ONLINE_KEYS environment variable to restrict the
keys to be trusted from the server (private or public). ONLINE_KEYS
should contain a coma-separated list of public key IDs:
docker run --rm -e ONLINE_KEYS=6B1B9BE54C155617,85911F425EC61B51 leplusorg/pgp-verify-jar org.leplus:ristretto:1.0.0 junit:junit:4.13.1Alternatively you can use the --online-keys option to achieve the
same result:
docker run --rm leplusorg/pgp-verify-jar --online-keys=6B1B9BE54C155617,85911F425EC61B51 org.leplus:ristretto:1.0.0 junit:junit:4.13.1If the keys downloaded from the server are themselves signed by
other keys, you can import these key-signing keys first using the
BOOTSTRAP_ONLINE_KEYS environment variable or the
--bootstrap-online-keys option (again a coma-separated list of
public key IDs in both cases).
Otherwise you will see the following warning from gpg:
gpg: WARNING: This key is not certified with a trusted signature!
Finally, if you prefer to verify signatures entirely offline, you can
mount a local GnuPG folder of your choice into the docker container
and setting the VERIFICATION_MODE environment variable to offline
(default value is online):
docker run --rm -e VERIFICATION_MODE=offline -v "/path/to/.gnupg:/root/.gnupg" leplusorg/pgp-verify-jar org.leplus:ristretto:1.0.0Alternatively you can use the --verification-mode option to achieve
the same result:
docker run --rm -v "/path/to/.gnupg:/root/.gnupg" leplusorg/pgp-verify-jar --verification-mode=offline org.leplus:ristretto:1.0.0In offline mode, all the keys present in the keyring can be used to
check the signatures. The keys cannot be restricted as with the
ONLINE_KEYS environment variable or the --online-keys option. But
the key ID used to verify each signature will be displayed in the
output so you can review them if needed. Or you can pass a keyring
containing only the acceptable keys.
In offline mode, you are also responsible for putting in the keyring
any key-signing key if needed.