
leplusorg/docker-pgp-verify-jar

PGP Verify Jar

Docker container to verify jars PGP signatures.


Examples

Assuming that you want to see the signature of a jar with coordinates 'org.leplus:ristretto:1.0.0':

docker run --rm leplusorg/pgp-verify-jar org.leplus:ristretto:1.0.0

You can pass several sets of coordinates as arguments to verify multiple artifacts. You can also use the KEYSERVER environment variable to choose a different keyserver (default is keyserver.ubuntu.com):

docker run --rm -e KEYSERVER=pgp.mit.edu leplusorg/pgp-verify-jar org.leplus:ristretto:1.0.0

Alternatively you can use the --keyserver option to achieve the same result:

docker run --rm leplusorg/pgp-verify-jar --keyserver=pgp.mit.edu org.leplus:ristretto:1.0.0

Note that this will show you the jar's signature information, but if you use a public keyserver it provides no guarantee on its own: anybody can upload a key to a public keyserver and claim that it belongs to anyone (neither the name nor the email address associated with the key is verified).

There are several solutions to this issue. If you have access to a private keyserver hosting only trusted keys, you can simply use the KEYSERVER environment variable or the --keyserver option described above.

Otherwise, you can use the ONLINE_KEYS environment variable to restrict which keys fetched from the server (private or public) are trusted. ONLINE_KEYS should contain a comma-separated list of public key IDs:

docker run --rm -e ONLINE_KEYS=6B1B9BE54C155617,85911F425EC61B51 leplusorg/pgp-verify-jar org.leplus:ristretto:1.0.0 junit:junit:4.13.1

Alternatively you can use the --online-keys option to achieve the same result:

docker run --rm leplusorg/pgp-verify-jar --online-keys=6B1B9BE54C155617,85911F425EC61B51 org.leplus:ristretto:1.0.0 junit:junit:4.13.1

If the keys downloaded from the server are themselves signed by other keys, you can import these key-signing keys first using the BOOTSTRAP_ONLINE_KEYS environment variable or the --bootstrap-online-keys option (again a comma-separated list of public key IDs in both cases).

Otherwise you will see the following warning from gpg: gpg: WARNING: This key is not certified with a trusted signature!

Finally, if you prefer to verify signatures entirely offline, you can mount a local GnuPG folder of your choice into the docker container and set the VERIFICATION_MODE environment variable to offline (default value is online):

docker run --rm -e VERIFICATION_MODE=offline -v "/path/to/.gnupg:/root/.gnupg" leplusorg/pgp-verify-jar org.leplus:ristretto:1.0.0

Alternatively you can use the --verification-mode option to achieve the same result:

docker run --rm -v "/path/to/.gnupg:/root/.gnupg" leplusorg/pgp-verify-jar --verification-mode=offline org.leplus:ristretto:1.0.0

In offline mode, all the keys present in the keyring can be used to check the signatures; they cannot be restricted as with the ONLINE_KEYS environment variable or the --online-keys option. However, the key ID used to verify each signature is displayed in the output so you can review it if needed, or you can pass a keyring containing only the acceptable keys.

In offline mode, you are also responsible for putting in the keyring any key-signing key if needed.
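As an added example (not code from the image or from this repository), the following POSIX shell script shows what the ONLINE_KEYS-style restriction amounts to: deriving the jar and .asc URLs from Maven coordinates, then accepting a gpg verification result only when the key on its VALIDSIG line is on an allow-list of long key IDs. The gpg status lines and fingerprints are constructed samples, not real keys.

```sh
#!/bin/sh
# Added example, not code from the leplusorg/pgp-verify-jar image: the two steps
# of an online check (locating the artifact and its .asc on Maven Central, then
# allow-listing the signing key as ONLINE_KEYS does) written out in POSIX sh.

# Map Maven coordinates "group:artifact:version" to the jar and detached
# signature (.asc) URLs under the standard Maven Central repository layout.
coords_to_urls() {
  group=$(printf '%s' "$1" | cut -d: -f1 | tr . /)
  artifact=$(printf '%s' "$1" | cut -d: -f2)
  version=$(printf '%s' "$1" | cut -d: -f3)
  base="https://repo1.maven.org/maven2/$group/$artifact/$version/$artifact-$version.jar"
  printf '%s\n%s.asc\n' "$base" "$base"
}

# Decide whether a verification result is acceptable. $1 is the machine-readable
# output of `gpg --status-fd 1 --verify artifact.jar.asc artifact.jar`, $2 is a
# comma-separated list of long key IDs (the ONLINE_KEYS format). Returns 0 only
# when gpg reported a good signature AND its key is on the list; the long key ID
# is the last 16 hex digits of the fingerprint on the VALIDSIG line. Because the
# list replaces the web of trust, gpg's TRUST_UNDEFINED line (the source of the
# "not certified with a trusted signature" warning) is deliberately ignored.
signature_allowed() {
  status="$1"
  allowed=$(printf '%s' "$2" | tr 'a-z,' 'A-Z ')
  # A bad signature, a missing key or an unverifiable signature fails outright.
  printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY) ' && return 1
  keyid=$(printf '%s\n' "$status" |
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper(substr($3, length($3) - 15)); exit }')
  [ -n "$keyid" ] || return 1
  for k in $allowed; do
    [ "$k" = "$keyid" ] && return 0
  done
  return 1
}

# Constructed sample gpg status output (fake fingerprints, not real keys).
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG DEADBEEFDEADBEEFDEADBEEF0123456789ABCDEF 2024-01-01 1704067200 0 4 0 1 10 00 DEADBEEFDEADBEEFDEADBEEF0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>'

coords_to_urls org.leplus:ristretto:1.0.0
if signature_allowed "$GOOD_STATUS" "fedcba9876543210,0123456789abcdef"; then
  echo "signature accepted: key 0123456789ABCDEF is on the allow-list"
fi
```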

Software Bill of Materials (SBOM)

To get the SBOM for the latest image (in SPDX JSON format), use the following command:

docker buildx imagetools inspect leplusorg/pgp-verify-jar --format '{{ json (index .SBOM "linux/amd64").SPDX }}'

Replace linux/amd64 by the desired platform (linux/amd64, linux/arm64 etc.).

Sigstore

Sigstore is trying to improve supply chain security by allowing you to verify the origin of an artifact. You can verify that the jar that you use was actually produced by this repository. This means that if you verify the signature of the ristretto jar, you can trust the integrity of the whole supply chain from source code, to CI/CD build, to distribution on Maven Central or wherever you got the jar from.

You can use the following command to verify the latest image using its sigstore signature attestation:

cosign verify leplusorg/pgp-verify-jar --certificate-identity-regexp 'https://github\.com/leplusorg/docker-pgp-verify-jar/\.github/workflows/.+' --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

The output should look something like this:

Verification for index.docker.io/leplusorg/xml:main --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates

[{"critical":...

For instructions on how to install cosign, please read this documentation.