
Commit ab2a947

Update README.md
1 parent b949e78 commit ab2a947

1 file changed (+23, -2 lines)


README.md

Lines changed: 23 additions & 2 deletions
@@ -112,12 +112,33 @@ e.g. 48 bytes on Oracle Java HotSpot 1.8.0 for Windows (64-Bit).
112112

113113
## Digital Signature
114114

115-
Releases of Ristretto are digitally signed. You can verify the GPG signature using the following [public key 3F147B345EADE8C92DA0C0006B1B9BE54C155617](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x6b1b9be54c155617). I recommend that you verify the GPG signature of all your dependencies:
115+
Releases of Ristretto are digitally signed in two different ways: using Sigstore and using PGP.
116+
117+
### Sigstore
118+
119+
[Sigstore](https://docs.sigstore.dev) is trying to improve supply chain security by allowing you to verify the origin of an artifcat. You can verify that the jar that you use was actually produced by this repository. This means that if you verify the signature of the ristretto jar, you can trust the integrity of the whole supply chain from code source, to CI/CD build, to distribution on Maven Central or whever you got the jar from.
120+
121+
To verify the jar using its sigstore signature, you need to download them both locally and then use the `cosign` tool to verify the signature. The
122+
whole process can be done using the following 3 commands (replacing all occurrences of `x.y.z` with the version that you want to check):
123+
124+
```bash
125+
curl -s -S 'https://repo1.maven.org/maven2/org/leplus/ristretto/x.y.z/ristretto-x.y.z.jar' -o ristretto-x.y.z.jar
126+
curl -s -S 'https://repo1.maven.org/maven2/org/leplus/ristretto/x.y.z/ristretto-x.y.z.jar.sigstore.json' -o ristretto-x.y.z.jar.sigstore.json
127+
cosign verify-blob --bundle ristretto-x.y.z.jar.sigstore.json --certificate-identity 'https://github.com/leplusorg/ristretto/.github/workflows/publish.yml@refs/tags/vx.y.z' --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' ristretto-x.y.z.jar
128+
```
129+
130+
The only output that you should get is a message saying `Verified OK`.
131+
132+
For instructions on how to install `cosign`, please read this [documentation](https://docs.sigstore.dev/cosign/system_config/installation/).
133+
134+
### GPG
135+
136+
Having GPG signature is a requirement to publish artifacts to Maven Central. You can verify the GPG signature using the following [public key 3F147B345EADE8C92DA0C0006B1B9BE54C155617](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x6b1b9be54c155617). I recommend that you verify the GPG signature of all your dependencies:
116137

117138
- [Maven](https://www.simplify4u.org/pgpverify-maven-plugin/)
118139
- [Gradle](https://docs.gradle.org/current/userguide/dependency_verification.html)
119140

120-
To verify only Ristretto, you can run the following command (replacing `x.y.z` with the version that you want to use) and check that the displayed keyId matches the public key mentioned above:
141+
To verify only Ristretto, you can run the following command (replacing `x.y.z` with the version that you want to check) and check that the displayed keyId matches the public key mentioned above:
121142

122143
`mvn org.simplify4u.plugins:pgpverify-maven-plugin:show -Dartifact=org.leplus:ristretto:x.y.z`
123144

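Review bot: the Sigstore paragraph (new line 119) overstates what the cosign check proves. `cosign verify-blob` with the given `--certificate-identity` and `--certificate-oidc-issuer` establishes that the jar was signed by a token issued to the `publish.yml` workflow of `leplusorg/ristretto` running at tag `vx.y.z`, i.e. that the artifact came out of this repository's release workflow and was not altered afterwards; it says nothing about the contents of the source tree at that tag or about the dependencies the build pulled in, so "you can trust the integrity of the whole supply chain from code source" should be narrowed to something like "you can trust that the jar was built and signed by this repository's release workflow and not modified after the build". Smaller points in the same hunk: the two `curl` commands (new lines 125-126) should add `-f` (`curl -sSf ...`) so that an HTTP error does not leave an HTML error page saved as `ristretto-x.y.z.jar` or the bundle, which would then fail verification for a confusing reason; line 119 has typos ("artifcat", "whever"), and line 134 should read "Having a GPG signature". On line 141, since the linked keyserver lookup uses the 64-bit ID `0x6b1b9be54c155617` while the text quotes the full fingerprint `3F147B345EADE8C92DA0C0006B1B9BE54C155617`, the instruction should tell readers to compare the full fingerprint shown by the plugin rather than only the short keyId.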