Provenance

PGP

All release artifacts are signed with PGP. Follow these instructions to verify artifacts against their signatures.

Download the public key. Save it as jreleaser.asc.
Verify the fingerprint matches the following:

$ gpg --show-keys jreleaser.asc
pub   rsa4096 2021-02-10 [SC] [expires: 2031-02-08]
      F1D5F6A91C86B0702CD0734BCCC55C5167419ADB
uid                      Andres Almiray &lt;aalmiray@********.com&gt;
sub   rsa4096 2021-02-10 [E] [expires: 2031-02-08]

Import the key with gpg --import jreleaser.asc.
Verify the chosen artifact with:

$ gpg --verify jreleaser-1.12.0.zip.asc jreleaser-1.12.0.zip
gpg: Signature made Tue Dec 13 06:51:49 2022 CET
gpg:                using RSA key CCC55C5167419ADB
gpg: Good signature from "Andres Almiray &lt;aalmiray@********.com&gt;" [ultimate]

SLSA

Starting with v1.4.0 JReleaser provides SLSA provenance for all release artifacts. Follow these instructions to verify artifacts.

Install or build the slsa-verifier binary.
Download jreleaser-all-1.12.0.intoto.jsonl.
Download the binary or binary files you’d like to verify.
Run the verifier against the binary. For example:

$ slsa-verifier verify-artifact jreleaser-1.12.0.zip \
   --provenance-path jreleaser-all-1.12.0.intoto.jsonl \
   --source-uri github.com/jreleaser/jreleaser
Verified signature against tlog entry index 8865454 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77acceaa92d35076867e961260048db8f9ee7726329e5a14ae3a6cfd678aeacad11
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.4.0 at commit caa516c7c52ca72a352f97e4153334080f8b7f43
PASSED: Verified SLSA provenance