Verify the Authenticity of Java Artifacts

Each Java artifact is associated with an ASC signature file for verifying that the publication source is Veracode. You can download the ASC file for the appropriate version of the Java wrapper here.

Prerequisite: you have installed a GNU Privacy Guard (GPG) utility, such as GnuPG.

To verify that the publication source of Java artifacts is Veracode:

  1. Download the Veracode public key from a public keyserver (such as pgp.mit.edu) using the key ID 0x63003CB3. For example:
    gpg --keyserver pgp.mit.edu --recv-key 0x63003CB3
  2. Verify the signature of an artifact. The following example verifies the signature of vosp-api-wrapper-java-17.10.4.8.jar, assuming the JAR and its ASC file are in the same directory:
    gpg --verify vosp-api-wrapper-java-17.10.4.8.jar.asc
    The following output reports a good signature, but the warning tells you that the Veracode public key is not yet trusted locally:
    gpg: Signature made 11/02/17 14:49:01 Eastern Daylight Time
    gpg:                using RSA key E1AE087F8B51E8F322513009A0D8098560410C91
    gpg: Good signature from "Veracode" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 130D 4190 4800 95BD 01F5  F130 235A 4AC4 6300 3CB3
        Subkey fingerprint: E1AE 087F 8B51 E8F3 2251  3009 A0D8 0985 6041 0C91
    You can mark the Veracode public key as trusted and go on to verify more artifacts, but Veracode recommends that you always compare the fingerprints in the output with the following fingerprints to ensure the signature is not forged.
    pub   rsa2048 2017-11-02 [expires: 2020-11-01]
          130D 4190 4800 95BD 01F5  F130 235A 4AC4 6300 3CB3
    uid           Veracode
    sub   rsa2048 2017-11-02 [expires: 2020-11-01]
          E1AE 087F 8B51 E8F3 2251  3009 A0D8 0985 6041 0C91
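The procedure above relies on a person reading the fingerprints off the screen. The script below is an added example, not Veracode's own tooling, that automates both steps with the fingerprints from the listing above pinned in the script: step 1 imports the key and refuses to proceed unless the imported key carries exactly the pinned fingerprints, and step 2 verifies the artifact from gpg's machine-readable status output rather than from the human-readable "Good signature" line. It assumes a `gpg` binary on PATH for the two wrapper functions, that the `--with-colons` and `--status-fd` record formats follow GnuPG's DETAILS documentation (the VALIDSIG record's trailing primary-key fingerprint is emitted by GnuPG 2.x), and the function names (`check_key_fingerprints`, `check_status`, `import_veracode_key`, `verify_artifact`) are this example's own.

```shell
#!/bin/sh
# Added example, not Veracode's tooling: pin the fingerprints from the key
# listing and let gpg's machine-readable output decide, instead of eyeballing
# "Good signature". Assumes gpg on PATH for the two wrapper functions; the two
# check_* functions are pure parsers that read gpg output on stdin.

# Fingerprints copied from the key listing above, without spaces.
VERACODE_PRIMARY_FPR="130D4190480095BD01F5F130235A4AC463003CB3"
VERACODE_SUBKEY_FPR="E1AE087F8B51E8F322513009A0D8098560410C91"
VERACODE_KEY_ID="0x63003CB3"

# check_key_fingerprints: reads `gpg --with-colons --fingerprint` records on
# stdin; succeeds only if both pinned fingerprints are present. In colon
# output an "fpr" record carries the fingerprint in field 10.
check_key_fingerprints() {
    seen_primary=0
    seen_sub=0
    while IFS=: read -r rectype f2 f3 f4 f5 f6 f7 f8 f9 fpr rest; do
        [ "$rectype" = "fpr" ] || continue
        if [ "$fpr" = "$VERACODE_PRIMARY_FPR" ]; then seen_primary=1; fi
        if [ "$fpr" = "$VERACODE_SUBKEY_FPR" ]; then seen_sub=1; fi
    done
    [ "$seen_primary" -eq 1 ] && [ "$seen_sub" -eq 1 ]
}

# check_status: reads `gpg --status-fd` lines on stdin; succeeds only if a
# VALIDSIG record names the pinned signing subkey (field 1) and the pinned
# primary key (field 10) and no failure status appears. GOODSIG alone is not
# enough: gpg emits it for any matching key in the keyring, trusted or not,
# so a look-alike key named "Veracode" would also produce it.
check_status() {
    valid=0
    bad=0
    while IFS=' ' read -r tag keyword f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                if [ "$f1" = "$VERACODE_SUBKEY_FPR" ] && [ "$f10" = "$VERACODE_PRIMARY_FPR" ]; then
                    valid=1
                fi
                ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NODATA)
                bad=1
                ;;
        esac
    done
    [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Step 1 of the procedure: fetch the key, then compare its fingerprints with
# the pinned values before trusting anything signed by it.
import_veracode_key() {
    gpg --batch --keyserver pgp.mit.edu --recv-key "$VERACODE_KEY_ID" >/dev/null 2>&1 || return 1
    gpg --batch --with-colons --fingerprint --fingerprint "$VERACODE_KEY_ID" | check_key_fingerprints
}

# Step 2: verify artifact $1 against its detached signature $2 (default "$1.asc").
verify_artifact() {
    gpg --batch --status-fd 1 --verify "${2:-$1.asc}" "$1" 2>/dev/null | check_status
}

# Usage: sh verify_veracode.sh vosp-api-wrapper-java-17.10.4.8.jar
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    import_veracode_key || { echo "key fingerprint mismatch, refusing to verify" >&2; exit 1; }
    verify_artifact "$1" && echo "verified: $1" || { echo "REJECTED: $1" >&2; exit 1; }
fi
```

Because the pinned fingerprints are compared exactly, the script rejects a signature that gpg reports as "Good" but that was made by a different key with the same user ID, which is precisely the case the manual fingerprint comparison in the procedure is meant to catch.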