Reputation: 2946
I've been trying to figure out how to retrieve the public facing PGP key of libraries hosted on Maven repositories (for instance MavenCentral and Google's mirrors).
Is there a way that these keys can be retrieved through a url in some way?
Upvotes: 4
Views: 131
Reputation: 676
The public key for the GPG signatures is searchable using the ASC signature file. You can retrieve the public key from a key server using gpg. Use one of the servers in the list:
hkps://keys.openpgp.org
hkps://keyserver.ubuntu.com
hkps://pgp.mit.edu
hkps://pgp.surf.nl
For example, for the Saxon HE Saxon-HE-12.5-javadoc.jar artifact:
Retrieve the Public Key: You can use the gpg --list-packets command to inspect the contents of an ASC signature file and find the public signing key's fingerprint. For example:
curl https://repo1.maven.org/maven2/net/sf/saxon/Saxon-HE/12.5/Saxon-HE-12.5-javadoc.jar.asc | gpg --list-packets
Check if the Key is Stored Locally: Use the gpg --list-keys command to check if a public key is stored locally by searching for the key ID:
gpg --list-keys A929EA2321FDBF8F # Use keyid from previous step
Retrieve the Key from a Key Server: If the key is not stored locally, you can retrieve it from a key server using one of the servers in the list:
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys A929EA2321FDBF8F
Manually Import the Key: If the key server retrieval fails, you can manually import the public key by saving the key block to a file and using:
curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x4c5f68d09d42ba7fac888df9a929ea2321fdbf8f" -o 4C5F68D09D42BA7FAC888DF9A929EA2321FDBF8F.asc
gpg --import 4C5F68D09D42BA7FAC888DF9A929EA2321FDBF8F.asc # <key-file.asc>
This approach ensures that you can verify the signatures of libraries hosted on Maven repositories, even if the public keys are not readily available.
Upvotes: 0
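To show where the key ID in the first step actually comes from, here is an added example (not part of the answer above) that reads a detached .asc the way `gpg --list-packets` does: it strips the ASCII armor, parses the signature packet header, and walks the subpackets for the issuer key ID (type 16) and issuer fingerprint (type 33). The sample signature is constructed inline around the fingerprint quoted in the answer; its signature value is filler, so it only demonstrates the parsing, not verification.

```python
import base64
# Constructed sample: dummy v4 signature packet carrying the answer's issuer fingerprint/key ID; MPI is filler.
FPR = bytes.fromhex("4C5F68D09D42BA7FAC888DF9A929EA2321FDBF8F")
_hashed = bytes([22, 33, 4]) + FPR                       # subpacket 33: issuer fingerprint (v4 key)
_unhashed = bytes([9, 16]) + FPR[-8:]                    # subpacket 16: issuer key ID = low 64 bits
_body = (bytes([4, 0, 1, 8]) + len(_hashed).to_bytes(2, "big") + _hashed
         + len(_unhashed).to_bytes(2, "big") + _unhashed + b"\x12\x34\x00\x10\xab\xcd")
_packet = bytes([0x89]) + len(_body).to_bytes(2, "big") + _body   # old-format header, tag 2, 2-octet length
SAMPLE_ASC = ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(_packet).decode()
              + "\n=AAAA\n-----END PGP SIGNATURE-----\n")         # "=AAAA" stands in for the CRC24 line

def dearmor(armored: str) -> bytes:
    """Return the packet bytes inside an ASCII-armored block (RFC 4880 section 6.2)."""
    text = armored.replace("\r\n", "\n").split("-----BEGIN PGP", 1)[1].split("-----END PGP", 1)[0]
    data = text.split("\n\n", 1)[1]                      # a blank line separates armor headers from data
    b64 = "".join(l.strip() for l in data.splitlines() if not l.startswith("="))   # skip "=XXXX" CRC line
    return base64.b64decode(b64)

def first_packet(data: bytes):
    """Parse one packet header (RFC 4880 section 4.2) and return (tag, body)."""
    ptag = data[0]
    if ptag & 0x40:                                      # new-format header
        tag, n = ptag & 0x3F, data[1]
        if n >= 224:
            raise ValueError("5-octet and partial body lengths not handled")
        length, off = (n, 2) if n < 192 else (((n - 192) << 8) + data[2] + 192, 3)
    else:                                                # old-format header, as gpg emits for signatures
        n = (1, 2, 4)[ptag & 0x03]                       # length type 3 (indeterminate) raises IndexError
        tag, length, off = (ptag >> 2) & 0x0F, int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]

def issuer_from_asc(armored: str) -> dict:
    """Pull the issuer key ID / fingerprint from a detached .asc, as `gpg --list-packets` reports them."""
    tag, sig = first_packet(dearmor(armored))
    if tag != 2 or sig[0] != 4:
        raise ValueError("expected a v4 signature packet")
    found, pos = {}, 4                                   # skip version, sig type, pk algo, hash algo
    for _ in range(2):                                   # hashed subpackets, then unhashed subpackets
        area_len = int.from_bytes(sig[pos:pos + 2], "big")
        area, pos, i = sig[pos + 2:pos + 2 + area_len], pos + 2 + area_len, 0
        while i < len(area):                             # subpacket = length (1-2 octets), type, data
            sp_len, i = (area[i], i + 1) if area[i] < 192 else (((area[i] - 192) << 8) + area[i + 1] + 192, i + 2)
            sp_type, sp_data = area[i] & 0x7F, area[i + 1:i + sp_len]
            if sp_type == 16:
                found["keyid"] = sp_data.hex().upper()
            elif sp_type == 33:
                found["fingerprint"] = sp_data[1:].hex().upper()   # first octet is the key version
            i += sp_len
    return found
```

Run it against a real .asc downloaded from repo1.maven.org and the returned key ID is the value to pass to `gpg --recv-keys`; the full fingerprint, when present, is what you should compare against the project's published key rather than the short key ID alone.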