Fork me on GitHub


This plugin allow you to automatically verify PGP signature of all project dependency.


  • check signature of artifacts during each build, not only during artifact download from the remote repository to local
  • possibility to map pgp key fingerprint to artifacts, so we can detect if correct key is used for making signature
  • possibility to check signature of maven plugins used during build
  • there is no external software need to install - plugin use Bouncy Castle library to manage pgp operations
  • works on many operating system and jdk versions - confirmed by CI builds - Linux, Windows, Mac OS, JDK 8, 11, 14


You can try it by running in your project directory:

mvn org.simplify4u.plugins:pgpverify-maven-plugin:check

More examples of usage


Issues, bugs, new feature requests, questions can be submitted to issue management system.

If you need help don’t hesitate to create new issue.