Verifying Downloads

Verifying Jenkins Downloads

Jenkins automatically verifies the integrity of Jenkins core updates it downloads from update centers. These instructions apply to manual downloads.

WAR File Verification

The Jenkins war file (2.232 and newer, LTS 2.235.3 and newer) are signed by the Jenkins project. These signatures can be verified using jarsigner, a tool included with the Java runtime. Expected output of jarsigner -verify -verbose jenkins.war:

- Signed by "CN="CDF Binary Project a Series of LF Projects, LLC", OU=Jenkins Project, O="CDF Binary Project a Series of LF Projects, LLC", L=Dover, ST=Delaware, C=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 4096-bit key

Earlier releases were created and signed by Kohsuke Kawaguchi. Expected output of jarsigner -verify -verbose jenkins.war:

- Signed by "CN=Infradna Inc (Kohsuke Kawaguchi), O=Infradna Inc (Kohsuke Kawaguchi), STREET=4438 Hilton Ave, L=San Jose, ST=California, OID.2.5.4.17=95130, C=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key

The SHA-256 checksums of the latest weekly and LTS releases are published on the downloads page next to the respective .war download option. The SHA-1 and SHA-256 checksums of past releases are published here.

Windows MSI Installers

Windows MSI Installers are signed with the same code signing certificate as the WAR file.

The Windows Explorer 'Properties' tab shows the signing information for signed MSI files. Windows warns during installation if the MSI file is not correctly signed. Windows users can also verify the MSI file signature with the signtool command. Refer to "How to verify Digital Signatures of programs in Windows" for more details.

Linux Package Repositories

The long term support Linux package repositories for Debian/Ubuntu and Red Hat/CentOS have used the following GPG key since Jenkins 2.235.3:

pub   rsa4096 2020-03-30 [SC] [expires: 2023-03-30]
      62A9756BFD780C377CF24BA8FCEF32E745F2C3D5
uid                      Jenkins Project <jenkinsci-board@googlegroups.com>
sub   rsa4096 2020-03-30 [E] [expires: 2023-03-30]

The weekly Linux package repositories for Debian/Ubuntu and Red Hat/CentOS have used the same GPG key since Jenkins 2.232 (April 2020).

Verifying Plugin Downloads

Jenkins automatically verifies the integrity of plugins it downloads from update centers. These instructions apply to manual downloads.

To manually download plugin releases, visit the plugin’s page on the plugin site and select "Archives". That page will list all releases available for download as well as their SHA-1 and SHA-256 checksums.