# Overview of Assured OSS artifact signature

Last updated 2025-09-04 UTC.

Assured Open Source Software provides you with packages, package metadata, and
utility scripts. Each Assured OSS package is signed using a separate
Google-issued certificate whose key pair uses the ECDSA P-256 algorithm for key
generation.
Package metadata files and utility scripts are also signed, all using a single
Google-issued certificate whose key pair likewise uses ECDSA P-256. These
certificates are issued by Certificate Authority Service, and the corresponding
public root certificate can be found [in a Cloud Storage bucket](http://privateca-content-6333d504-0000-2df7-afd6-30fd38154590.storage.googleapis.com/a2c725a592f1d586f1f8/ca.crt).

This document applies to the free tier. For information about signatures in the
premium tier, see [Access security metadata and verify
packages](/security-command-center/docs/aoss-access-security-metadata).

Overview of signatures
----------------------

Signatures are stored in a `signature.zip` file. The `signature.zip` file
contains the following files:

- `digest.txt`: This file stores the hashing algorithm and the package digest
  in hex-encoded format, separated by a colon. See the following example:

      SHA-256:c5feab6f4de0878e94cf2a3074039b4f16a0c93a03501f047ee6eea29a8e33e0

- `signature.txt`: This file stores the signature algorithm and the hex-encoded
  signature, separated by a colon. The signature is a DER-encoded ECDSA P-256
  signature over the SHA-256 digest of the package. See the following example:

      ECDSAP256_DER:30450220585d2a01f20de98dfe6cfab2c01a8f11787dbafbc6541304d23cc582e61be016022100f05a19f5ce473144579dfefc47905fd650584a1c7a31bd9d5bf93ecce739a7cb

- `cert.pem`: This file stores the public certificate of the signing key.

- `certChain.pem`: This file stores the certificate chain that links `cert.pem`
  to the root certificate.

Verification of signatures
--------------------------

You can verify signatures using any of the following:

- [aoss-verifier](https://github.com/google/aoss-verifier) tool
- manually
- verification script

### Verify signatures using `aoss-verifier` tool

1. To verify the authenticity and integrity of open source software packages,
   install the [aoss-verifier](https://github.com/google/aoss-verifier)
   tool.

2. To verify a package, pass the LANGUAGE, PACKAGE_ID, and VERSION values and
   the ARTIFACT_PATH of the file that you want to verify using the
   `--language`, `--package_id`, `--version`, and `--artifact_path` flags:

       aoss-verifier verify-package \
           --language LANGUAGE \
           --package_id PACKAGE_ID \
           --version VERSION \
           --artifact_path ARTIFACT_PATH

   Replace the following:
   - LANGUAGE: The package language. The value must be in lowercase.
   - PACKAGE_ID: For Java, the format is groupId:artifactId. For Python, the
     format is packageName. The value must be in lowercase.
   - VERSION: The version of the package.
   - ARTIFACT_PATH: The path to the data file in your local directory that you
     want to verify. Use the following filename extensions:
     - `jar` file extension for a Java package
     - `whl` file extension for a Python package

### Verify signatures manually

To verify the signatures manually, do the following:

1. Install Google Cloud CLI and the OpenSSL software, version 3.0.1 or higher.

2. Verify the digest.

   1. Identify the hashing algorithm. The `digest.txt` file contains the hashing
      algorithm used to calculate the digest, before the colon. Identify the
      hashing algorithm using the following command:

          cut -d ':' -f1 digest.txt

      Make sure that the output is `SHA-256`. If it is anything else, stop: the
      remaining steps assume a SHA-256 digest.

   2. Calculate the digest of the data file. You can calculate the digest with
      various command line tools, depending on the hash algorithm used. For
      Assured OSS data files and scripts, use the SHA-256 hash algorithm to
      generate the digest.

      On Linux, use the following command to calculate the hash:

          sha256sum PATH_TO_DATA_FILE | cut -d ' ' -f1 > datadigest.txt

      For package verification, replace PATH_TO_DATA_FILE with the path to the
      package in your local directory.

      For metadata verification, replace PATH_TO_DATA_FILE with the metadata
      filename, for example `buildInfo.json`, `vexInfo.json`, or
      `healthInfo.json`.

      On macOS, use the following command:

          shasum -a 256 PATH_TO_DATA_FILE | cut -d ' ' -f1 > datadigest.txt

   3. Extract the hash from the `digest.txt` file using the following command:

          cut -d ':' -f2 digest.txt > signaturedigest.txt

   4. Compare the two digests using the following command:

          diff datadigest.txt signaturedigest.txt

      If the digests match, there is no output. Any output means the file is
      not the one that was signed; do not continue with it.

3. Verify the signature.

   1. Obtain the public key from `cert.pem` using the following command:

          openssl x509 -pubkey -noout -in cert.pem > pubkey.pem

   2. Extract the signature in binary format using the following command
      (install the `xxd` command if it isn't present):

          cut -d ':' -f2 signature.txt | xxd -r -p > sig.sig

   3. Extract the digest in binary format using the following command:

          cut -d ':' -f2 digest.txt | xxd -r -p > digest.bin

   4. Verify the signature using one of the following commands. Option 1 checks
      the signature against the digest you compared in the previous step;
      Option 2 hashes the data file again itself. Both verify the same
      DER-encoded ECDSA signature.

      Option 1:

          openssl pkeyutl -in digest.bin -inkey pubkey.pem -pubin -verify -sigfile sig.sig

      The command returns the following output:

      `Signature Verified Successfully`

      Option 2:

          openssl dgst -sha256 -verify pubkey.pem -signature sig.sig PATH_TO_DATA_FILE

      Replace PATH_TO_DATA_FILE with the path to the data file in your local
      directory.

      The command returns the following output:

      `Verified OK`

4. Verify the certificate.

   A signature that verifies under `pubkey.pem` only proves that the holder of
   that key signed the file; this step is what ties the key to Google, so it is
   required. To verify that `cert.pem` chains to the root certificate through
   `certChain.pem`, run the following command:

       openssl verify -verbose -CAfile ca.crt -untrusted certChain.pem cert.pem

   The `ca.crt` file is the root certificate, which you can download using this
   command:

       curl -o PATH_TO_LOCAL_STORE https://privateca-content-6333d504-0000-2df7-afd6-30fd38154590.storage.googleapis.com/a2c725a592f1d586f1f8/ca.crt

   Replace PATH_TO_LOCAL_STORE with the local path where you want to store the
   root certificate. Download it over HTTPS, as shown, and keep that copy as
   your trust anchor rather than fetching it again for every verification.

   The following output is returned upon success:

   `cert.pem: OK`

### Verify signatures using a script

To use a verification script to verify signatures, follow these steps:

1. Download the verification script.

   1. [Set up authentication](/assured-open-source-software/docs/validate-connection#set_up_authentication)
      using Application Default Credentials (ADC).

   2. Download the `signatureverification.sh`, `README.md` and the `signature.zip`
      for the verification script using the following command:

          gcloud storage cp "gs://cloud-aoss/utils/signature-verification/v1.0" PATH_TO_LOCAL_STORE --recursive

      Replace PATH_TO_LOCAL_STORE with the local path where you want to
      download the files.

   You can also [perform utility script verification](/assured-open-source-software/docs/verify-packages#utility-script-verification)
   using the verification script.

2. Execute the script using the following steps:

   1. Install Google Cloud CLI and the OpenSSL software, version 3.0.1 or higher.

   2. Authenticate with the service account that has permission to access
      Assured OSS.

   3. Make the script executable using the following command:

          chmod +x signatureverification.sh

   4. If you haven't downloaded the `signature.zip` file, execute the script
      using the following command:

          ./signatureverification.sh --data_file_path PATH_TO_DATA_FILE \
              --signature_url SIGNATURE_ZIP_URL \
              --root_cert_url ROOT_CERT_URL

      Replace the following:
      - PATH_TO_DATA_FILE: the path to the data file in your local directory
        that you want to verify
      - SIGNATURE_ZIP_URL: the URL of the signature zip file
      - ROOT_CERT_URL: the public root certificate URL

**Sample output**

The following output indicates that the verification script has run
successfully:

`Signature verification successful`

`Certificate verification successful`

What's next
-----------

- [Verify signatures](/assured-open-source-software/docs/verify-packages)
- [Verify the build provenance](/assured-open-source-software/docs/verify-build-provenance)
- [Learn about protecting your software supply chain](/software-supply-chain-security/docs/overview)
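The manual procedure from "Verify signatures manually", carried out end to end as
one script. This is an added example; it is not Google's `signatureverification.sh`
and not part of the Assured OSS tooling. It assumes that `signature.zip` has been
unpacked into a directory (`SIGDIR`) holding `digest.txt`, `signature.txt`,
`cert.pem` and `certChain.pem`, that the root certificate has already been saved
locally (`ROOT_CA`), and that `openssl` plus one of `xxd`, `python3` or `perl` are
installed. The `make_fixture` function builds constructed test data with its own
throwaway CA so the script runs offline; it demonstrates the checks, not Google's
signatures. Unlike the page's step order, it verifies the certificate chain before
it uses the public key, and it refuses the file as soon as any check fails.

```bash
#!/usr/bin/env bash
# Added example, not Google's signatureverification.sh: the manual checks from
# this page as one function, plus a constructed fixture so it runs offline.
# Assumes SIGDIR is an unpacked signature.zip (digest.txt, signature.txt,
# cert.pem, certChain.pem) and ROOT_CA is a saved copy of ca.crt.
# Needs openssl (3.x preferred) and one of xxd, python3 or perl.
set -eu

# Decode hex on stdin to binary on stdout; xxd is not installed everywhere.
hex_to_bin() {
  if command -v xxd >/dev/null 2>&1; then xxd -r -p
  elif command -v python3 >/dev/null 2>&1; then
    python3 -c 'import sys,binascii;sys.stdout.buffer.write(binascii.unhexlify(sys.stdin.read().strip()))'
  else perl -e 'undef $/; $h=<STDIN>; $h=~s/\s//g; print pack("H*",$h)'
  fi
}

# verify_aoss_signature ARTIFACT SIGDIR ROOT_CA
# Succeeds only if the algorithm labels, the digest, the certificate chain
# and the signature all check out; prints the first failing check otherwise.
verify_aoss_signature() {
  local artifact=$1 sigdir=$2 root_ca=$3 dalg salg want have work
  # 1. Algorithm labels: digest.txt is "SHA-256:<hex>", signature.txt is
  #    "ECDSAP256_DER:<hex>". Anything else is not what this page describes.
  dalg=$(cut -d ':' -f1 "$sigdir/digest.txt" | tr -d '[:space:]')
  salg=$(cut -d ':' -f1 "$sigdir/signature.txt" | tr -d '[:space:]')
  [ "$dalg" = "SHA-256" ] || { echo "FAIL: digest algorithm '$dalg', expected SHA-256"; return 1; }
  [ "$salg" = "ECDSAP256_DER" ] || { echo "FAIL: signature algorithm '$salg', expected ECDSAP256_DER"; return 1; }
  # 2. Recompute the artifact's SHA-256 and compare it with the signed digest
  #    (same as sha256sum / shasum -a 256 on the page; openssl runs on both).
  want=$(cut -d ':' -f2 "$sigdir/digest.txt" | tr -d '[:space:]' | tr 'A-F' 'a-f')
  have=$(openssl dgst -sha256 "$artifact" | awk '{print $NF}')
  [ "$want" = "$have" ] || { echo "FAIL: digest mismatch: file $have, digest.txt $want"; return 1; }
  # 3. Chain cert.pem to the root BEFORE trusting its key: a valid signature
  #    from a certificate that does not chain to the root proves nothing.
  openssl verify -CAfile "$root_ca" -untrusted "$sigdir/certChain.pem" "$sigdir/cert.pem" >/dev/null 2>&1 \
    || { echo "FAIL: cert.pem does not chain to $root_ca"; return 1; }
  # 4. Verify the DER-encoded ECDSA P-256 signature over SHA-256(artifact).
  work=$(mktemp -d)
  openssl x509 -pubkey -noout -in "$sigdir/cert.pem" > "$work/pubkey.pem"
  cut -d ':' -f2 "$sigdir/signature.txt" | hex_to_bin > "$work/sig.der"
  if ! openssl dgst -sha256 -verify "$work/pubkey.pem" -signature "$work/sig.der" "$artifact" >/dev/null 2>&1; then
    rm -rf "$work"; echo "FAIL: signature does not verify"; return 1
  fi
  rm -rf "$work"
  echo "OK: $artifact verified against $sigdir"
}

# make_fixture DIR: constructed test data, not real Assured OSS material.
# Builds a P-256 root -> intermediate -> signer chain, signs DIR/pkg.whl and
# writes DIR/sig/{digest.txt,signature.txt,cert.pem,certChain.pem} and DIR/ca.crt.
make_fixture() {
  local d=$1 n
  mkdir -p "$d/sig"
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Test Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[v3_signer]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF
  for n in root int signer; do openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key"; done
  openssl req -x509 -new -key "$d/root.key" -config "$d/x.cnf" -extensions v3_ca -days 1 -out "$d/ca.crt"
  openssl req -new -key "$d/int.key" -config "$d/x.cnf" -subj '/CN=Constructed Intermediate' -out "$d/int.csr"
  openssl x509 -req -in "$d/int.csr" -CA "$d/ca.crt" -CAkey "$d/root.key" -CAcreateserial -days 1 \
    -extfile "$d/x.cnf" -extensions v3_ca -out "$d/sig/certChain.pem" 2>/dev/null
  openssl req -new -key "$d/signer.key" -config "$d/x.cnf" -subj '/CN=Constructed Signer' -out "$d/signer.csr"
  openssl x509 -req -in "$d/signer.csr" -CA "$d/sig/certChain.pem" -CAkey "$d/int.key" -CAcreateserial -days 1 \
    -extfile "$d/x.cnf" -extensions v3_signer -out "$d/sig/cert.pem" 2>/dev/null
  printf 'constructed package bytes\n' > "$d/pkg.whl"
  printf 'SHA-256:%s\n' "$(openssl dgst -sha256 "$d/pkg.whl" | awk '{print $NF}')" > "$d/sig/digest.txt"
  openssl dgst -sha256 -sign "$d/signer.key" -out "$d/sig.der" "$d/pkg.whl"
  printf 'ECDSAP256_DER:%s\n' "$(od -An -v -tx1 "$d/sig.der" | tr -d ' \n')" > "$d/sig/signature.txt"
}

# Self-check: the fixture verifies; the same files with a modified artifact do not.
demo() {
  local d; d=$(mktemp -d)
  make_fixture "$d"
  verify_aoss_signature "$d/pkg.whl" "$d/sig" "$d/ca.crt"
  printf 'x' >> "$d/pkg.whl"
  verify_aoss_signature "$d/pkg.whl" "$d/sig" "$d/ca.crt" || echo "tampered artifact rejected, as intended"
  rm -rf "$d"
}
demo
```

To use it on real material, unzip `signature.zip` into a directory and call
`verify_aoss_signature PATH_TO_DATA_FILE SIGDIR ca.crt`; the exit status is the
result, so it can gate a build step. The chain check runs before the signature
check on purpose: `openssl dgst -verify` answers only "did this key sign this
file", and the chain to the root is what makes that key meaningful.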