Verifying Downloads

Verifying Jenkins Downloads

Jenkins automatically verifies the integrity of Jenkins core updates it downloads from update centers. These instructions apply to manual downloads.

WAR File Verification

The Jenkins war file (2.232 and newer, LTS 2.235.3 and newer) are signed by the Jenkins project. These signatures can be verified using jarsigner, a tool included with the Java runtime. Expected output of jarsigner -verify -verbose jenkins.war:

- Signed by "CN="CDF Binary Project a Series of LF Projects, LLC", O="CDF Binary Project a Series of LF Projects, LLC", L=Wilmington, ST=Delaware, C=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA384withRSA, 4096-bit key

Earlier releases were created and signed by Kohsuke Kawaguchi. Expected output of jarsigner -verify -verbose jenkins.war:

- Signed by "CN=Infradna Inc (Kohsuke Kawaguchi), O=Infradna Inc (Kohsuke Kawaguchi), STREET=4438 Hilton Ave, L=San Jose, ST=California, OID.2.5.4.17=95130, C=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key

The SHA-256 checksums of the latest weekly and LTS releases are published on the downloads page next to the respective .war download option. The SHA-1 and SHA-256 checksums of past releases are published here.

Windows MSI Installers

Windows MSI Installers are signed with the same code signing certificate as the WAR file.

The Windows Explorer 'Properties' tab shows the signing information for signed MSI files. Windows warns during installation if the MSI file is not correctly signed. Windows users can also verify the MSI file signature with the signtool command. Refer to "How to verify Digital Signatures of programs in Windows" for more details.

Linux Package Repositories

The long term support Linux package repositories for Debian/Ubuntu, Red Hat Enterprise Linux (and derivatives), and Fedora Linux have used the following GPG key since Jenkins 2.387.2:

pub   rsa4096 2023-03-27 [SC] [expires: 2026-03-26]
      63667EE74BBA1F0A08A698725BA31D57EF5975CA
uid                      Jenkins Project <jenkinsci-board@googlegroups.com>
sub   rsa4096 2023-03-27 [E] [expires: 2026-03-26]

The weekly Linux package repositories for Debian/Ubuntu, Red Hat Enterprise Linux (and derivatives), and Fedora Linux have used the same GPG key since Jenkins 2.397 (March 2023).

Verifying Plugin Downloads

Jenkins automatically verifies the integrity of plugins it downloads from update centers. These instructions apply to manual downloads.

To manually download plugin releases, visit the plugin’s page on the plugin site and select "Releases". That page lists all releases available for download. Click the version number to download that release of the plugin.

The SHA-1 and SHA-256 checksums of the plugin downloads are available from the update center plugin pages. Click the plugin in the list and the resulting page will show the checksums and other information about all its releases.