Version: 1.1

Validating ORAS CLI Binaries

After finding your target release, you can find the releaser's information in the notes section.

The following commands can be used to verify the ORAS CLI binaries using GPG:

Step 1:

First, import the releasers' GPG keys, which are used for verification:

$ curl -sSL https://raw.githubusercontent.com/oras-project/oras/refs/heads/main/KEYS | gpg --import -

The GPG keys file contains the keys which have been used for ORAS releases.

Step 2:

Run the following command to check that the keys have been imported. Your output will look something like:

$ gpg --list-keys
pub rsa4096 2023-02-28 [SC] [expires: 2024-02-28]
BE6FA8DDA48D4C230091A0A9276D8A724CE1C704
uid [ unknown] Billy Zha <jinzha1@microsoft.com>
pub rsa4096 2024-12-04 [SC] [expires: 2025-12-04]
73C7F42E8F0B4493115ABED64F723223E9DF0185
uid [ unknown] Shiwei Zhang <shizh@microsoft.com>

Step 3:

Verify our binaries using the command:

$ gpg --verify oras_1.0.0_linux_amd64.tar.gz.asc oras_1.0.0_linux_amd64.tar.gz
gpg: Signature made Mon Mar 20 15:51:28 2023 IST
gpg: using RSA key BE6FA8DDA48D4C230091A0A9276D8A724CE1C704
gpg: Good signature from "Billy Zha <jinzha1@microsoft.com>" [unknown]
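
"Good signature" in Step 3 only means that one of the imported keys made the signature, and the [unknown] marker shows that gpg has no local trust set for that key. The script below is an added example, not part of the ORAS documentation: it pins the releaser fingerprint you expect (taken from the release notes) by parsing gpg's machine-readable --status-fd output. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a release only if it was signed by the pinned releaser key.

# Read `gpg --status-fd` text on stdin and print the primary-key fingerprint
# of the signer. Prints nothing without a VALIDSIG line or if the key is revoked.
signer_fingerprint() {
    awk '
        $1 == "[GNUPG:]" && $2 == "REVKEYSIG" { revoked = 1 }
        # VALIDSIG: field 3 is the signing key, field 12 (if present) the primary key
        $1 == "[GNUPG:]" && $2 == "VALIDSIG"  { fpr = (NF >= 12) ? $12 : $3 }
        END { if (fpr != "" && !revoked) print fpr }
    '
}

# fingerprint_matches STATUS_TEXT EXPECTED_FPR
# Succeeds only when the status text names exactly the expected fingerprint.
fingerprint_matches() {
    actual=$(printf '%s\n' "$1" | signer_fingerprint)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# verify_release ARTIFACT SIGNATURE EXPECTED_FPR
# Fails if gpg rejects the signature or if a different key made it.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    fingerprint_matches "$status" "$3"
}

# Constructed sample of the status lines for the Step 3 verification
# (written by hand for this example, not captured from a real run).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 276D8A724CE1C704 Billy Zha <jinzha1@microsoft.com>
[GNUPG:] VALIDSIG BE6FA8DDA48D4C230091A0A9276D8A724CE1C704 2023-03-20 1679307688 0 4 0 1 10 00 BE6FA8DDA48D4C230091A0A9276D8A724CE1C704
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Usage, once the artifact and its .asc file are downloaded:
#   verify_release oras_1.0.0_linux_amd64.tar.gz \
#       oras_1.0.0_linux_amd64.tar.gz.asc \
#       BE6FA8DDA48D4C230091A0A9276D8A724CE1C704 && echo "signer matches"
```

Pass the fingerprint as the full 40 hexadecimal characters with no spaces, since the comparison is an exact string match.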