Skip to main content
Version: 1.1

Validating ORAS CLI Binaries

After finding your target release, you may find the releaser's information under the notes section.

The following commands can be used to verify the ORAS CLI binaries using GPG:

Step 1:

First, we import the releaser's GPG Key which can be used for verification (here we have imported Billy Zha's key):

$ curl -sSL https://github.com/qweeah.gpg | gpg --import -

You can find the GPG keys which have been used for ORAS releases.

Step 2:

You can run the following command to check if the key has been imported:

$ gpg --list-keys
pub rsa4096 2023-02-28 [SC] [expires: 2024-02-28]
BE6FA8DDA48D4C230091A0A9276D8A724CE1C704
uid [ unknown] Billy Zha <jinzha1@microsoft.com>

Step 3:

Verify our binaries using the command:

$ gpg --verify oras_1.0.0_linux_amd64.tar.gz.asc oras_1.0.0_linux_amd64.tar.gz
gpg: Signature made Mon Mar 20 15:51:28 2023 IST
gpg: using RSA key BE6FA8DDA48D4C230091A0A9276D8A724CE1C704
gpg: Good signature from "Billy Zha <jinzha1@microsoft.com>" [unknown]