Verifying Downloads

Verifying Jenkins Downloads

Jenkins automatically verifies the integrity of Jenkins core updates it downloads from update centers. These instructions apply to manual downloads.

WAR File Verification

The long term support Jenkins war files have been signed with the following GPG key since Jenkins 2.541.1:

pub   rsa4096 2025-12-22 [SC] [expires: 2028-12-21]
      5E386EADB55F01504CAE8BCF7198F4B714ABFC68
uid                      Jenkins Project <jenkinsci-board@googlegroups.com>
sub   rsa4096 2025-12-22 [E] [expires: 2028-12-21]

The weekly Jenkins war files have been signed with the same GPG key since Jenkins 2.543 (January 2026).

These signatures can be verified using gpg.

Import the Jenkins GPG public key into your keyring with the command:

curl -S -s https://pkg.jenkins.io/rpm/jenkins.io-2026.key | gpg --import -

Download the GPG digital signature file that matches the Jenkins war file. For example, the GPG digital signature file of the latest weekly release can be downloaded with:

curl -L -O https://get.jenkins.io/war/latest/jenkins.war.asc

Verify the GPG signature of the downloaded file with gpg --verify. Expected output of gpg --verify --trust-model direct jenkins.war.asc jenkins.war:

gpg: Signature made Tue 07 Apr 2026 12:48:34 AM MDT
gpg:                using RSA key 5E386EADB55F01504CAE8BCF7198F4B714ABFC68
gpg: Good signature from "Jenkins Project <jenkinsci-board@googlegroups.com>" [unknown]
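
gpg --verify reports a good signature for any key present in the keyring, so a scripted check should also confirm that the signer is the fingerprint listed on this page. The script below is an added example, not part of the Jenkins documentation; the function names, the script name in the usage comment, and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Jenkins project): pin the signer's fingerprint.
# Fingerprint copied from the key listing on this page.
JENKINS_FPR=5E386EADB55F01504CAE8BCF7198F4B714ABFC68

# signer_is_pinned EXPECTED_FPR
# Reads gpg --status-fd lines on stdin. Succeeds only when at least one
# VALIDSIG is present, every VALIDSIG names EXPECTED_FPR as the signing or
# primary key, and gpg reported no bad, expired or revoked status.
signer_is_pinned() {
    awk -v want="$1" '
        BEGIN { want = want "" }            # force string comparison
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { seen++; if ($3 == want || $NF == want) ok++ }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(seen > 0 && ok == seen && !bad) }
    '
}

# verify_jenkins_war WAR SIG
# Runs gpg as on this page, plus --status-fd 1 for machine-readable output.
# gpg's own exit code is not relied on; the status lines decide.
verify_jenkins_war() {
    gpg --status-fd 1 --trust-model direct --verify "$2" "$1" 2>/dev/null |
        signer_is_pinned "$JENKINS_FPR"
}

# sample_status FPR [STATUS_KEYWORD]
# Constructed status lines shaped like gpg output, for offline checks only.
sample_status() {
    keyid=$(printf '%s' "$1" | cut -c25-)   # long key ID = last 16 hex digits
    echo "[GNUPG:] NEWSIG"
    echo "[GNUPG:] ${2:-GOODSIG} $keyid Jenkins Project <jenkinsci-board@googlegroups.com>"
    echo "[GNUPG:] VALIDSIG $1 2026-04-07 1775544514 0 4 0 1 10 00 $1"
}

# Usage: sh verify-war.sh jenkins.war jenkins.war.asc
if [ "$#" -eq 2 ]; then
    if verify_jenkins_war "$1" "$2"; then
        echo "OK: $1 signed by $JENKINS_FPR"
    else
        echo "FAIL: $1 is not validly signed by $JENKINS_FPR" >&2
        exit 1
    fi
fi
```

The script fails closed: a missing gpg binary, a missing key, or an unreadable signature file produces no VALIDSIG line and therefore a non-zero exit.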

Releases created before May 2026 were signed by the Jenkins project with a code signing certificate. These signatures can be verified using jarsigner, a tool included with the Java runtime. Expected output of jarsigner -verify -verbose jenkins.war:

- Signed by "CN="CDF Binary Project a Series of LF Projects, LLC", O="CDF Binary Project a Series of LF Projects, LLC", L=Wilmington, ST=Delaware, C=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA384withRSA, 4096-bit key

Releases created before April 2020 were signed by Kohsuke Kawaguchi with a code signing certificate. Expected output of jarsigner -verify -verbose jenkins.war:

- Signed by "CN=Infradna Inc (Kohsuke Kawaguchi), O=Infradna Inc (Kohsuke Kawaguchi), STREET=4438 Hilton Ave, L=San Jose, ST=California, OID.2.5.4.17=95130, C=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 2048-bit key

The SHA-256 checksums of the latest weekly and LTS releases are published on the downloads page next to the respective .war download option. The SHA-1 and SHA-256 checksums of past releases are published here.

Windows MSI Installers

Windows MSI Installers are signed with the same code signing certificate as the WAR file.

The Windows Explorer 'Properties' tab shows the signing information for signed MSI files. Windows warns during installation if the MSI file is not correctly signed. Windows users can also verify the MSI file signature with the signtool command. Refer to "How to verify Digital Signatures of programs in Windows" for more details.

Linux Package Repositories

The long term support Linux package repositories for Debian/Ubuntu, Red Hat Enterprise Linux (and derivatives), Fedora Linux, and openSUSE have used the following GPG key since Jenkins 2.541.1:

pub   rsa4096 2025-12-22 [SC] [expires: 2028-12-21]
      5E386EADB55F01504CAE8BCF7198F4B714ABFC68
uid                      Jenkins Project <jenkinsci-board@googlegroups.com>
sub   rsa4096 2025-12-22 [E] [expires: 2028-12-21]

The weekly Linux package repositories for Debian/Ubuntu, Red Hat Enterprise Linux (and derivatives), and Fedora Linux have used the same GPG key since Jenkins 2.543 (January 2026).

Verifying Plugin Downloads

Jenkins automatically verifies the integrity of plugins it downloads from update centers. These instructions apply to manual downloads.

To manually download plugin releases, visit the plugin’s page on the plugin site and select "Releases". That page lists all releases available for download. Click the version number to download that release of the plugin.

The SHA-1 and SHA-256 checksums of the plugin downloads are available from the update center plugin pages. Click the plugin in the list and the resulting page will show the checksums and other information about all its releases.