Verify the integrity of the Liquibase distribution checksum
Last updated: June 9, 2026
The Liquibase distribution checksum archives are GPG-signed and include SHA256, MD5, and SHA1 checksum files. Use these artifacts to confirm that a download is authentic and has not been modified in transit.
Before you begin
GnuPG (gpg) is available on your system.
Procedure
Locate the checksum files
Signature and checksum release assets are available in the Liquibase Secure download under the /vex folder as .asc, .sha256, .md5, and .sha1 files.
https://repo.liquibase.com/releases/secure/5.2/
Import the Liquibase GPG Public Key
Import the Liquibase signing key from a public keyserver. The key is registered under devops@liquibase.com with fingerprint A1DD405BE11C10B68642177F9CB34520F4F52C15.
gpg --keyserver keyserver.ubuntu.com --recv-keys A1DD405BE11C10B68642177F9CB34520F4F52C15
Verify the GPG Signature
Verify the detached .asc signature against the archive you downloaded.
Be sure to:
Replace your_version with the Liquibase version number. For example, 4.29.0, 4.30.1
gpg --verify liquibase-your_version.zip.asc liquibase-your_version.zip
A successful verification outputs: Good signature from "Liquibase <devops@liquibase.com>".
To verify a TAR.GZ archive, use liquibase-your_version.tar.gz.asc and liquibase-your_version.tar.gz instead.
Verify Checksums
Confirm the archive is intact using the provided checksum files.
Be sure to:
Replace your_version with the Liquibase version number. For example, 4.29.0, 4.30.1
sha256sum -c liquibase-your_version.zip.sha256
md5sum -c liquibase-your_version.zip.md5
sha1sum -c liquibase-your_version.zip.sha1
A successful verification reports OK for each command.
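The procedure above as a script, added here as an example and not part of the Liquibase documentation: it reads gpg's machine-readable status output and accepts the archive only if the signature was made by the fingerprint published on this page, then checks the SHA256 file. The function names and the sample status lines are constructed for illustration, and the script assumes the archive, its .asc and its .sha256 sit in the same directory.

```shell
#!/bin/sh
# Added example: pin the signer to the fingerprint published on this page
# instead of relying on the human-readable "Good signature" line.
PINNED_FPR="A1DD405BE11C10B68642177F9CB34520F4F52C15"

# Constructed sample of `gpg --status-fd` output (not captured from a real run).
SAMPLE_STATUS='[GNUPG:] GOODSIG 9CB34520F4F52C15 Liquibase <devops@liquibase.com>
[GNUPG:] VALIDSIG A1DD405BE11C10B68642177F9CB34520F4F52C15 2026-06-09 1780963200 0 4 0 1 10 00 A1DD405BE11C10B68642177F9CB34520F4F52C15'

# Read gpg status output on stdin. Succeed only if a VALIDSIG record names
# the wanted fingerprint as the signing key (field 3) or as the primary key
# (last field), and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG record appears.
signed_by_pinned_key() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_release ARCHIVE: expects ARCHIVE.asc and ARCHIVE.sha256 beside it.
verify_release() {
    archive=$1
    status=$(gpg --batch --status-fd 1 --verify "$archive.asc" "$archive" 2>/dev/null)
    if ! printf '%s\n' "$status" | signed_by_pinned_key "$PINNED_FPR"; then
        echo "FAIL: no valid signature from $PINNED_FPR" >&2
        return 1
    fi
    # sha256sum -c resolves the file name listed in the .sha256 file relative
    # to the current directory, so run it where the archive lives.
    ( cd "$(dirname "$archive")" &&
      sha256sum -c "$(basename "$archive").sha256" ) || return 1
    echo "OK: $archive"
}

if [ "$#" -gt 0 ]; then
    verify_release "$1"
else
    # No archive given: run the parser on the constructed sample.
    printf '%s\n' "$SAMPLE_STATUS" | signed_by_pinned_key "$PINNED_FPR" &&
        echo "sample status: signed by pinned key"
fi
```

Run it as `sh verify.sh liquibase-your_version.zip` after importing the key; a signature from any other key in the keyring fails the fingerprint check even though gpg itself would print "Good signature".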