The SuprSend Java SDK is signed and checksummed starting from release v0.13.2. Before installing, you can cryptographically confirm that the artifact you are using was built by SuprSend and has not been modified in transit.

Before you begin

The SuprSend Java SDK ships with two independent trust signals:
  • Maven Central GPG signature — every artifact published to Maven Central is signed with SuprSend’s GPG key. Maven Central requires all publishers to sign their artifacts, and the .asc signature file is published alongside every .jar on the Maven Central file server at repo1.maven.org.
  • SHA-256 checksum + GPG signature on checksums.txt — every GitHub release also publishes a checksums.txt listing SHA-256 hashes of all release artifacts, signed with the same GPG key. This mirrors the flow used for the Python SDK and CLI.
Verification below covers both paths. Pick the one that matches where you are consuming the artifact from — Maven Central or GitHub release.

Prerequisites

You need GPG installed.
brew install gnupg
Confirm it is working:
gpg --version

Path A — Verify a jar from Maven Central

Use this path if your build tool (Maven/Gradle) resolved the dependency from Maven Central, or if you want to verify a .jar downloaded directly from repo1.maven.org.

Step A1 — Create a working directory

mkdir suprsend-verify && cd suprsend-verify

Step A2 — Download the jar, its signature, and its checksum from Maven Central

Use curl to download directly from the Maven Central file server. Do not download through the Sonatype UI — it does not serve .asc files correctly.
VERSION="0.13.2"
BASE="https://repo1.maven.org/maven2/com/suprsend/suprsend-java-sdk/${VERSION}"

curl -sL -O "${BASE}/suprsend-java-sdk-${VERSION}.jar"
curl -sL -O "${BASE}/suprsend-java-sdk-${VERSION}.jar.asc"
curl -sL -O "${BASE}/suprsend-java-sdk-${VERSION}.jar.sha256"

Step A3 — Verify the jar checksum against Maven Central

Maven Central publishes its own SHA-256 hash for every artifact independently of SuprSend. Verifying against it confirms the file you downloaded matches what Maven Central is serving — using Maven Central’s infrastructure as the source of truth.
echo "$(cat suprsend-java-sdk-0.13.2.jar.sha256)  suprsend-java-sdk-0.13.2.jar" | shasum -a 256 --check
Expected output:
suprsend-java-sdk-0.13.2.jar: OK

Step A4 — Import and trust SuprSend’s public key

Download the public key from the SuprSend GitHub release, import it, and mark it as trusted. The last command (gpg --import-ownertrust) sets trust non-interactively so the final verify output is clean with no warnings.
curl -sL -O https://github.com/suprsend/suprsend-java-sdk/releases/download/v0.13.2/public_key.asc
gpg --import public_key.asc
echo "2E736EA7E36AB94C883A490C5261B38640D3A94D:6:" | gpg --import-ownertrust
Expected output:
gpg: key 5261B38640D3A94D: public key "SuprSend (Maven Signing Key) <nikhilesh@suprsend.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: inserting ownertrust of 6
Always download public_key.asc directly from the official SuprSend Java SDK releases page. Do not copy it from mirrors or third-party sources. Before trusting the key, cross-check the fingerprint 2E736EA7E36AB94C883A490C5261B38640D3A94D against the one published on the releases page.

Step A5 — Verify the GPG signature on the jar

gpg --verify suprsend-java-sdk-0.13.2.jar.asc suprsend-java-sdk-0.13.2.jar
Expected output:
gpg: Signature made Fri Mar 27 09:14:21 2026 UTC
gpg:                using RSA key 2E736EA7E36AB94C883A490C5261B38640D3A94D
gpg: Good signature from "SuprSend (Maven Signing Key) <nikhilesh@suprsend.com>" [full]
Good signature [full] confirms the .jar was signed by SuprSend’s private key and has not been modified since signing.
If you see BAD signature, do not use this artifact. Re-download both the .jar and .jar.asc using the curl commands in Step A2 and retry. If the failure persists, contact SuprSend support.

Path B — Verify a jar downloaded from GitHub releases

Use this path if you downloaded the .jar from the GitHub releases page and want to verify it against the signed checksums.txt.

Step B1 — Create a working directory

All files must be in the same directory for the checksum step to work.
mkdir suprsend-verify && cd suprsend-verify

Step B2 — Download the jar and verification files

VERSION="0.13.2"
BASE="https://github.com/suprsend/suprsend-java-sdk/releases/download/v${VERSION}"

curl -sL -O "${BASE}/suprsend-java-sdk-${VERSION}.jar"
curl -sL -O "${BASE}/checksums.txt"
curl -sL -O "${BASE}/checksums.txt.asc"
curl -sL -O "${BASE}/public_key.asc"
At this point your suprsend-verify directory should contain exactly these files:
suprsend-verify/
├── checksums.txt
├── checksums.txt.asc
├── public_key.asc
└── suprsend-java-sdk-0.13.2.jar
| File | Description |
| --- | --- |
| suprsend-java-sdk-0.13.2.jar | The SDK artifact. |
| checksums.txt | SHA-256 hashes of all release artifacts. This is what gets signed. |
| checksums.txt.asc | GPG detached signature over checksums.txt. |
| public_key.asc | SuprSend’s GPG public key. Used to verify the signature. |

Step B3 — Import and trust SuprSend’s public key

gpg --import public_key.asc
echo "2E736EA7E36AB94C883A490C5261B38640D3A94D:6:" | gpg --import-ownertrust
Expected output:
gpg: key 5261B38640D3A94D: public key "SuprSend (Maven Signing Key) <nikhilesh@suprsend.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: inserting ownertrust of 6
Before trusting the key, cross-check the fingerprint 2E736EA7E36AB94C883A490C5261B38640D3A94D against the one published on the SuprSend Java SDK releases page.

Step B4 — Verify the signature on checksums.txt

gpg --verify checksums.txt.asc checksums.txt
Expected output:
gpg: Signature made ...
gpg:                using RSA key 2E736EA7E36AB94C883A490C5261B38640D3A94D
gpg: Good signature from "SuprSend (Maven Signing Key) <nikhilesh@suprsend.com>" [full]
Good signature [full] confirms checksums.txt was produced by SuprSend’s pipeline and has not been tampered with.
If you see BAD signature, do not proceed. Re-download all files from the same release and retry. If the failure persists, contact SuprSend support.

Step B5 — Verify the jar checksum

grep "suprsend-java-sdk-0.13.2.jar" checksums.txt | shasum -a 256 --check
Expected output:
suprsend-java-sdk-0.13.2.jar: OK

Add the dependency to your project

Once verification passes, add the SDK to your build configuration:
<dependency>
  <groupId>com.suprsend</groupId>
  <artifactId>suprsend-java-sdk</artifactId>
  <version>0.13.2</version>
</dependency>

Full scripts

Path A — Maven Central

#!/usr/bin/env bash
set -euo pipefail

VERSION="0.13.2"
JAR="suprsend-java-sdk-${VERSION}.jar"
MAVEN_BASE="https://repo1.maven.org/maven2/com/suprsend/suprsend-java-sdk/${VERSION}"
GH_BASE="https://github.com/suprsend/suprsend-java-sdk/releases/download/v${VERSION}"

mkdir suprsend-verify && cd suprsend-verify

echo "-> Downloading jar, signature, and checksum from Maven Central..."
curl -sL -O "${MAVEN_BASE}/${JAR}"
curl -sL -O "${MAVEN_BASE}/${JAR}.asc"
curl -sL -O "${MAVEN_BASE}/${JAR}.sha256"

echo "-> Verifying jar checksum against Maven Central..."
echo "$(cat ${JAR}.sha256)  ${JAR}" | shasum -a 256 --check

echo "-> Importing and trusting public key..."
curl -sL -O "${GH_BASE}/public_key.asc"
gpg --import public_key.asc
echo "2E736EA7E36AB94C883A490C5261B38640D3A94D:6:" | gpg --import-ownertrust

echo "-> Verifying GPG signature on jar..."
gpg --verify "${JAR}.asc" "${JAR}"

echo "Done. SuprSend Java SDK ${VERSION} verified."

Path B — GitHub release

#!/usr/bin/env bash
set -euo pipefail

VERSION="0.13.2"
JAR="suprsend-java-sdk-${VERSION}.jar"
BASE="https://github.com/suprsend/suprsend-java-sdk/releases/download/v${VERSION}"

mkdir suprsend-verify && cd suprsend-verify

echo "-> Downloading jar and verification files..."
curl -sL -O "${BASE}/${JAR}"
curl -sL -O "${BASE}/checksums.txt"
curl -sL -O "${BASE}/checksums.txt.asc"
curl -sL -O "${BASE}/public_key.asc"

echo "-> Importing and trusting public key..."
gpg --import public_key.asc
echo "2E736EA7E36AB94C883A490C5261B38640D3A94D:6:" | gpg --import-ownertrust

echo "-> Verifying signature on checksums.txt..."
gpg --verify checksums.txt.asc checksums.txt

echo "-> Verifying jar checksum..."
grep "${JAR}" checksums.txt | shasum -a 256 --check

echo "Done. SuprSend Java SDK ${VERSION} verified."
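
Both scripts stop only when gpg --verify exits non-zero, and gpg exits zero for a good signature made by any key in the keyring, whether or not it is the key you trusted. The following added example (not part of SuprSend's scripts; the function names and SAMPLE_* status lines are constructed) reads gpg's --status-fd output and accepts a signature only when it names the pinned fingerprint.

```shell
#!/usr/bin/env bash
# Added example: function names and SAMPLE_* status lines are constructed.
PINNED_FPR="2E736EA7E36AB94C883A490C5261B38640D3A94D"  # fingerprint from this page
OTHER_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   # constructed, not a real key

# Constructed status output: good signature made by the pinned key.
SAMPLE_PINNED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5261B38640D3A94D SuprSend (Maven Signing Key) <nikhilesh@suprsend.com>
[GNUPG:] VALIDSIG ${PINNED_FPR} 2026-03-27 1774602861 0 4 0 1 8 00 ${PINNED_FPR}
[GNUPG:] TRUST_ULTIMATE 0 pgp"

# Constructed status output: equally "good" signature, but from another key.
# gpg --verify exits 0 here too, so an exit-code check would let it through.
SAMPLE_OTHER_KEY="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Key <other@example.invalid>
[GNUPG:] VALIDSIG ${OTHER_FPR} 2026-03-27 1774602861 0 4 0 1 8 00 ${OTHER_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp"

# sig_status_ok STATUS [FPR]: succeed only if STATUS has GOODSIG, no failure,
# expiry or revocation line, and every VALIDSIG names FPR (signing or primary key).
sig_status_ok() {
  local status want seen prefix tag signer rest primary
  status="$1"; want="${2:-$PINNED_FPR}"; seen=0
  if printf '%s\n' "$status" |
     grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) '; then
    return 1
  fi
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  while read -r prefix tag signer rest; do
    [ "$tag" = "VALIDSIG" ] || continue
    primary="${rest##* }"        # last field is the primary key fingerprint
    if [ "$signer" != "$want" ] && [ "$primary" != "$want" ]; then
      return 1                   # valid signature, but not from the pinned key
    fi
    seen=$((seen + 1))
  done <<EOF
$status
EOF
  [ "$seen" -ge 1 ]
}

# verify_pinned SIGFILE DATAFILE: run gpg, decide from the status lines only.
verify_pinned() {
  local status
  status="$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null)" || true
  sig_status_ok "$status"
}
```

In either script, calling `verify_pinned "${JAR}.asc" "${JAR}"` (or `verify_pinned checksums.txt.asc checksums.txt`) in place of the bare `gpg --verify` line makes `set -e` abort on a signature from any other key.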

Reference

| Artifact | Source | Description |
| --- | --- | --- |
| suprsend-java-sdk-{version}.jar | GitHub / Maven Central | The SDK jar. |
| suprsend-java-sdk-{version}.jar.asc | Maven Central | GPG detached signature over the jar. |
| suprsend-java-sdk-{version}.jar.sha256 | Maven Central | SHA-256 hash of the jar, published by Maven Central. |
| checksums.txt | GitHub | SHA-256 hashes of all release artifacts. |
| checksums.txt.asc | GitHub | GPG detached signature over checksums.txt. |
| public_key.asc | GitHub | SuprSend’s GPG public key. |

SuprSend’s GPG signing private key is held exclusively by the automated release pipeline and never leaves the secure signing environment. public_key.asc is the public counterpart — it is published openly with every release and carries no risk of compromise.

The key fingerprint is 2E73 6EA7 E36A B94C 883A 490C 5261 B386 40D3 A94D. You can cross-check this against the fingerprint published on the SuprSend Java SDK releases page to independently confirm the key’s authenticity before trusting it.

Maven Central independently requires all publishers to sign their artifacts with a GPG key registered with a public keyserver, and publishes its own SHA-256 hash for every artifact. Path A therefore gives you three independent signals: Maven Central’s own checksum, SuprSend’s GPG signature on the jar, and the key fingerprint you can verify out-of-band.

If you encounter an unexpected verification failure, reach out at support@suprsend.com or open an issue on the SuprSend Java SDK GitHub repository.