Apache Pekko releases are available under the Apache License, Version 2.0. See the NOTICE file contained in each release artifact for applicable copyright attribution notices.

To ensure that you have downloaded the true release, you should verify the integrity of the files using the signatures and checksums available from this page.


We publish jars to Maven Central with the groupId org.apache.pekko (list). These jars relate to the source downloads you find linked below.

Pekko Core

Pekko HTTP

Pekko gRPC

Pekko Management

Pekko Connectors

Pekko Connectors Kafka

Pekko Persistence JDBC

Pekko SBT Paradox


Older releases can be found at

Verifying Downloads

It is highly recommended that you verify the files that you download.

We provide SHA digest files for all the files that we host on the download site. These files are named after the files they relate to but have .sha512 extensions.

We also provide PGP signature files that can be verified using PGP or GPG. These files are named after the files they relate to but have .asc.

To verify the SHA digests, use:

find . -name "*.sha512" -type f -execdir sha512sum -c {} \;

To verify the PGP signatures, you will need to get the KEYS file. This will be in the source archive or can be fetched from

gpg --import KEYS

To verify the download files, run:

find . -name "*.asc" -exec gpg --no-secmem-warning --verify {} \;