Download

Apache Pekko™ releases are available under the Apache License, Version 2.0. See the NOTICE file contained in each release artifact for applicable copyright attribution notices.

To ensure that you have downloaded the true release, you should verify the integrity of the files using the signatures and checksums available from this page.

Jars

We publish jars to Maven Central with the groupId org.apache.pekko (list). These jars relate to the source downloads you find linked below.

Pekko Core

Pekko HTTP

Pekko gRPC

Pekko Management

There is also a milestone release. This release should not be used in production.

Pekko Connectors

There is also a milestone release. This release should not be used in production.

Pekko Connectors Kafka

Pekko Persistence Cassandra

There is also a milestone release. This release should not be used in production.

Pekko Persistence DynamoDB

Pekko Persistence JDBC

Pekko Persistence R2DBC

Pekko Projection

There is also a milestone release. This release should not be used in production.

Pekko SBT Paradox

Archives

Older releases can be found at:

Verifying Downloads

It is highly recommended that you verify the files that you download.

We provide SHA digest files for all the files that we host on the download site. These files are named after the files they relate to but have .sha512 extensions.

We also provide PGP signature files that can be verified using PGP or GPG. These files are named after the files they relate to but have .asc.

Verifying Checksums

To verify the SHA digests, you need the .tgz and its associated .tgz.sha512 file. An example command:

sha512sum -c apache-pekko-sbt-paradox-1.0.1-incubating-src-20240305.tgz.sha512

Returns:

apache-pekko-sbt-paradox-1.0.1-incubating-src-20240305.tgz: OK

Verifying Signatures

To verify the PGP signatures, you will need to get the KEYS file. This will be in the source archive or can be fetched from https://downloads.apache.org/pekko/KEYS.

gpg --import KEYS

To verify the SHA digests, you need the .tgz and its associated .tgz.asc file. An example command:

gpg --verify apache-pekko-sbt-paradox-1.0.1-incubating-src-20240305.tgz.asc apache-pekko-sbt-paradox-1.0.1-incubating-src-20240305.tgz

Returns:

gpg: Signature made Tue  5 Mar 11:36:27 2024 CET
gpg:                using RSA key 3FD458B4420059F1F97C2563F6A21ED3A05F7F7B
gpg: Good signature from "Matthew de Detrich (CODE SIGNING KEY) <mdedetrich@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3FD4 58B4 4200 59F1 F97C  2563 F6A2 1ED3 A05F 7F7B

You should also verify the key using a command like:

% gpg --fingerprint 3FD458B4420059F1F97C2563F6A21ED3A05F7F7B
pub   rsa4096 2023-06-16 [SC]
      3FD4 58B4 4200 59F1 F97C  2563 F6A2 1ED3 A05F 7F7B
uid           [ unknown] Matthew de Detrich (CODE SIGNING KEY) <mdedetrich@apache.org>
sub   rsa4096 2023-06-16 [E]
sub   rsa4096 2023-06-16 [A]