Downloads

All Apache Cordova packages are published to the npmjs registry for convenience. Source downloads are also available, allowing you to create and use custom consumable packages.

Below is a link to all Apache Cordova packages from our download server. You must verify the integrity of the downloaded files using the signatures downloaded from our distribution directory. The signatures can be verified with our KEYS file.

The distribution directory provides only our current recommended releases; older, historical versions can be retrieved from the archive download site.

Package List

cordova-common@6.0.0

cordova-create@6.0.0

cordova-eslint@6.0.1

cordova-fetch@5.0.0

cordova-js@6.1.0

cordova-lib@13.0.0

cordova-serve@4.0.1

cordova-plugman@3.0.1

cordova-node-xcode@3.0.1

cordova-app-hello-world@7.0.0

cordova-android@14.0.1

cordova-browser@7.0.0

cordova-electron@4.0.0

cordova-ios@8.0.0

cordova-plugin-battery-status@2.0.3

cordova-plugin-camera@7.0.0

cordova-plugin-device-motion@1.0.0

cordova-plugin-device-orientation@3.0.0

cordova-plugin-device@3.0.0

cordova-plugin-dialogs@8.1.3

cordova-plugin-file-transfer@2.0.0

cordova-plugin-file@1.0.0

cordova-plugin-geolocation@4.1.0

cordova-plugin-inappbrowser@6.0.0

cordova-plugin-media-capture@6.0.0

cordova-plugin-media@7.0.0

cordova-plugin-network-information@3.0.0

cordova-plugin-screen-orientation@3.0.4

cordova-plugin-splashscreen@6.0.2

cordova-plugin-statusbar@4.0.0

cordova-plugin-vibration@3.1.1

cordova-plugin-test-framework@1.1.6

Verifying Package Integrity

To verify package integrity, tools capable of performing GPG signature verification and SHA-512 checksum validation are required. Some operating systems include these tools by default, while others may require additional setup.

Linux:

These tools are typically available by default. If they are missing, they can usually be installed via the system package manager (such as apt, dnf, pacman, or yum). For GPG, the package name is typically gnupg.

macOS:

Homebrew can be used to install the required tools. The gpg command is provided by the Homebrew package gnupg, and the sha512sum command is provided by coreutils.

Windows:

The gpg and sha512sum commands are not provided by default and must be installed separately.

One of the simplest ways to obtain both tools is by installing Git for Windows, which typically includes Git Bash along with several useful binaries such as gpg and sha512sum.

When Git for Windows is installed, these binaries can also be made available in Command Prompt or PowerShell by configuring the system PATH environment variable to point to the Git usr\bin directory. By default, this directory is typically located at C:\Program Files\Git\usr\bin, though the exact path may vary depending on the installation.

For SHA-512 checksum verification, Windows users can alternatively use the built-in certutil command.

1. Import the Apache Cordova Public Keys

The KEYS file contains the public keys of all known developers who sign official releases. It is recommended to import these keys into your local GPG keyring.

Download the KEYS file from the official Apache Downloads directory, then run:

gpg --import KEYS

To list the imported keys:

gpg --list-keys

2. Verify the SHA-512 Checksum

Note

In the steps below, the file names file.tgz.sha512 and file.tgz are used as placeholders and should be replaced with the names of the actual files that were downloaded. The exact file names will vary depending on the selected package.

Use the provided checksum file to confirm that the downloaded package matches the official release:

sha512sum -c file.tgz.sha512

If the package is valid, you should see:

file.tgz: OK

Note

Windows environments can alternatively verify the SHA-512 checksum with the following command:

certutil -hashfile C:\path\to\file.tgz SHA512

SHA512 is the name of the hash algorithm. Compare the hash that certutil prints with the checksum in file.tgz.sha512.

(Optional) If you want to manually double-check, you may generate your own checksum:

sha512sum file.tgz

After generating your own checksum, compare it against the authoritative checksum, file.tgz.sha512, to confirm that they match.

Tip

Generating your own checksum is useful for confirming the file was downloaded correctly. The authoritative checksum is the one we provide.

3. Verify the GPG Signature

Note

In the steps below, the file names file.tgz.asc and file.tgz are used as placeholders and should be replaced with the names of the actual files that were downloaded. The exact file names will vary depending on the selected package.

Use the .asc signature file to confirm that the tarball was signed by an authorized Apache Cordova developer.

Run:

gpg --verify file.tgz.asc file.tgz

If the signature is valid and the signer's public key exists in your keyring, you'll see output similar to:

gpg: Good signature from "Developer Name <dev@example.org>"

If GPG warns about trust levels, this is normal unless you manually set owner trust. What matters is that the signature matches a key from the official KEYS file.
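The three steps above combined into one fail-closed script, as an added example that is not part of the Apache Cordova documentation or tooling. It assumes the .sha512 and .asc files sit next to the tarball, that the checksum file uses the "digest  filename" layout that sha512sum -c expects, and GnuPG 2.x status output; the function names are this example's own. Importing KEYS into a throwaway keyring means only a key from that file can produce a good signature.

```sh
#!/bin/sh
# Added example, not Apache Cordova tooling. Function names are this example's own.

# check_sha512 FILE SUMFILE
# Succeeds only if SUMFILE starts with a 128-hex-digit digest equal to FILE's.
# Assumes sha512sum's "digest  filename" layout, as `sha512sum -c` requires.
check_sha512() {
    want=$(awk 'NR == 1 { print tolower($1) }' "$2")
    have=$(sha512sum "$1" | awk '{ print $1 }')
    [ "${#want}" -eq 128 ] && [ "$want" = "$have" ]
}

# signer_from_status: reads `gpg --status-fd 1` output on stdin.
# GOODSIG is emitted only for a good signature by a key that is neither expired
# nor revoked; VALIDSIG's last field is the primary key fingerprint (GnuPG 2.x).
signer_from_status() {
    awk '
        $1 != "[GNUPG:]"                 { next }
        $2 == "GOODSIG"                  { good = 1 }
        $2 == "VALIDSIG"                 { fpr = $NF }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        END {
            if (good && fpr != "" && !bad) { print fpr; exit 0 }
            exit 1
        }'
}

# verify_release FILE KEYS: runs both checks. KEYS is imported into a throwaway
# keyring, so keys already in your personal keyring cannot satisfy the check.
verify_release() {
    file=$1 keys=$2
    check_sha512 "$file" "$file.sha512" || { echo "checksum mismatch" >&2; return 1; }
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null
    signer=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$file.asc" "$file" 2>/dev/null | signer_from_status)
    rc=$?
    rm -rf "$home"
    [ "$rc" -eq 0 ] || { echo "no good signature from a key in KEYS" >&2; return 1; }
    echo "OK: $file signed by key $signer"
}

# Usage: sh verify.sh file.tgz KEYS
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

The fingerprint printed on success can then be compared against the one listed for that developer in the KEYS file.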

Building from Sources

After downloading one of the source packages from the list above and completing the steps in Verifying Package Integrity, follow these steps:

  1. Extract the package contents.
  2. Change your working directory to the root of the extracted contents.
  3. Run npm install to install the package dependencies.
  4. Run npm update to update sub-dependencies, as the package-lock.json may become stale over time.
  5. Run npm pack to generate the consumable tarball.

This will create a .tgz package file, which you can install into your project using:

npm install /path/to/the/newly/created/file.tgz