There are several ways you can obtain the PDFBox binaries or sources:

See also the export control information related to the encryption features included in Apache PDFBox.

PDFBox 1.8.7

Apache PDFBox is an open source Java library for working with PDF documents.

  • 10.3MB, source archive, [ PGP signature ]
    SHA1 checksum: ba7f83a1db9e697bcd0d3613571e1b397968daf6
    MD5 checksum: d37651d71f5814133a05b1fc229ae6d6
  • pdfbox-app-1.8.7.jar 10.6MB, pre-built PDFBox standalone binary, [ PGP signature ]
    SHA1 checksum: d5bbc61c7727bf0d3f87d4acd80f8916e834d2c4
    MD5 checksum: 2553e072fe14787c5c03973d6cd6bcc8
  • preflight-app-1.8.7.jar 7.1MB, pre-built Preflight standalone binary, [ PGP signature ]
    SHA1 checksum: 39e3114eb1ab9bddadca1883ba5512aad3f4577a
    MD5 checksum: a3d212b3a90ad33d778d0de3cf8a86ba
  • pdfbox-1.8.7.jar 4.1MB, pre-built binary, [ PGP signature ]
    SHA1 checksum: 1f149ab0d354095ec4ae18d9fdb2373c3348b11b
    MD5 checksum: c0a8c489b714d4e53be0c1e4d39aaa5c
  • fontbox-1.8.7.jar 218KB, pre-built binary, [ PGP signature ]
    SHA1 checksum: 58a9aef97730a0b0a3c1a55ffeaecd1d737d942b
    MD5 checksum: 117af3012baed02f87663ee939fdfeb4
  • jempbox-1.8.7.jar 51KB, pre-built binary, [ PGP signature ]
    SHA1 checksum: 423144f2fdca094bc88a0050bd256f78dc1e6e27
    MD5 checksum: 30ddc181f534490991ec175bda08f2c8
  • preflight-1.8.7.jar 297KB, pre-built binary, [ PGP signature ]
    SHA1 checksum: 508a46d7f6ba3694a0cc993c84556aa9afaf8301
    MD5 checksum: 1ec968ce4d3a2af89094e0a2fadb024b
  • xmpbox-1.8.7.jar 115KB, pre-built binary, [ PGP signature ]
    SHA1 checksum: 424a31d1030e7a097bc441e13e889f9d52c9e326
    MD5 checksum: ce531e509fc857091ba6b898f069fc2a

This is an incremental feature release based on the earlier 1.8.x releases.

See the release notes for more details.

Verify the integrity of the files

It is essential that you verify the integrity of the downloaded files using the PGP signatures or MD5 and SHA1 checksums. Please read Verifying Apache HTTP Server Releases for more information on why you should verify our releases.

The PGP signatures can be verified using PGP or GPG. First download the KEYS file as well as the .asc signature files for the relevant release packages. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures using

% pgpk -a KEYS
% pgpv


% pgp -ka KEYS
% pgp


% gpg --import KEYS
% gpg --verify

Alternatively, you can verify the MD5 or SHA1 checksums on the files. For checking the MD5 checksums, use the program called md5 or md5sum included in many Unix distributions. The similar program for SHA1 is called sha1sum. It is also available as part of the GNU core utilities. Windows users can get binary md5 programs from here, here, or here.

Get the latest source from version control

To fetch the latest source code from the trunk in the Subversion repository, just run the following command:

svn checkout

You can also browse the Subversion repository using ViewVC at

A read-only Git mirror of PDFBox is available at

Download old releases

Past Apache releases (starting with version 0.8.0-incubating) are available in the release archive at:

The old releases (up to version 0.7.3) published from SourceForge are still available. They can be downloaded from this location:

Export control information

This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See for more information.

The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this Apache Software Foundation distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code.

The following provides more details on the included cryptographic software:

Apache PDFBox uses the Java Cryptography Architecture (JCA) and the Bouncy Castle libraries for handling encryption in PDF documents.