The UID 2 Project is subject to Tech Lab IPR’s Policy and is managed by the IAB Tech Lab Addressability Working Group and Privacy & Rearc Commit Group. Please review the governance rules here
To setup dependencies before building, run the follow script
./setup_dependencies.shTo run unit tests:
mvn clean test
To package application:
mvn package
To run application:
- use
conf/local-config.jsonto run standalone optout service for local debugging, which doesn't communicate with uid2-core.
mvn clean compile exec:java -Dvertx-config-path=conf/local-config.json
- use
conf/integ-config.jsonto run optout service that integrates with uid2-core, which default runs onlocalhost:8088
mvn clean compile exec:java -Dvertx-config-path=conf/integ-config.json
Every non-snapshot image published by this repo's release workflow ships with a SLSA v1.0 build-provenance attestation, signed by GitHub's Sigstore instance via the OIDC identity of the shared publish workflow. The attestation cryptographically binds the image digest to the source commit, the signing workflow, and the runner that built it.
To verify an image, install gh (≥ 2.49) and run:
gh attestation verify \
oci://ghcr.io/iabtechlab/uid2-optout:<tag> \
--owner IABTechLab \
--signer-repo IABTechLab/uid2-shared-actionsA successful run prints ✓ Verification succeeded! followed by the SLSA provenance fields — including sourceRepositoryDigest (the source commit), workflow.path (the signing workflow), and the runner identity.
Snapshot tags (-SNAPSHOT suffix) deliberately skip attestation. gh attestation verify returns no attestations found against a snapshot — that's expected.