2010/12/15 - Apache Excalibur has been retired.

For more information, please explore the Attic.

Download distributions

Use the links below to download binary or source distributions of Excalibur from one of our mirrors. It's a good idea to verify the integrity of the downloaded files using signatures downloaded from our main distribution directory (see below).

Excalibur is distributed as zip and tar.gz archives - the contents are the same. Please note that the tar.gz archives contain file names longer than 100 characters and have been created using GNU tar extensions. They must be untarred with a GNU compatible version of tar.

If you do not see the file you need in the links below, please see the master distribution directory or, preferably, its mirror.


You are currently using the [preferred]. If you encounter a problem with this mirror, please select another mirror. If all mirrors are failing, there are backup mirrors (at the end of the mirrors list) that should be available.

Other mirrors:


All Excalibur products are distributed under the terms of The Apache Software License (version 2.0, and version 1.1 for some older releases). See our License page, or the LICENSE.txt file included in each distribution.

Jar Repository

All Excalibur jars can also be found in the public Maven 2 repository for use with Maven 2 and other repository-aware applications.

Product Downloads

Excalibur Source Resolver 2.2.3 (5 Jul 2007)

Feb 2007 Release (r508111)

Verify Releases

It is essential that you verify the integrity of the downloaded files using the PGP or MD5 signatures.

The MD5 checksums can be verified using the md5 utility (called md5sum on some systems). Download the md5 file that corresponds to the distributions you want to check. Make sure you get these checksums from the main distribution directory, rather than from a mirror.

The PGP signatures can be verified using PGP or GPG. First download the KEYS as well as the asc signature file for the particular distribution. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures using

% pgpk -a KEYS
% pgpv name-of-distributed-file.tar.gz.asc


% pgp -ka KEYS
% pgp name-of-distributed-file.tar.gz.asc


% gpg --import KEYS
% gpg --verify name-of-distributed-file.tar.gz.asc