[
https://issues.apache.org/jira/browse/MNG-5814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15315526#comment-15315526
]
Markus Kilås commented on MNG-5814:
-----------------------------------
I agree on what Alexander says about HTTPS. It should be used but does not
solve the important issues.
Regarding the extra notation for specifying the PGP key, I am not sure that
needs to be, or should be in the POM file. For me it might make more sense to
have the trust specified on system/user level and not per project.
I don't think it would be necessary to uniquely identify an artifact. For me it
would be fine to say, "I require all artifacts with groupId
org.apache.commons.* to be verifiable with one of the Apache Commons signing
keys".
Lets say I have threat model something like this:
a) I must no run any code on my computer from a source I don't trust. If I ever
do that the machine/VM could be considered possibly compromized.
b) As anyone can upload artifacts to the Central repository I can't simply
trust all artifacts coming from Central.
c) And also I don't want to put any trust in the Central's
file-servers/mirrors/CDNs not being compromized.
Possible solution:
- Maven is somehow changed so that before downloading an artifact (or before it
is used?) its digital signature is verified with a public key marked as trusted
for that groupId
- The groupId to public key mapping could possibly be defined in
~/.m2/settings.xml or a similar file
An other solution:
- Use a proxy ("repo manager") that enforces the signature verification.
- As a PoC I have created https://github.com/netmackan/java-binrepo-proxy/
- However, this requires the user to trust (or run) the proxy and it would be
better if Maven already handled this by itself without the need for an extra
repo manager application
Thoughts?
> Be able to verify the pgp signature of downloaded plugins
> ---------------------------------------------------------
>
> Key: MNG-5814
> URL: https://issues.apache.org/jira/browse/MNG-5814
> Project: Maven
> Issue Type: Improvement
> Components: Plugin Requests
> Reporter: Alexander Kjäll
> Labels: security
>
> In order to protect ourself against an attacker that can do injection attacks
> on our downloads we need to verify the pgp signatures of the downloaded
> artifacts.
> For normal dependencies this can be done with a plugin, for example this one:
> https://github.com/s4u/pgpverify-maven-plugin/
> But it's not possible for a plugin to verify it's own authenticity, as it was
> downloaded over an possible insecure channel itself.
> Therefor we need something preinstalled that verifies that the plugin we
> downloaded is the same one that was specified in our pom file.
> I propose that functionality is added to maven that verifies the jar and pom
> files against it's pgp signature files for plugins. And some sort of notation
> is added to the pom file so that it's possible to specify the signing key for
> a plugin.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
