[
https://issues.apache.org/jira/browse/MNG-5814?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hervé Boutemy updated MNG-5814:
-------------------------------
Summary: Be able to verify the pgp signature of downloaded plugins against
a trust configuration (was: Be able to verify the pgp signature of downloaded
plugins)
> Be able to verify the pgp signature of downloaded plugins against a trust
> configuration
> ---------------------------------------------------------------------------------------
>
> Key: MNG-5814
> URL: https://issues.apache.org/jira/browse/MNG-5814
> Project: Maven
> Issue Type: Improvement
> Components: Plugin Requests
> Reporter: Alexander Kjäll
> Priority: Major
> Labels: security
>
> In order to protect ourselves against an attacker that can do injection attacks
> on our downloads we need to verify the pgp signatures of the downloaded
> artifacts.
> For normal dependencies this can be done with a plugin, for example this one:
> https://github.com/s4u/pgpverify-maven-plugin/
> But it's not possible for a plugin to verify its own authenticity, as it was
> downloaded over a possibly insecure channel itself.
> Therefore we need something preinstalled that verifies that the plugin we
> downloaded is the same one that was specified in our pom file.
> I propose that functionality is added to maven that verifies the jar and pom
> files against its pgp signature files for plugins. And some sort of notation
> is added to the pom file so that it's possible to specify the signing key for
> a plugin.
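The check the reporter asks for, written out as an added example (this is not Maven's code, nor the pgpverify plugin's): a trust configuration pins, per plugin coordinate, the fingerprint of the key that must have signed the jar and pom; gpg is run with `--status-fd` on the detached `.asc` file, and the artifact is accepted only if gpg reports a VALIDSIG whose signing-key or primary-key fingerprint equals the pinned one. The `TRUST_CONFIG` mapping, the coordinate strings, the fingerprints and the sample gpg status output are all constructed for the example; the issue does not specify the pom notation, so the layout of the trust configuration is an assumption.

```python
"""Pin-and-verify check for a downloaded plugin artifact (illustrative, not Maven's own code)."""
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional, Tuple

# Hypothetical trust configuration (constructed): plugin coordinates -> the
# 40-hex-digit fingerprint of the key that must have signed its jar/pom.
# The issue proposes carrying something like this in the pom.
TRUST_CONFIG: Dict[str, str] = {
    "org.example:example-maven-plugin": "1111222233334444555566667777888899990000",
}


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    signing_fingerprint: Optional[str] = None


def gpg_status(artifact: Path, signature: Path, keyring: Optional[Path] = None) -> str:
    """Run gpg on a detached signature and return its machine-readable status lines.

    --status-fd 1 sends the status protocol to stdout; an explicit keyring keeps the
    decision independent of whatever keys happen to be in the user's default ring.
    """
    cmd = ["gpg", "--batch", "--no-tty", "--status-fd", "1"]
    if keyring is not None:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd += ["--verify", str(signature), str(artifact)]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def parse_validsig(status_output: str) -> Optional[Tuple[str, Optional[str]]]:
    """Extract (signing-key fingerprint, primary-key fingerprint) from a VALIDSIG line.

    gpg emits VALIDSIG only for a cryptographically good signature. Its fields are:
    fpr date timestamp expire version reserved pubkey-algo hash-algo sig-class [primary-fpr]
    Signatures are often made with a subkey, so the optional primary fingerprint
    is returned too. Note that VALIDSIG says nothing about *trust*: gpg prints it
    even for keys it does not trust, which is exactly why the caller pins a key.
    """
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            signing_fpr = parts[2].upper()
            primary_fpr = parts[11].upper() if len(parts) >= 12 else None
            return signing_fpr, primary_fpr
    return None


def check_artifact(coordinates: str, status_output: str,
                   trust: Dict[str, str] = TRUST_CONFIG) -> VerifyResult:
    """Accept the artifact only if the signature is good AND made by the pinned key."""
    pinned = trust.get(coordinates)
    if pinned is None:
        # Fail closed: an unpinned plugin is not verifiable, so it is not trusted.
        return VerifyResult(False, f"no trusted key pinned for {coordinates}")
    pinned = pinned.replace(" ", "").upper()
    parsed = parse_validsig(status_output)
    if parsed is None:
        return VerifyResult(False, "gpg reported no VALIDSIG (bad, missing, or unverifiable signature)")
    signing_fpr, primary_fpr = parsed
    if pinned in (signing_fpr, primary_fpr):
        return VerifyResult(True, "signature valid and made by the pinned key", signing_fpr)
    return VerifyResult(False, f"signature valid but key {signing_fpr} is not the pinned key", signing_fpr)


# Constructed gpg status output for three situations (not captured from a real run).
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 99990000AAAABBBB Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2020-01-01 1577836800 0 4 0 1 8 00 "
    "1111222233334444555566667777888899990000\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_WRONG_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] VALIDSIG DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF 2020-01-01 1577836800 0 4 0 1 8 00 "
    "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF\n"
)
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 99990000AAAABBBB Example Signer <signer@example.invalid>\n"

if __name__ == "__main__":
    coords = "org.example:example-maven-plugin"
    for name, sample in [("good", SAMPLE_GOOD), ("wrong key", SAMPLE_WRONG_KEY), ("bad sig", SAMPLE_BAD)]:
        r = check_artifact(coords, sample)
        print(f"{name:9s} -> ok={r.ok}: {r.reason}")
    # Real use: status = gpg_status(Path("plugin.jar"), Path("plugin.jar.asc"), Path("trusted.kbx"))
```

The decision deliberately ignores gpg's own trust levels (TRUST_UNDEFINED above): the pinned fingerprint, not the web of trust, is what links the downloaded artifact to the key the pom author intended, so a good signature from any other key is rejected, and a plugin with no pinned key is rejected rather than silently passed.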
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)