HannesWell commented on PR #40: URL: https://github.com/apache/maven-jarsigner-plugin/pull/40#issuecomment-2529120920
> Can you try to reproduce it and add a test?

Just created https://github.com/apache/maven-jarsigner-plugin/pull/41, but it currently does not fail as desired.

> @HannesWell which Maven version do you use?

3.9.9

In general I have the impression it would be better to migrate off `org.sonatype.plexus:plexus-sec-dispatcher`. It's quite old and I regularly get errors like the following, always using the same encrypted key.

```
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at com.sun.crypto.provider.CipherCore.unpad (CipherCore.java:862)
    at com.sun.crypto.provider.CipherCore.fillOutputBuffer (CipherCore.java:942)
    at com.sun.crypto.provider.CipherCore.doFinal (CipherCore.java:735)
    at com.sun.crypto.provider.AESCipher.engineDoFinal (AESCipher.java:436)
    at javax.crypto.Cipher.doFinal (Cipher.java:2205)
    at org.sonatype.plexus.components.cipher.PBECipher.decrypt64 (PBECipher.java:185)
    at org.sonatype.plexus.components.cipher.DefaultPlexusCipher.decrypt (DefaultPlexusCipher.java:72)
    at org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher.decrypt (DefaultSecDispatcher.java:96)
    at org.apache.maven.plugins.jarsigner.AbstractJarsignerMojo.decrypt (AbstractJarsignerMojo.java:561)
```

I first looked at `org.codehaus.plexus:plexus-sec-dispatcher`, which looked like the natural successor to me, but found out that it's explicitly blocked by some enforcer-rules. And I assume that's for a good reason.

Furthermore https://issues.apache.org/jira/browse/MNG-4384 mentioned `SettingsDecrypter`, but I failed to apply it here and therefore assume it would also require work in that interface. And given that it's deprecated for Maven-4, I assume it isn't the best solution anyways nowadays: https://github.com/apache/maven/blob/1b5b5c8f9e7433762e8dce53c2e17d75b6a06b06/compat/maven-settings-builder/src/main/java/org/apache/maven/settings/crypto/SettingsDecrypter.java#L26-L27

If you can tell me a good way forward I would be interested to make the jarsigner plugin more robust and up-to-date.

Or is using Maven's password encryption mechanism for signature file password not recommended? https://maven.apache.org/guides/mini/guide-encryption.html
Because this seems to be the root of all my problems.