Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Maven verify signatures of downloaded pom/jar files

I was trying to find if there is SSL enabled central repository but there probably isn't. I noticed that there are signatures for every jar and pom file in maven central repository. So at least I'd like to check signatures of all maven downloaded files (pom/jar).

The example from http://repo1.maven.org/maven2/org/apache/ant/ant/1.8.2/:

ant-1.8.2.jar ant-1.8.2.jar.asc ant-1.8.2.jar.asc.md5 ant-1.8.2.jar.asc.sha1 ant-1.8.2.jar.md5 ant-1.8.2.jar.sha1 ant-1.8.2.pom ant-1.8.2.pom.asc ant-1.8.2.pom.asc.md5 ant-1.8.2.pom.asc.sha1 ant-1.8.2.pom.md5 ant-1.8.2.pom.sha1 

I realize that I'll have to import public keys for every repository and I'm fine with that. I guess that public keys for maven central are here https://svn.apache.org/repos/asf/maven/project/KEYS.

There are PLENTY of tutorials on web on how to sign with maven. However I didn't find any information on how to force maven (2 or 3) to verify signatures of downloaded jar/pom files. Is it possible?

(Nexus Professional is not an option)

Thank you for help.

like image 269
IgorY Avatar asked Jul 03 '11 19:07

IgorY


2 Answers

Now, that people seem to realize this is a real security problem (as described in this blog-post (the blog seems down, here is an archived version of the blog)), there is a plugin for verifying PGP signatures. You can verify the signatures for all dependencies of your project with the following command:

mvn org.simplify4u.plugins:pgpverify-maven-plugin:check 

Of course, to be 100% sure the plugin is not malicious by itself, you would have to download and verify the source for the plugin from maven central, build it with maven, and execute it. (And this should also be done with all the dependencies and plugins that are needed for the build, recursively.)

Or you use Maven 3.2.3 or above (with a clean repository), which uses TLS for downloading all artefacts. Thus man-in-the-middle attacks are impossible and you get at least the artefacts as they are on maven central.

See also:

  • related Question and Answer
  • Sonatype's Blog to this topic
like image 80
Martin Höller Avatar answered Nov 02 '22 06:11

Martin Höller


Could you write a bash shell script using GnuPG to verify each sig?

Something like: for x in *.jar; do gpg --verify "${x}".asc; done

Obviously you would need the public keys for all the sigs before you started.

like image 24
Geeb Avatar answered Nov 02 '22 04:11

Geeb