Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Maven verify signatures of downloaded pom/jar files

Tags:

ssl

maven

signature

I was trying to find if there is SSL enabled central repository but there probably isn't. I noticed that there are signatures for every jar and pom file in maven central repository. So at least I'd like to check signatures of all maven downloaded files (pom/jar).

The example from http://repo1.maven.org/maven2/org/apache/ant/ant/1.8.2/:

ant-1.8.2.jar ant-1.8.2.jar.asc ant-1.8.2.jar.asc.md5 ant-1.8.2.jar.asc.sha1 ant-1.8.2.jar.md5 ant-1.8.2.jar.sha1 ant-1.8.2.pom ant-1.8.2.pom.asc ant-1.8.2.pom.asc.md5 ant-1.8.2.pom.asc.sha1 ant-1.8.2.pom.md5 ant-1.8.2.pom.sha1

I realize that I'll have to import public keys for every repository and I'm fine with that. I guess that public keys for maven central are here https://svn.apache.org/repos/asf/maven/project/KEYS.

There are PLENTY of tutorials on web on how to sign with maven. However I didn't find any information on how to force maven (2 or 3) to verify signatures of downloaded jar/pom files. Is it possible?

(Nexus Professional is not an option)

Thank you for help.

like image 269
IgorY Avatar asked Jul 03 '11 19:07

IgorY

2 Answers

Now, that people seem to realize this is a real security problem (as described in this blog-post (the blog seems down, here is an archived version of the blog)), there is a plugin for verifying PGP signatures. You can verify the signatures for all dependencies of your project with the following command:

mvn org.simplify4u.plugins:pgpverify-maven-plugin:check

Of course, to be 100% sure the plugin is not malicious by itself, you would have to download and verify the source for the plugin from maven central, build it with maven, and execute it. (And this should also be done with all the dependencies and plugins that are needed for the build, recursively.)

Or you use Maven 3.2.3 or above (with a clean repository), which uses TLS for downloading all artefacts. Thus man-in-the-middle attacks are impossible and you get at least the artefacts as they are on maven central.

See also:

  • related Question and Answer
  • Sonatype's Blog to this topic
like image 80
Martin Höller Avatar answered Nov 02 '22 06:11

Martin Höller

Could you write a bash shell script using GnuPG to verify each sig?

Something like: for x in *.jar; do gpg --verify "${x}".asc; done

Obviously you would need the public keys for all the sigs before you started.

like image 24
Geeb Avatar answered Nov 02 '22 04:11

Geeb
Sign in to Comment

Related questions

How to have Maven show local timezone in maven.build.timestamp?
Automatically incrementing a build number in a Java project
Maven plugin for Tomcat 9
What is the difference between spring-context and spring-core dependencies?
Maven command line parameter "-B"
maven profiles or spring profiles?
Maven deploy:deploy using -DaltDeploymentRepository
file and stdout appenders in logback.xml
Maven release:prepare fails with "scm connection or developerConnection must be specified"
SBT to Maven Converter
How to prevent eclipse from deploying test classes on Tomcat?
JAXB generating JAXBElement<String> instead of String
How do I include an empty directory in a maven assembly?
Simple example for Quartz 2.2 and Tomcat 7
Merging Integration and Unit test reports with JaCoCo
How to remove the Win10's PATH from WSL
getting JRE system library unbound error in build path
Maven - deploy webapp to tomcat before JUnit test
Cannot change version of project facet Dynamic Web Module to 2.5
Unable to import Maven project into IntelliJ IDEA

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!