Maven 2 & 3

Implement repository security improvements for verification of downloaded artifacts

Details

  • Complexity:
    Intermediate
  • Number of attachments :
    1

Issue Links

is duplicated by

New Feature - A new feature of the product, which has yet to be developed. MNG-3659 Securing Artifacts

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.
supercedes

Bug - A problem which impairs or prevents the functions of the product. MNG-1792 finish openpgp support

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Brett Porter added a comment -

one thought on a quicker gpg implementation: fork gpg (assume it exists, handle the exception if not or disable the capability), and then attach the resulting .aasc to an upload. This won't handle downloads but at least gets us the deployment functionality that is highly requested

Show
Brett Porter added a comment - one thought on a quicker gpg implementation: fork gpg (assume it exists, handle the exception if not or disable the capability), and then attach the resulting .aasc to an upload. This won't handle downloads but at least gets us the deployment functionality that is highly requested
Hide
Permalink
Stefano Bagnara added a comment -

Now that the pgp signing plugin allow us to automatically gpg sign deployed artifact, isn't it possible to add the possibility to specify that a given dependency must be signed and that you expect a given fingerprint for that artifact?

We use only local folders for direct dependencies to ensure that our final package include only "verified" jars, but I would like also to ensure that the build is done using the very plugins I chose and I want to be able to check their signatures.

A much less secure but still a step forward would be to be able to specify the md5 in addition to version when declaring the dependency, so that we can check that we are using the same artifact. (althought md5 is cracked and this won't be much secure)

Show
Stefano Bagnara added a comment - Now that the pgp signing plugin allow us to automatically gpg sign deployed artifact, isn't it possible to add the possibility to specify that a given dependency must be signed and that you expect a given fingerprint for that artifact? We use only local folders for direct dependencies to ensure that our final package include only "verified" jars, but I would like also to ensure that the build is done using the very plugins I chose and I want to be able to check their signatures. A much less secure but still a step forward would be to be able to specify the md5 in addition to version when declaring the dependency, so that we can check that we are using the same artifact. (althought md5 is cracked and this won't be much secure)
Hide
Permalink
Brett Porter added a comment -

the page was moved to http://docs.codehaus.org/display/MAVEN/Repository+Security

Show
Brett Porter added a comment - the page was moved to http://docs.codehaus.org/display/MAVEN/Repository+Security
Hide
Permalink
Brett Porter added a comment -

a rough look at required checksums - not effective as it needs to be merged through the resolution tree

Show
Brett Porter added a comment - a rough look at required checksums - not effective as it needs to be merged through the resolution tree

People

  • Assignee:
    Unassigned
    Reporter:
    Brett Porter
Vote (5)
Watch (7)

Dates

  • Created:
    Updated: