Maven 2 & 3

Implement repository security improvements for verification of downloaded artifacts

Details

  • Complexity:
    Intermediate
  • Number of attachments:
    1

Activity

Brett Porter added a comment -

one thought on a quicker gpg implementation: fork gpg (assume it exists, handle the exception if not or disable the capability), and then attach the resulting .asc to an upload. This won't handle downloads but at least gets us the deployment functionality that is highly requested

Stefano Bagnara added a comment -

Now that the pgp signing plugin allows us to automatically gpg sign deployed artifacts, isn't it possible to add the possibility to specify that a given dependency must be signed and that you expect a given fingerprint for that artifact?

We use only local folders for direct dependencies to ensure that our final package includes only "verified" jars, but I would like also to ensure that the build is done using the very plugins I chose and I want to be able to check their signatures.

A much less secure but still a step forward would be to be able to specify the md5 in addition to version when declaring the dependency, so that we can check that we are using the same artifact. (although md5 is cracked and this won't be very secure)

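An added example (not code from this issue or from Maven itself) of the checksum-pinning idea in the comment above, written as a stand-alone Python checker: the pin format `groupId:artifactId:version` -> `algo:hexdigest`, the `verify_artifact` function and the local-repository layout mapping are assumptions, and md5 pins are rejected outright for the reason the comment gives.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Assumed pin format: "groupId:artifactId:version" -> "algo:hexdigest".
# Algorithms we will not accept as a pin, however convenient they are to produce.
WEAK_ALGORITHMS = {"md5", "sha1"}


def artifact_path(repo_root, coordinate, packaging="jar"):
    """Map Maven coordinates onto the local-repository layout (groupId dots become directories)."""
    group_id, artifact_id, version = coordinate.split(":")
    return Path(repo_root, *group_id.split("."), artifact_id, version,
                f"{artifact_id}-{version}.{packaging}")


def verify_artifact(repo_root, coordinate, pin, chunk_size=65536):
    """Return (ok, reason); ok is False for a weak pin, a missing file, or a digest mismatch."""
    algo, _, expected = pin.partition(":")
    algo = algo.lower()
    if algo in WEAK_ALGORITHMS:
        return False, f"refusing weak pin algorithm {algo}"
    path = artifact_path(repo_root, coordinate)
    if not path.is_file():
        return False, f"artifact not found at {path}"
    digest = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    # Constant-time comparison so a mismatch reveals nothing about which byte differs.
    if not hmac.compare_digest(digest.hexdigest(), expected.lower()):
        return False, "checksum mismatch"
    return True, "ok"


def demo():
    """Build a constructed local repository holding one stand-in jar and check four pins against it."""
    with tempfile.TemporaryDirectory() as tmp:
        coord = "org.example:demo-plugin:1.0"  # constructed coordinates
        path = artifact_path(tmp, coord)
        path.parent.mkdir(parents=True)
        content = b"PK\x03\x04 constructed stand-in for a jar"
        path.write_bytes(content)
        good = "sha256:" + hashlib.sha256(content).hexdigest()
        tampered = "sha256:" + hashlib.sha256(content + b"!").hexdigest()
        weak = "md5:" + hashlib.md5(content).hexdigest()
        return {"good": verify_artifact(tmp, coord, good),
                "tampered": verify_artifact(tmp, coord, tampered),
                "weak": verify_artifact(tmp, coord, weak),
                "missing": verify_artifact(tmp, "org.example:absent:1.0", good)}
```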
Brett Porter added a comment -

the page was moved to http://docs.codehaus.org/display/MAVEN/Repository+Security

Brett Porter added a comment -

a rough look at required checksums - not effective as it needs to be merged through the resolution tree

