Maven: MNG-2477

Implement repository security improvements for verification of downloaded artifacts

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None
    • Complexity: Intermediate
    • Number of attachments: 1

        Activity

        Brett Porter added a comment -

        one thought on a quicker gpg implementation: fork gpg (assume it exists, handle the exception if not or disable the capability), and then attach the resulting .asc to an upload. This won't handle downloads but at least gets us the deployment functionality that is highly requested
        Stefano Bagnara added a comment -

        Now that the pgp signing plugin allows us to automatically gpg sign deployed artifacts, isn't it possible to add the possibility to specify that a given dependency must be signed and that you expect a given fingerprint for that artifact?

        We use only local folders for direct dependencies to ensure that our final package includes only "verified" jars, but I would also like to ensure that the build is done using the very plugins I chose, and I want to be able to check their signatures.

        A much less secure but still a step forward would be to be able to specify the md5 in addition to the version when declaring the dependency, so that we can check that we are using the same artifact. (although md5 is cracked and this won't be very secure)
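The two checks the comment above asks for, pinning a dependency to a checksum and requiring that its signature come from a declared key fingerprint, can be sketched in a few lines. The following Python is an added example, not code from Maven or from anyone in this thread; the dependency contents, digests and gpg status lines in it are constructed, and the VALIDSIG handling assumes the `[GNUPG:] VALIDSIG ...` status format that `gpg --status-fd 1 --verify` emits, where the last field is the primary key fingerprint.

```python
"""Checksum pinning and signer-fingerprint checks for downloaded artifacts.

Added example for the MNG-2477 discussion; all sample data is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Digest algorithms that must not be relied on for integrity pinning: the
# thread itself notes md5 is broken, and sha1 is likewise collision-prone.
WEAK_ALGORITHMS = frozenset({"md5", "sha1"})


@dataclass(frozen=True)
class Pin:
    algo: str    # hashlib algorithm name, e.g. "sha256"
    digest: str  # lowercase hex digest of the trusted copy


@dataclass(frozen=True)
class Verdict:
    ok: bool      # True only if the artifact passed the check
    weak: bool    # True if the pin uses an algorithm from WEAK_ALGORITHMS
    reason: str   # human-readable explanation for build logs


def pin_from_trusted_copy(content: bytes, algo: str = "sha256") -> Pin:
    """Record the digest of a locally verified copy (the 'local folder' of
    verified jars the comment describes) so later downloads can be compared
    against it instead of trusting whatever the remote repository serves."""
    algo = algo.lower()
    return Pin(algo, hashlib.new(algo, content).hexdigest())


def verify_checksum(content: bytes, pin: Optional[Pin]) -> Verdict:
    """Compare a downloaded artifact against its declared pin.

    An artifact with no pin fails closed: 'no declared checksum' is treated as
    a failure rather than silently accepted."""
    if pin is None:
        return Verdict(False, False, "no pinned checksum declared for this coordinate")
    weak = pin.algo in WEAK_ALGORITHMS
    actual = hashlib.new(pin.algo, content).hexdigest()
    if not hmac.compare_digest(actual, pin.digest.lower()):
        return Verdict(False, weak, f"{pin.algo} mismatch: download differs from pinned copy")
    note = " (weak algorithm, re-pin with sha256)" if weak else ""
    return Verdict(True, weak, f"{pin.algo} matches{note}")


def signer_fingerprint_matches(gpg_status_output: str, expected_fpr: str) -> Verdict:
    """Check gpg's machine-readable status output for a VALIDSIG line whose
    primary-key fingerprint equals the fingerprint the build declared.

    A valid signature from *some* key is not enough: anyone can sign a
    tampered jar with their own key, so the signer must be the expected one."""
    expected = expected_fpr.replace(" ", "").upper()
    for line in gpg_status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            primary = fields[-1].upper()  # last VALIDSIG field: primary key fingerprint
            if hmac.compare_digest(primary, expected):
                return Verdict(True, False, "valid signature from the expected key")
            return Verdict(False, False, f"valid signature but from unexpected key {primary}")
    return Verdict(False, False, "no VALIDSIG line: signature missing or invalid")


if __name__ == "__main__":
    # Constructed sample artifact and a tampered variant of it.
    trusted = b"constructed contents of widget-1.2.3.jar"
    pin = pin_from_trusted_copy(trusted)
    print(verify_checksum(trusted, pin))
    print(verify_checksum(trusted + b"\x00", pin))
    print(verify_checksum(trusted, pin_from_trusted_copy(trusted, "md5")))

    # Constructed gpg status output; fingerprints are placeholders.
    status = (
        "[GNUPG:] NEWSIG\n"
        "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 "
        "1704067200 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
        "[GNUPG:] TRUST_FULLY 0 pgp\n"
    )
    print(signer_fingerprint_matches(status, "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"))
    print(signer_fingerprint_matches(status, "0123456789ABCDEF0123456789ABCDEF01234567"))
```

Matching on the primary key fingerprint rather than the signing subkey's fingerprint (the first VALIDSIG field) lets the publisher rotate signing subkeys without every consumer having to update its pin, while still rejecting a valid signature from any other key. The `weak` flag keeps an md5 pin working, as the comment proposes, but makes it visible in build output so it can be upgraded.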
        Brett Porter added a comment -

        the page was moved to http://docs.codehaus.org/display/MAVEN/Repository+Security
        Brett Porter added a comment -

        a rough look at required checksums - not effective as it needs to be merged through the resolution tree
        Jason van Zyl added a comment -

        Please refer to https://cwiki.apache.org/confluence/display/MAVEN/The+Great+JIRA+Cleanup+of+2014 if you're wondering why this issue was closed out.

    People

    • Assignee: Unassigned
    • Reporter: Brett Porter
    • Votes: 5
    • Watchers: 8