s4u / pgpverify-maven-plugin

Verify Open PGP / GPG signatures plugin

Home Page: https://www.simplify4u.org/pgpverify-maven-plugin/

License: Apache License 2.0

Java 89.04% Groovy 10.96%
gpg hacktoberfest java maven-plugin pgp security verify

pgpverify-maven-plugin's Issues

Plugin should fail when new versions of a dependency are unsigned

If a signed dependency is updated to a new, unsigned version the plugin should fail the build with an appropriate error message since this is very sketchy behaviour. This involves keeping track of a mapping of groupId + artifactId to keys, something which is already partially implemented with the "keyMap".

Handle tools.jar (and other 'provided' jars)

Almost 100% of the time, tools.jar is provided by the local JVM, and the version Maven uses for it is the minimum version required but might not be the installed version. In other words, the version in the POM might indicate that 1.5.0 is required (i.e. com.sun:tools:jar:1.5.0), but because JDK 1.8 is installed, it's using the tools from 1.8 (e.g. com.sun:tools:jar:1.8.0).

Since the artifact ships without a signature in the JDK, it fails validation. If you sign it and upload the armor file to a trusted local repo, then the issue is that the signature may not match because the version of tools being used locally differs from the signed copy even though the group, artifact, and version seem to match.

Support for multiple keyservers

We assume:

  • pgpKeyServer - the option can contain many server addresses separated by , (comma)
  • we will add a new option keyServerLoadBalance with a boolean value
    -- true - use round robin on the key server list - default
    -- false - use the first server, and the next one if the previous fails
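The two strategies proposed above, as an added example that is not part of pgpverify-maven-plugin. The option names follow the proposal (a comma-separated pgpKeyServer string and a boolean keyServerLoadBalance); the fetch callback, the KeyServerList class and the offline simulate() harness are this example's own assumptions. Both strategies move on to the next server when one fails and give up only after every server has failed; they differ only in where each lookup starts.

```python
"""Key-server selection: round robin vs. first-then-failover.
Added example, not pgpverify-maven-plugin code; option names follow the proposal,
the fetch callback and simulate() harness are assumptions of this example."""


class KeyServerList:
    def __init__(self, pgp_key_server, key_server_load_balance=True):
        self.servers = [s.strip() for s in pgp_key_server.split(",") if s.strip()]
        if not self.servers:
            raise ValueError("pgpKeyServer must list at least one server")
        self.load_balance = key_server_load_balance
        self._next = 0                        # round-robin cursor: where the next lookup starts

    def fetch(self, key_id, fetch_fn):
        """Ask the servers for key_id until one answers.
        Round robin rotates the starting server for every lookup; failover always
        starts at the first server. Both try every server once before giving up."""
        count = len(self.servers)
        start = self._next if self.load_balance else 0
        if self.load_balance:
            self._next = (self._next + 1) % count
        errors = []
        for i in range(count):
            server = self.servers[(start + i) % count]
            try:
                return server, fetch_fn(server, key_id)
            except OSError as exc:            # network failure or HTTP error surfaced as OSError
                errors.append(f"{server}: {exc}")
        raise LookupError(f"key {key_id} not available from any key server: " + "; ".join(errors))


def simulate(pgp_key_server, load_balance, failing, rounds=2):
    """Constructed offline harness: servers named in `failing` answer 404, the others
    return a placeholder; returns the list of servers tried in each lookup round."""
    tried = []

    def fake_fetch(server, key_id):
        tried.append(server)
        if server in failing:
            raise OSError("HTTP/1.1 404 Not Found")
        return f"<key {key_id} from {server}>"

    servers = KeyServerList(pgp_key_server, load_balance)
    per_round = []
    for _ in range(rounds):
        del tried[:]
        servers.fetch("0x0123456789ABCDEF", fake_fetch)   # synthetic key ID
        per_round.append(list(tried))
    return per_round
```

With load balancing on, a server that returned 404 in the first round is not retried first in the second round; with it off, the first server is always asked first and the others are only fallbacks.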

Unhandled use case: public key cannot be downloaded for artifact signature

We currently do not anticipate that we may not be able to download the public key for an artifact signature. So, if this does happen, the process fails and we do not have a way around this. (AFAICT. I might be missing something ...)

[ERROR] Failed to execute goal org.simplify4u.plugins:pgpverify-maven-plugin:1.7.0-SNAPSHOT:check (default-cli) on project otr4j: Failed to process signature '/home/danny/.m2/repository/org/codehaus/plexus/plexus-archiver/4.0.0/plexus-archiver-4.0.0.jar.asc' for artifact org.codehaus.plexus:plexus-archiver:jar:4.0.0: PGP server returned an error: HTTP/1.1 404 Not Found for: https://hkps.pool.sks-keyservers.net/pks/lookup?op=get&options=mr&search=0x44146BCAA1F1E051 -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.simplify4u.plugins:pgpverify-maven-plugin:1.7.0-SNAPSHOT:check (default-cli) on project otr4j: Failed to process signature '/home/danny/.m2/repository/org/codehaus/plexus/plexus-archiver/4.0.0/plexus-archiver-4.0.0.jar.asc' for artifact org.codehaus.plexus:plexus-archiver:jar:4.0.0
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.apache.maven.plugin.MojoFailureException: Failed to process signature '/home/danny/.m2/repository/org/codehaus/plexus/plexus-archiver/4.0.0/plexus-archiver-4.0.0.jar.asc' for artifact org.codehaus.plexus:plexus-archiver:jar:4.0.0
    at org.simplify4u.plugins.PGPVerifyMojo.verifyPGPSignature (PGPVerifyMojo.java:462)
    at org.simplify4u.plugins.PGPVerifyMojo.verifyArtifactSignatures (PGPVerifyMojo.java:374)
    at org.simplify4u.plugins.PGPVerifyMojo.execute (PGPVerifyMojo.java:295)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: java.io.IOException: PGP server returned an error: HTTP/1.1 404 Not Found for: https://hkps.pool.sks-keyservers.net/pks/lookup?op=get&options=mr&search=0x44146BCAA1F1E051
    at org.simplify4u.plugins.PGPKeysServerClient.copyKeyToOutputStream (PGPKeysServerClient.java:234)
    at org.simplify4u.plugins.PGPKeysCache.receiveKey (PGPKeysCache.java:117)
    at org.simplify4u.plugins.PGPKeysCache.getKeyRing (PGPKeysCache.java:81)
    at org.simplify4u.plugins.PGPVerifyMojo.verifyPGPSignature (PGPVerifyMojo.java:423)
    at org.simplify4u.plugins.PGPVerifyMojo.verifyArtifactSignatures (PGPVerifyMojo.java:374)
    at org.simplify4u.plugins.PGPVerifyMojo.execute (PGPVerifyMojo.java:295)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)

Note: line numbers may be slightly off as this is based on a custom build.

Also verify pom files

As you can specify transitive dependencies in the pom files, I think it is also important to verify the authenticity of the pom files that the project downloads.

No guarantees on key consistency

As far as I can tell, the plugin will have no problem with a dependency that changes signing keys or one which moves from signing to not signing its files. This exposes users to any number of threats involving attackers compromising the remote repository and either signing a malicious update with their own key or just not signing the update at all.

Ideally, the plugin should fail when a previously signed dependency is no longer signed. It should also fail when a new key is used to sign a dependency, though the message in that case should advise examining the new key and manually allowing it if everything looks good (like the SSH message for strict hostname verification).

The "keysMap" file may be able to help provide some of these guarantees, though I'm not 100% on what it's currently used for.
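The check asked for in this report and in "Plugin should fail when new versions of a dependency are unsigned" above, as an added example that is not part of pgpverify-maven-plugin: trust-on-first-use pinning of the signing key per groupId:artifactId, modelled on SSH known_hosts. The pin-file syntax (groupId:artifactId=0xFINGERPRINT, one per line), the SignerPins class and the PinViolation exception are this example's own assumptions; pins are keyed on the full 40-hex fingerprint rather than a 64-bit key ID.

```python
"""Trust-on-first-use pins for the key that signs each groupId:artifactId.
Added example, not pgpverify-maven-plugin code; the pin-file syntax and the
class/exception names are assumptions of this example."""


class PinViolation(Exception):
    """A previously pinned artifact arrived unsigned or signed by another key."""


class SignerPins:
    def __init__(self, text=""):
        # groupId:artifactId -> 40-hex fingerprint of the key that first signed it
        self.pins = {}
        for raw in text.splitlines():
            line = raw.strip()
            if line and not line.startswith("#"):
                ga, _, fpr = line.partition("=")
                fpr = fpr.strip()
                self.pins[ga.strip()] = fpr[2:].upper() if fpr.startswith("0x") else fpr.upper()

    def dump(self):
        """Serialise the pins so the build can commit them to SCM next to the POM."""
        return "\n".join(f"{ga}=0x{fpr}" for ga, fpr in sorted(self.pins.items()))

    def check(self, group, artifact, version, signer_fpr):
        """signer_fpr: fingerprint of the key whose signature verified, or None if unsigned.
        Returns 'pinned' (first sight, pin recorded), 'ok' (matches the pin) or
        'unpinned' (never seen signed); raises PinViolation when a pinned artifact regresses."""
        ga, gav = f"{group}:{artifact}", f"{group}:{artifact}:{version}"
        pinned = self.pins.get(ga)
        if signer_fpr is not None:
            signer_fpr = signer_fpr.upper()
        if pinned is None:
            if signer_fpr is None:
                return "unpinned"            # nothing to compare against; failNoSignature decides
            self.pins[ga] = signer_fpr
            return "pinned"
        if signer_fpr is None:
            raise PinViolation(f"{gav} is UNSIGNED, but earlier versions were signed by 0x{pinned}")
        if signer_fpr != pinned:
            raise PinViolation(
                f"{gav} is signed by 0x{signer_fpr}, but 0x{pinned} is pinned for {ga}.\n"
                f"Inspect the new key; if it is legitimate, replace the pin with {ga}=0x{signer_fpr}")
        return "ok"
```

The pin file is written once (dump()) and committed, so a later build that sees a different signer fails loudly with the fingerprint it would need to accept, instead of silently fetching whatever key the new signature names.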

wrong filename used for artifacts of type "test-jar"

Steps to Reproduce

  1. Publish test JARs for a signed artifact. For example, write some basic test sources and include this in a POM:
  <project>
    <!-- ... omitted other sections ... -->
    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jar-plugin</artifactId>
                <executions>
                    <execution>
                        <goals>
                            <goal>test-jar</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-gpg-plugin</artifactId>
                <configuration>
                    <passphrase>${gpg.passphrase}</passphrase>
                    <useAgent>true</useAgent>
                </configuration>
                <executions>
                    <execution>
                        <id>sign-artifacts</id>
                        <phase>verify</phase>
                        <goals>
                            <goal>sign</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
    <!-- ... omitted other sections ... -->
</project>
  2. In another artifact, reference the test JAR artifact and add PGP Verify such that it fails on a bad sig. For example:
  <project>
    <!-- ... omitted other sections ... -->
    <dependencies>
         <dependency>
             <groupId>com.github.some-repo</groupId>
             <artifactId>my-artifact</artifactId>
             <type>test-jar</type>
             <scope>test</scope>
         </dependency>
    </dependencies>
    <!-- ... omitted other sections ... -->
    <build>
        <!-- ... omitted other sections ... -->
        <plugins>
            <plugin>
                <groupId>com.github.s4u.plugins</groupId>
                <artifactId>pgpverify-maven-plugin</artifactId>
                <configuration>
                    <failNoSignature>true</failNoSignature>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                        <phase>verify</phase>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
    <!-- ... omitted other sections ... -->
  </project>
  3. Attempt to build using mvn clean install.

Expected Results

The signature file for the test JAR is requested as my-artifact-1.0.0-tests.jar.asc, and the build passes without issue.

Actual Results

The signature file for the test JAR is requested as my-artifact-1.0.0-tests.test-jar.asc, and the build fails.

Goal for generating a keys map file

It would be useful to be able to generate a keys map file from the current project dependencies.

This file can be stored in the project SCM, and the next build with check can be based on it.

It should support multi-module projects and generate one file.

fresh checked-out build fails

mvn install gives:

[ERROR] The build could not read 1 project -> [Help 1]
[ERROR]
[ERROR] The project org.simplify4u.plugins:pgpverify-maven-plugin:1.4.0-SNAPSHOT (/home/blabla/projects/pgpverify-maven-plugin/pom.xml) has 1 error
[ERROR] Non-resolvable parent POM for org.simplify4u.plugins:pgpverify-maven-plugin:1.4.0-SNAPSHOT: Could not find artifact org.simplify4u:parent:pom:2.4.0-SNAPSHOT and 'parent.relativePath' points at no local POM @ line 20, column 13 -> [Help 2]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]

using jdk 11.01 on centos 7 and maven 3.10

Discussion/half baked idea: safely looking up PGP keys automatically

So one of the things that keeps us from going 100% in on PGP checking is the sheer volume of keys we'd have to pin in the keyfile.

Have you seen keybase.io? It's like a fancy PGP keyserver, but it also allows you to bind a PGP key to a GitHub account and email address, pretty cool. Basically, a user publishes a PGP-signed manifest as a Gist on GitHub and keybase gives you a way to verify that proof.

They do something cool too: everything that happens in your account is put into the Bitcoin blockchain. What if we did something similar? We wouldn't have to do the crypto work by hand; keybase has an API for new proof integrations: https://keybase.io/docs/proof_integration_guide

An author could sign up to bind a Maven artifact to a PGP key. We'd have them publish a "proof" to Maven Central showing they can publish a signed test to an artifact namespace.

Then when the plugin encounters an unknown signature, it could see if a proof exists in keybase. We could then verify the proof and pin the key automatically locally.

Extract signature from pgp message

Describe the bug
For artifact org.apache.xmlgraphics:fop:pom:0.95 the asc file contains more information:

gpg --list-packets fop-0.95.pom.asc 
# off=0 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
:compressed packet: algo=1
# off=2 ctb=90 tag=4 hlen=2 plen=13
:onepass_sig packet: keyid 8E1E35C66754351B
        version 3, sigclass 0x00, digest 2, pubkey 17, last=1
# off=17 ctb=ad tag=11 hlen=3 plen=5934
:literal data packet:
        mode b (62), created 1222628963, name="fop-0.95.pom",
        raw data: 5916 bytes
# off=5954 ctb=88 tag=2 hlen=2 plen=70
:signature packet: algo 17, keyid 8E1E35C66754351B
        version 4, created 1222628963, md5len 0, sigclass 0x00
        digest algo 2, begin of digest bf 9a
        hashed subpkt 2 len 4 (sig created 2008-09-28)
        subpkt 16 len 8 (issuer key ID 8E1E35C66754351B)
        data: [160 bits]
        data: [160 bits]

The current implementation can't extract the signature from such a message.

With gpg we can verify it:

gpg --verify fop-0.95.pom.asc 
gpg: Signature made Sun Sep 28 21:09:23 2008 CEST
gpg:                using DSA key 8E1E35C66754351B
gpg: Good signature from "Maximilian .....
gpg:                 aka "Maximilian ...
gpg:                 aka "Maximilian Berger ....

pgp validation of poms done against local poms?

Due to differences in line endings, poms might be different on the local file system than in the Maven repo. I think the pgp validation should be done against the pom from the Maven repo because now they might fail for the wrong reason.

NPE for drools 5.5.0.Final artefacts

Hi,

Trying to scan some of the drools 5.5.0.Final artefacts leads to an NPE in the plugin (happens for the released 1.0 as well as the 1.1.0-SNAPSHOT version):

[DEBUG] Artifact file: /tmp/repo/org/drools/drools-decisiontables/5.5.0.Final/drools-decisiontables-5.5.0.Final.jar
[DEBUG] Artifact sign: /tmp/repo/org/drools/drools-decisiontables/5.5.0.Final/drools-decisiontables-5.5.0.Final.jar.asc
...
[ERROR] Failed to execute goal com.github.s4u.plugins:pgpverify-maven-plugin:1.1.0-SNAPSHOT:check (default-cli) on project XXXXXXXXXXXXXXXXXXX: Execution default-cli of goal com.github.s4u.plugins:pgpverify-maven-plugin:1.1.0-SNAPSHOT:check failed. NullPointerException -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal com.github.s4u.plugins:pgpverify-maven-plugin:1.1.0-SNAPSHOT:check (default-cli) on project XXXXXXXXXXXXXXXXXXX: Execution default-cli of goal com.github.s4u.plugins:pgpverify-maven-plugin:1.1.0-SNAPSHOT:check failed.
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:224)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:120)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:347)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:154)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:584)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:213)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:157)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.apache.maven.plugin.PluginExecutionException: Execution default-cli of goal com.github.s4u.plugins:pgpverify-maven-plugin:1.1.0-SNAPSHOT:check failed.
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:143)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
... 19 more
Caused by: java.lang.NullPointerException
at com.github.s4u.plugins.PGPVerifyMojo.verifyPGPSignature(PGPVerifyMojo.java:305)
at com.github.s4u.plugins.PGPVerifyMojo.execute(PGPVerifyMojo.java:181)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:132)
... 20 more

The dependency that triggers the NPE:

org.drools drools-decisiontables 5.5.0.Final

Greetings,
Markus

Multiple key servers break noKey feature

Describe the bug
When using multiple key servers, the noKey feature in keysMap stops working.

To Reproduce
Configure the plugin with multiple key servers and some artifacts with noKey in keysMap.

Expected behavior
noKey should be accepted independently of the key server count.

Concurrent cache access on Windows.

On Windows systems we should take special care about this exception:

[ERROR] Failed to execute goal org.simplify4u.plugins:pgpverify-maven-plugin:1.8.0-SNAPSHOT:check (default) on project quiet-by-prop: Failed to process signature 'D:\a\pgpverify-maven-plugin\pgpverify-maven-plugin\target\it-repo\org\hamcrest\hamcrest-core\1.3\hamcrest-core-1.3.jar.asc' for artifact org.hamcrest:hamcrest-core:jar:1.3: D:\a\pgpverify-maven-plugin\pgpverify-maven-plugin\target\it-repo\pgpkeys-cache\A6\AD\A6ADFC93EF34893E.asc: The process cannot access the file because it is being used by another process. -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.simplify4u.plugins:pgpverify-maven-plugin:1.8.0-SNAPSHOT:check (default) on project quiet-by-prop: Failed to process signature 'D:\a\pgpverify-maven-plugin\pgpverify-maven-plugin\target\it-repo\org\hamcrest\hamcrest-core\1.3\hamcrest-core-1.3.jar.asc' for artifact org.hamcrest:hamcrest-core:jar:1.3
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.apache.maven.plugin.MojoFailureException: Failed to process signature 'D:\a\pgpverify-maven-plugin\pgpverify-maven-plugin\target\it-repo\org\hamcrest\hamcrest-core\1.3\hamcrest-core-1.3.jar.asc' for artifact org.hamcrest:hamcrest-core:jar:1.3
    at org.simplify4u.plugins.PGPVerifyMojo.verifyPGPSignature (PGPVerifyMojo.java:485)
    at org.simplify4u.plugins.PGPVerifyMojo.verifyArtifactSignatures (PGPVerifyMojo.java:397)
    at org.simplify4u.plugins.PGPVerifyMojo.execute (PGPVerifyMojo.java:309)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: java.nio.file.FileSystemException: D:\a\pgpverify-maven-plugin\pgpverify-maven-plugin\target\it-repo\pgpkeys-cache\A6\AD\A6ADFC93EF34893E.asc: The process cannot access the file because it is being used by another process.
    
    at sun.nio.fs.WindowsException.translateToIOException (WindowsException.java:86)
    at sun.nio.fs.WindowsException.rethrowAsIOException (WindowsException.java:97)
    at sun.nio.fs.WindowsException.rethrowAsIOException (WindowsException.java:102)
    at sun.nio.fs.WindowsFileCopy.move (WindowsFileCopy.java:376)
    at sun.nio.fs.WindowsFileSystemProvider.move (WindowsFileSystemProvider.java:287)
    at java.nio.file.Files.move (Files.java:1395)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.receiveKey (PGPKeysCache.java:164)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.lambda$getKeyRing$1 (PGPKeysCache.java:128)
    at org.simplify4u.plugins.keyserver.PGPKeysCache$KeyServerListOne.execute (PGPKeysCache.java:253)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.getKeyRing (PGPKeysCache.java:128)
    at org.simplify4u.plugins.PGPVerifyMojo.verifyPGPSignature (PGPVerifyMojo.java:446)
    at org.simplify4u.plugins.PGPVerifyMojo.verifyArtifactSignatures (PGPVerifyMojo.java:397)
    at org.simplify4u.plugins.PGPVerifyMojo.execute (PGPVerifyMojo.java:309)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)

Use Issuer Fingerprint signature subpacket to obtain key fingerprint

A new subpacket type, 33 - Issuer Fingerprint, is defined in rfc4880bis - https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-02.html#issuer-fingerprint

  • BC supports it - via org.bouncycastle.bcpg.sig.IssuerFingerprint since 1.62
  • GnuPG supports Issuer Fingerprint since 2.1.16

When the subpacket (SignatureSubpacketTags.ISSUER_FINGERPRINT) exists for a signature we should use it for searching for the pgp key.

Using the fingerprint everywhere protects against short key ID collisions.
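The two parsing problems raised above ("Extract signature from pgp message" and this Issuer Fingerprint request), as one added example that is not pgpverify-maven-plugin code: walk the OpenPGP packets of a .asc payload, descend into a compressed packet when the signature is wrapped one-pass style as in the fop-0.95.pom.asc dump, and read the issuer from the signature subpackets, preferring the type 33 Issuer Fingerprint over the type 16 64-bit key ID. Assumptions: the input is binary packet data (armor already decoded), only v4 signatures are handled, and build_samples() produces constructed test data with zeroed DSA values that parse but could never verify; all function names are this example's own. When both subpackets are present the key ID must equal the low 64 bits of the fingerprint, which is the consistency check a cloned key with a forged short ID cannot pass.

```python
"""Added example (not pgpverify-maven-plugin code): find the signature packet in an
OpenPGP message and read its issuer, preferring the Issuer Fingerprint subpacket
(type 33) to the 64-bit Issuer key ID (type 16). Binary packets, v4 signatures only."""
import struct
import zlib

SIG, ONEPASS, COMPRESSED, LITERAL = 2, 4, 8, 11
SUB_CREATION, SUB_ISSUER, SUB_ISSUER_FPR = 2, 16, 33

def _varlen(buf, pos, subpacket):
    """1/2/5-octet length of new-format packets and subpackets (RFC 4880 4.2.2, 5.2.3.1)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 224 or (subpacket and first < 255):
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths not supported")   # 224..254, packets only

def iter_packets(data):
    """Yield (tag, body) for each packet, old- or new-format header."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                   # new-format header
            tag = ctb & 0x3F
            length, pos = _varlen(data, pos + 1, subpacket=False)
        else:                                            # old-format header
            tag, size, pos = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 0x03], pos + 1
            length = int.from_bytes(data[pos:pos + size], "big") if size else len(data) - pos
            pos += size                                  # size 0: indeterminate, rest of stream
        yield tag, data[pos:pos + length]
        pos += length

def find_signature(data):
    """Body of the first signature packet; descends into compressed packets (fop layout)."""
    for tag, body in iter_packets(data):
        if tag == SIG:
            return body
        if tag == COMPRESSED:
            algo, inner = body[0], body[1:]
            if algo in (1, 2):                           # 1 = ZIP (raw DEFLATE), 2 = ZLIB
                inner = zlib.decompress(inner, -15 if algo == 1 else 15)
            elif algo != 0:                              # 0 = uncompressed; BZip2 (3) not handled
                raise ValueError(f"unsupported compression algorithm {algo}")
            found = find_signature(inner)
            if found is not None:
                return found
    return None

def iter_subpackets(area):
    """Yield (type, value) from a signature subpacket area, critical bit stripped."""
    pos = 0
    while pos < len(area):
        length, pos = _varlen(area, pos, subpacket=True)
        yield area[pos] & 0x7F, area[pos + 1:pos + length]
        pos += length

def issuer_of(sig_body):
    """(fingerprint_hex, keyid_hex) of a v4 signature; a key ID that is not the
    low 64 bits of the fingerprint is rejected."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    start = 6 + hashed_len                               # unhashed area begins here
    unhashed_len = struct.unpack(">H", sig_body[start:start + 2])[0]
    areas = (sig_body[6:start], sig_body[start + 2:start + 2 + unhashed_len])
    fpr = keyid = None
    for sub_type, value in [s for area in areas for s in iter_subpackets(area)]:
        if sub_type == SUB_ISSUER_FPR and len(value) == 21 and value[0] == 4:
            fpr = value[1:].hex().upper()
        elif sub_type == SUB_ISSUER and len(value) == 8:
            keyid = value.hex().upper()
    if fpr and keyid and not fpr.endswith(keyid):
        raise ValueError("Issuer key ID does not match Issuer Fingerprint")
    return fpr, keyid

def _old_packet(tag, body):                              # sample builder, 1-byte length form
    return bytes([0x80 | tag << 2, len(body)]) + body

def build_samples():
    """Constructed data: a detached v4 signature and the same signature wrapped one-pass
    style in a ZIP-compressed packet. Zeroed DSA values: parses, would never verify."""
    sub = lambda t, v: bytes([len(v) + 1, t]) + v        # subpacket: length, type, value
    fpr = bytes(range(20))                               # synthetic v4 fingerprint
    keyid = fpr[-8:]                                     # v4 key ID = its low 64 bits
    hashed = sub(SUB_CREATION, struct.pack(">I", 1222628963)) + sub(SUB_ISSUER_FPR, b"\x04" + fpr)
    unhashed = sub(SUB_ISSUER, keyid)
    sig = (bytes([4, 0x00, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
           + struct.pack(">H", len(unhashed)) + unhashed
           + b"\xbf\x9a" + (struct.pack(">H", 160) + bytes(20)) * 2)
    onepass = bytes([3, 0x00, 2, 17]) + keyid + b"\x01"
    name = b"fop-0.95.pom"
    literal = b"b" + bytes([len(name)]) + name + struct.pack(">I", 1222628963) + b"<project/>"
    inner = _old_packet(ONEPASS, onepass) + _old_packet(LITERAL, literal) + _old_packet(SIG, sig)
    z = zlib.compressobj(wbits=-15)
    wrapped = bytes([0x80 | COMPRESSED << 2 | 3]) + b"\x01" + z.compress(inner) + z.flush()
    return _old_packet(SIG, sig), wrapped
```

For a detached .asc the stream is a single tag 2 packet; for the fop POM it is a tag 8 compressed packet whose decompressed contents hold the one-pass, literal and signature packets, and find_signature() returns the same signature body in both cases. Keyserver lookups should then use the fingerprint when issuer_of() returns one and fall back to the 64-bit key ID only for signatures that predate the subpacket.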

Can't specify master key fingerprint in keys map file if sub key is used for signing.

E.g. the key used to sign junit: https://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0xEFE8086F9E93774E

With junit=0xEFE8086F9E93774E in keys map file:

[INFO] junit:junit:pom:4.12 PGP Signature OK
KeyId: 0xEFE8086F9E93774E UserIds: []

With junit=0x58E79B6ABC762159DC0B1591164BD2247B936711 in keys map file:

[ERROR] Not allowed artifact junit:junit:pom:4.12 and keyID:
junit:junit:4.12=0xEFE8086F9E93774E
https://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0xEFE8086F9E93774E

It seems like although for most keys the id is the last few characters of the fingerprint, this isn't always true?

Add proxy support in the URL fetching

It would be nice to have proxy support for receiving the keys. This is necessary in many companies. Either the environment variables or the system settings (for Windows from the Internet Explorer) can be used for this information.

Possible security issue while retrieving/using PGP keys

I've looked at the code and I think I see a problem, which could prevent this plugin from doing its job (i.e.: warning that a pinned certificate for an artefact changed). Also note that I might have missed something looking at the code and this issue might not be a problem after all. I didn't test this.

Problem

Please see the two links at the end to read about suck attacks. But to resume, someone can publish a key that clone text fields of an existing key and compute to the same KeyId.

Such keys have been found before on key servers. Note that if an attacker is on the network level, retrieving a key could produce only 1 result, with the cloned key. If the key is pinned by the developer using its KeyId I think the plugin will fail to detect this.

  • KeyIds are collision-prone (and existing attacks are doing just that, by 'cloning' complete keys).
  • KeyId seems to be used internally as a key in the Map<> tracking certificates.

Possible solution

  • Do not use KeyId but certificate Fingerprints everywhere possible, which are more unique (but still could have collisions with other keys. But better odds than with KeyId)
  • Handle the situation when retrieving a Key returns more than 1 certificate
  • Force the 'pinning' of a certificate for an artefact to only use the full fingerprint
  • Have a unit test for this (cloned certificate, same KeyId as original, new version of artefact signed with cloned key)

References

https://lkml.org/lkml/2016/8/15/445
https://searchsecurity.techtarget.com/answer/How-can-PGP-short-key-IDs-be-protected-from-collision-attacks
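The two issues above (Issuer Fingerprint lookup with subkey-signed junit, and KeyId collision) both come down to one matching rule: resolve the signing key by full fingerprint when the signature carries one, fall back to the 64-bit key ID only when it does not, refuse an ID that matches several keys, and let a keys-map pin name either the signing subkey or its primary key. The following is an added example written for this page, not code from pgpverify-maven-plugin. It uses only the JDK; the key ring is constructed from the junit values quoted in the issue, and since the subkey's full fingerprint is not on the page it is a labelled placeholder whose low 64 bits are the quoted key ID.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.stream.Collectors;

/**
 * Added example (not plugin code): pin signing keys by full fingerprint, accept a
 * subkey signature when the keys map names the primary key, and refuse a 64-bit
 * key ID that resolves to more than one key in the fetched ring.
 */
public class FingerprintPin {

    /** A fetched public key ring: primary key fingerprint plus subkey fingerprints (upper-case hex). */
    static final class KeyRing {
        final String primaryFingerprint;
        final List<String> subkeyFingerprints;

        KeyRing(String primary, String... subkeys) {
            this.primaryFingerprint = normalize(primary);
            List<String> subs = new ArrayList<>();
            for (String s : subkeys) subs.add(normalize(s));
            this.subkeyFingerprints = subs;
        }

        /** All keys in the ring, primary first. */
        List<String> allFingerprints() {
            List<String> all = new ArrayList<>();
            all.add(primaryFingerprint);
            all.addAll(subkeyFingerprints);
            return all;
        }
    }

    /** Accepts "0x..." or bare hex: 16 hex digits (key ID) or 40 hex digits (v4 fingerprint). */
    static String normalize(String hex) {
        String h = hex.trim().replace(" ", "").toUpperCase(Locale.ROOT);
        if (h.startsWith("0X")) h = h.substring(2);
        if (!h.matches("[0-9A-F]{16}|[0-9A-F]{40}")) {
            throw new IllegalArgumentException("expected a 64-bit key ID or 160-bit fingerprint: " + hex);
        }
        return h;
    }

    /** For OpenPGP v4 keys the 64-bit key ID is the low-order 8 bytes (last 16 hex digits) of the fingerprint. */
    static String keyIdOf(String fingerprintOrId) {
        String h = normalize(fingerprintOrId);
        return h.length() == 40 ? h.substring(24) : h;
    }

    /**
     * Find the key in the ring that made the signature. The Issuer Fingerprint subpacket
     * (rfc4880bis type 33) is preferred; the Issuer key ID is only a fallback, and an ID
     * that matches several keys is exactly the collision case, so it is left unresolved.
     */
    static Optional<String> resolveSigner(String issuerFingerprint, String issuerKeyId, KeyRing ring) {
        if (issuerFingerprint != null) {
            String fp = normalize(issuerFingerprint);
            return ring.allFingerprints().stream().filter(fp::equals).findFirst();
        }
        String id = normalize(issuerKeyId);
        List<String> matches = ring.allFingerprints().stream()
                .filter(candidate -> keyIdOf(candidate).equals(id))
                .collect(Collectors.toList());
        return matches.size() == 1 ? Optional.of(matches.get(0)) : Optional.empty();
    }

    /**
     * Policy of this example: a 40-digit pin must equal the signing key or its primary key;
     * a 16-digit pin is compared on key IDs only and a caller should report it as weak.
     */
    static boolean allowed(String issuerFingerprint, String issuerKeyId, KeyRing ring, String pinned) {
        String pin = normalize(pinned);
        Optional<String> signer = resolveSigner(issuerFingerprint, issuerKeyId, ring);
        if (!signer.isPresent()) return false;        // ring does not contain the signing key
        String signingFp = signer.get();
        if (pin.length() == 40) {
            return pin.equals(signingFp) || pin.equals(ring.primaryFingerprint);
        }
        return pin.equals(keyIdOf(signingFp)) || pin.equals(keyIdOf(ring.primaryFingerprint));
    }

    public static void main(String[] args) {
        // Constructed from the issue: junit:junit:4.12 is signed by subkey 0xEFE8086F9E93774E,
        // whose primary key is 0x58E79B6ABC762159DC0B1591164BD2247B936711.
        String primary = "58E79B6ABC762159DC0B1591164BD2247B936711";
        String subkey = "0123456789ABCDEF01234567" + "EFE8086F9E93774E"; // PLACEHOLDER prefix + quoted key ID
        KeyRing junit = new KeyRing(primary, subkey);
        String sigKeyId = "0xEFE8086F9E93774E";

        // The key ID is the tail of a fingerprint, just of the signing subkey, not of the primary key.
        System.out.println("primary key ID = " + keyIdOf(primary) + ", signing subkey ID = " + keyIdOf(subkey));
        System.out.println("pin by subkey ID:           " + allowed(null, sigKeyId, junit, "0xEFE8086F9E93774E"));
        System.out.println("pin by primary fingerprint: " + allowed(null, sigKeyId, junit, "0x" + primary));
        System.out.println("pin by subkey fingerprint:  " + allowed(subkey, sigKeyId, junit, "0x" + subkey));
        System.out.println("pin by wrong fingerprint:   " + allowed(null, sigKeyId, junit, "0x" + "F".repeat(40)));
    }
}
```

Running it shows why junit's key ID "is not the last characters of the fingerprint": 0x58E7...6711 ends in 164BD2247B936711, the primary key's ID, while the signature was made by a subkey with its own fingerprint. With a keys-map entry holding the primary fingerprint the check still passes, because the pin is compared against both the signing key and the primary key of the fetched ring.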

keys map is not evaluated in the order it appears in the file

Steps to Reproduce

  1. Create a keys map file that looks like this:
test:*:1.0.0=0xA6ADFC93EF34893E
test:test-package:*=0xA6ADFC93EF34893F
  2. Attempt to pull in a dependency named test:test-package:1.0.0 that has the PGP key 0xA6ADFC93EF34893E in a project that uses PGP verify.

Expected Results

PGP signature verification passes because it uses the first mapping it encounters (test:*:1.0.0=0xA6ADFC93EF34893E).

Actual Results

PGP signature verification fails because the keys map is loaded like a Properties file, which is backed by a Hashtable. Consequently, the second mapping (test:test-package:*=0xA6ADFC93EF34893F) appears first in the hash table because the hash of test:test-package:* is a lower hash code than the hash of test:*:1.0.0.

How are keys verified?

How are the OpenPGP keys verified?

Verifying signatures against unverified keys is of very limited use. Skimming the code and looking at the usage examples, I do not see how keys are verified, instead they seem to be fetched automatically based on what key the artifact claims to be issued by (thus, a faked artifact might well just reference a faked key, and thus has a valid signature).

I did not completely read and try to understand the code, but I didn't find any hint keys are verified.

In case this is not available yet, I'd see two possibilities to perform validation of keys:

  • Let the developer using the artifacts decide on what keys are allowed, by providing a whitelist of allowed keys (key fingerprints) per artifact.

    The developer could use GnuPG to construct trust paths to the respective keys; if he's using OpenPGP to this extent, he'll have all data in his GnuPG keychain anyway.

    I guess this is the more reasonable way.

  • Build your own OpenPGP web of trust validation system similar to the one GnuPG uses. Seems a rather complicated thing and not worth the effort, and interfacing GnuPG would probably be more reasonable (and would also not require existing GnuPG users to replicate trust data into the artifact).

Add options to control warning/errors on weak signature

While the base key pinning behavior here is great, in some cases people might want stronger security guarantees - like that weak signature algorithms (like MD5) weren't used to sign the dependency.

It would be nice to add a printed warning message when a signature is weak ("Warning: $groupId:$artifactId:$version has been signed with the weak algorithm $algo"), with an option to upgrade these warnings to build failures.

feature request - inherit proxy from Maven

Our project is open-source and public, so we host the trusted keys map on our public HTTPS server. Unfortunately, users behind a firewall who are building our projects can't build with PGP verification enabled because the mojo cannot resolve the hostname.

The cause appears to be that pgpverify does not use Maven's configured proxy settings when fetching the keys map from a remote server.

I'm not sure if there's a built-in HTTP client that pgpverify could be using, or if a pattern like selectProxy() from nexus-maven-plugins is necessary:
https://github.com/sonatype/nexus-maven-plugins/blob/master/common/src/main/java/org/sonatype/maven/mojo/settings/MavenSettings.java

Validate dependencies of build plug-ins

One significant missing aspect is that dependencies of build plug-ins are not yet validated.

The difficulty is that these dependencies are not resolved in the dependency resolution, or the resolved versions are not exposed through the API. It's not exactly clear. Hence, in case of version range specifications, we don't know which exact version we need to verify.

Solutions:

  • Download and validate all versions that satisfy the version range specification. Version ranges are not allowed for build plug-ins. Therefore, this will never be an option and we can simply acquire the dependencies from the obvious locations in the Maven API.
  • Simply access plug-in dependencies, resolve and validate.

@cobratbq I intend to look into this soon.

Feature request: Retry on transient key server failure

One or more servers in the hkps.pool.sks-keyservers.net pool return a 502 error after a long delay. I have no idea which server it is, or what the underlying cause is, but it happens frequently enough that our builds fail sporadically. Retrying the build usually fixes the issue.

It would be great if PGP Verify could retry up to a certain number of times on transient failures like these, to avoid scrubbing the whole build.

PGPException: Failed signature type: 18 for subKey: ... in key ...

I've got another interesting key.
This is the signature of Maven GAV: commons-beanutils:commons-beanutils:1.9.3

411063A3A0FFD119.zip

pub  1024D/A0FFD119 2002-01-20 Stian Soiland <[email protected]>
                               Stian Soiland-Reyes <[email protected]>
                               Stian Soiland-Reyes <[email protected]>
                               Stian Soiland <[email protected]>
                               Stian Soiland <[email protected]>
                               Stian Soiland <[email protected]>
                               Stian Soiland <[email protected]>
                               Stian Soiland <[email protected]>
                               Stian Soiland <[email protected]>
                               Stian Soiland-Reyes <[email protected]>
                               Stian Soiland <[email protected]>
                               Stian Soiland-Reyes <[email protected]>
                               Stian Soiland-Reyes <[email protected]>
                               Stian Soiland-Reyes <[email protected]>
                               Stian Soiland-Reyes <[email protected]>
                               Stian Soiland-Reyes <[email protected]>
                               Stian Soiland-Reyes <[email protected]>
                               [user attribute packet]
	 Fingerprint=DDDE E876 12E9 FB95 F5C8  D91E 4110 63A3 A0FF D119 

It fails with stacktrace:

org.bouncycastle.openpgp.PGPException: Failed signature type: 18 for subKey: 0x28F43E2AA69480EF7CC64367CCDA41F01581C6CE in key: 0xDDDEE87612E9FB95F5C8D91E411063A3A0FFD119
	at org.simplify4u.plugins.PublicKeyUtils.lambda$null$4(PublicKeyUtils.java:183)
    at io.vavr.control.Try.run (Try.java:118)
    at org.simplify4u.plugins.PublicKeyUtils.lambda$verifySigForSubKey$5 (PublicKeyUtils.java:176)
    at java.util.ArrayList$Itr.forEachRemaining (ArrayList.java:899)
    at org.simplify4u.plugins.PublicKeyUtils.verifySigForSubKey (PublicKeyUtils.java:176)
    at org.simplify4u.plugins.PublicKeyUtils.lambda$verifyPublicKeyRing$3 (PublicKeyUtils.java:171)
...
    at org.simplify4u.plugins.PublicKeyUtils.verifyPublicKeyRing (PublicKeyUtils.java:171)
    at org.simplify4u.plugins.PublicKeyUtils.loadPublicKeyRing (PublicKeyUtils.java:156)
    at org.simplify4u.plugins.PGPKeysCache.getKeyRing (PGPKeysCache.java:85)
    at org.simplify4u.plugins.PGPVerifyMojo.verifyPGPSignature (PGPVerifyMojo.java:419)
    at org.simplify4u.plugins.PGPVerifyMojo.verifyArtifactSignatures (PGPVerifyMojo.java:370)
    at org.simplify4u.plugins.PGPVerifyMojo.execute (PGPVerifyMojo.java:291)

based on your current snapshot version.
I'm not sure about the cause of the issue.
It seems related to loading the public key ring and verifying this ring (before checking the signature of the Maven artifact itself)

Skip execution with system property

Assuming I have bound the pgpverify:verify goal to some phase (let's say verify), is there a way to skip execution from the command line for a particular run?

Something like:

mvn clean verify -Dpgpverify.skip=true

(same idea as -DskipTests, -DskipITs, -Ddependency-check.skip=true etc)

Make pgpverify-maven-plugin thread-safe

When trying to build a multi-module project with multiple threads, Maven will emit the following warning:

# mvn -T 3 install
[...]
[WARNING] *****************************************************************
[WARNING] * Your build is requesting parallel execution, but project      *
[WARNING] * contains the following plugin(s) that have goals not marked   *
[WARNING] * as @threadSafe to support parallel building.                  *
[WARNING] * While this /may/ work fine, please look for plugin updates    *
[WARNING] * and/or request plugins be made thread-safe.                   *
[WARNING] * If reporting an issue, report it against the plugin in        *
[WARNING] * question, not against maven-core                              *
[WARNING] *****************************************************************

While the build usually continues, I also encountered occasional NullPointerExceptions in pgpverify-maven-plugin.

Use HKPS as default protocol for SKS keyservers

Currently, the plugin uses the SKS keyserver pool as the default keyserver (good) but requests and receives the keys in plaintext (not as good). It would be nice if the default was HKPS instead, and if HKPS was handled with the same kind of custom scheme and port logic as HKP in the PGPKeysCache constructor in order to support other HKPS keyservers.

However, this would involve grabbing the CA certificate from https://sks-keyservers.net/sks-keyservers.netCA.pem in order to validate the SKS HKPS connections, which especially in Java is a huge pain.
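The two requests above, retrying on transient keyserver failures and talking HKPS against a keyserver whose CA is not in the JDK's default trust store, fit in one fetch routine. Below is an added example for this page, not plugin code: it builds an SSLContext whose only trust anchors come from a caller-supplied PEM file (the "huge pain" part, in about fifteen lines), forms the same `/pks/lookup?op=get&options=mr` request the plugin's log lines show, and retries bounded times with exponential backoff on 5xx responses, connect failures and timeouts, while treating 4xx as final. The keyserver host and the PEM path are command-line arguments (assumed; the pool named in the issue has since been retired).

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.ConnectException;
import java.net.SocketTimeoutException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.concurrent.ThreadLocalRandom;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not plugin code): fetch an armored key over HKPS, trusting only the
 * CA(s) in a given PEM file, with bounded retries on transient failures.
 */
public class HkpsKeyFetcher {

    /** An SSLContext whose only trust anchors are the certificates in the PEM file. */
    static SSLContext trustOnly(Path caPem) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);                                 // fresh, in-memory store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(caPem)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {  // the PEM may hold a chain
                trust.setCertificateEntry("keyserver-ca-" + i++, c);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Machine-readable key lookup, the same request shape as the plugin's "Receive key:" log line. */
    static URL lookupUrl(String host, String keyId) throws IOException {
        return new URL("https://" + host + "/pks/lookup?op=get&options=mr&search=0x" + keyId);
    }

    /**
     * Returns the armored key bytes. 5xx answers, connect failures and timeouts are retried
     * with exponential backoff plus jitter; a 4xx answer is thrown at once, because a missing
     * key is a verification result rather than a transient fault.
     */
    static byte[] fetchKey(URL url, SSLContext ctx, int maxAttempts) throws IOException, InterruptedException {
        if (maxAttempts < 1) throw new IllegalArgumentException("maxAttempts must be >= 1");
        IOException last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
                conn.setSSLSocketFactory(ctx.getSocketFactory());
                conn.setConnectTimeout(10_000);
                conn.setReadTimeout(30_000);
                int status = conn.getResponseCode();
                if (status == 200) {
                    try (InputStream in = conn.getInputStream()) {
                        return in.readAllBytes();
                    }
                }
                if (status < 500) {
                    throw new IOException("keyserver answered " + status + " for " + url); // not retried
                }
                last = new IOException("keyserver answered " + status + " on attempt " + attempt);
            } catch (SocketTimeoutException | ConnectException e) {
                last = e;                                       // transient: retry below
            }
            if (attempt < maxAttempts) {
                long backoffMs = (1000L << (attempt - 1)) + ThreadLocalRandom.current().nextLong(500);
                Thread.sleep(backoffMs);
            }
        }
        throw last;
    }

    public static void main(String[] args) throws Exception {
        // usage: java HkpsKeyFetcher <keyserver-host> <path/to/ca.pem> <keyId>
        SSLContext ctx = trustOnly(Paths.get(args[1]));
        byte[] key = fetchKey(lookupUrl(args[0], args[2]), ctx, 3);
        System.out.println("received " + key.length + " bytes for 0x" + args[2]);
    }
}
```

Pinning the trust store to the keyserver's own CA, rather than adding that CA to the JDK's cacerts, keeps the narrowed trust local to key retrieval. The retry budget is deliberately small and capped by the attempt count, so a keyserver that is down for good still fails the build promptly instead of hanging it.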

Be able to specify a list of keys to trust

As I understood it this plugin verifies the .jar files with the help of the .asc files and the key server that you specify.

Correct me if I'm wrong, but this doesn't prevent an attacker from injecting both a malicious jar file and an asc file that contains a matching signature for the jar file.

If I could specify what key a specific dependency should be signed with this should remove that hole, or maybe just specify a list of keys that are globally trusted.

Do not expire downloaded signatures (.asc) files

Is your feature request related to a problem? Please describe.
For multiple executions of pgpverify that are sufficiently far apart, signature files of dependencies (.asc files) keep getting redownloaded. This is unnecessary (overhead and dependence on internet) as the signatures are not expected to change anyways.

Describe the solution you'd like
Download the signature files once. Then keep them in the local repository and reuse them every time. That is, assuming that the signature file itself is downloaded successfully, i.e. not broken/empty/etc.

Describe alternatives you've considered
None. I can imagine it is possible to keep them in a separate location or something but that would just mean extra work/risk of failures, etc.

Inconsistent reporting of "successful" artifact verification with `strictNoSignature` and empty keys map

When running pgpverify:check with an empty keys map, i.e. keys map is configured but refers to an empty file, signed artifacts are verified by valid signature only - ignoring keys map - while strictNoSignature fails unsigned artifacts for missing entry in keys map.

Personally, I would argue that if the configuration parameter keysMapLocation is present, then it should fail artifact signature verification even if the keys map is empty. However, strictly speaking this is backwards-incompatible for a very peculiar edge case.

feature request - do not fail on missing signatures in the same project / reactor build order

Currently, pgpverify checks signatures on all dependencies, even if those dependencies come from the same project as the one being built. That works well if the project is always signed when it is being built, but it makes local development inconvenient.

Here's an example scenario where this is a problem:

  • multi-module project A has modules B and C.
  • module C depends on module B.
  • a published version of all modules exists in the Maven repository.
  • the project uses pgpverify to fail the build when signatures are missing or incorrect.

In this scenario, running mvn clean install will cause a failure upon reaching module C because the locally-installed version of module B is not signed with the same signature as the one in the Maven repository.

Perhaps there could be an option to disregard dependencies produced by the same multi-module project.

IllegalArgumentException: Invalid UTF-8 input (for key B0F3710FA64900E7)

IllegalArgumentException: Invalid UTF-8 input:

[DEBUG] Artifact file: /home/runner/.m2/repository/com/google/auto/value/auto-value-annotations/1.6.3/auto-value-annotations-1.6.3.jar
[DEBUG] Artifact sign: /home/runner/.m2/repository/com/google/auto/value/auto-value-annotations/1.6.3/auto-value-annotations-1.6.3.jar.asc
[INFO] Receive key: https://hkps.pool.sks-keyservers.net/pks/lookup?op=get&options=mr&search=0xB0F3710FA64900E7
	to /home/runner/.m2/repository/pgpkeys-cache/B0/F3/B0F3710FA64900E7.asc
...
Caused by: java.lang.IllegalArgumentException: Invalid UTF-8 input
    at org.bouncycastle.util.Strings.fromUTF8ByteArray (Unknown Source)
    at org.bouncycastle.bcpg.UserIDPacket.getID (Unknown Source)
    at org.bouncycastle.openpgp.PGPPublicKey.getUserIDs (Unknown Source)
    at org.simplify4u.plugins.PublicKeyUtils.getUserIDs (PublicKeyUtils.java:90)
    at org.simplify4u.plugins.PGPVerifyMojo.verifyPGPSignature (PGPVerifyMojo.java:439)
    at org.simplify4u.plugins.PGPVerifyMojo.verifyArtifactSignatures (PGPVerifyMojo.java:370)
    at org.simplify4u.plugins.PGPVerifyMojo.execute (PGPVerifyMojo.java:291)

Full maven log

Validate transitive closure of dependencies of build plug-ins and atypical dependencies

Both dependencies of build plug-ins and dependencies that are referenced in atypical locations, such as maven-compiler-plugin annotation processors, are not fully validated. We currently only validate the explicitly referenced dependency itself, but not its transitive closure of dependencies (and their corresponding version after conflict resolution).

Includes indirect dependencies of #54. (Direct dependencies of build plug-ins are already validated.)

Question asked at: https://lists.apache.org/thread.html/e58b66152de1c388e55fb9e86f7d1fefe357a80d5b2f33ab0aef48da%40%3Cdev.maven.apache.org%3E

pgpverify recommends adding subkey instead of primary key

Now that pgpverify-maven-plugin supports the primary key/subkey use-case, we should recommend adding an entry containing the primary key (instead of the subkey) when an entry is missing from the keys map.

For example, recommendation:

[ERROR] Not allowed artifact jakarta.annotation:jakarta.annotation-api:jar:1.3.5 and keyID:
	jakarta.annotation:jakarta.annotation-api:1.3.5 = 0x59A8E169739301FD48139CA00E325BECB6962A24
	https://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0x0E325BECB6962A24

while it could recommend: 0xF6CE460FDBE1AABD1A96456737ECFC571637667C

warning during artifact signature download

In logs we can see:

[WARNING] Could not validate integrity of download from
  https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-ejb-plugin/3.0.1/maven-ejb-plugin-3.0.1.jar.asc:
  Checksum validation failed, no checksums available

We should discover how to download asc files in a proper way.

Add packaging to GAV in key map

Currently the key map has the format:

groupId:artifactId:version = keyId

We want to extend it to:

groupId:artifactId:packaging:version = keyId

where groupId is mandatory and the other fields are optional.
In groupId, artifactId and packaging we can use * or any other regular expression;
version can be specified using Maven version syntax.

There are cases where the pom file has a signature but the jar hasn't.

It would be good to prepare a separate site page describing the key map file syntax.
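The ordering issue earlier on this page (keys map loaded "like a Properties file", so the first entry in the file is not the first one evaluated) and the extended groupId:artifactId:packaging:version format proposed here are served by one reader. Below is an added example for this page, not the plugin's own KeysMap implementation: it keeps entries in file order so the first match wins, applies the format just described, and contrasts the result with what java.util.Properties makes of the same text. Assumptions of this example: groupId is the only required field; a three-field left-hand side is the legacy groupId:artifactId:version form; "*" or a regular expression is accepted in groupId, artifactId and packaging; version is either "*" or an exact string (Maven version ranges are not modelled).

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Pattern;

/** Added example (not plugin code): an order-preserving keys map with first-match-wins lookup. */
public class OrderedKeysMap {

    static final class Entry {
        final Pattern groupId, artifactId, packaging;
        final String version;   // "*" or an exact version
        final String keyId;

        Entry(String groupId, String artifactId, String packaging, String version, String keyId) {
            this.groupId = field(groupId);
            this.artifactId = field(artifactId);
            this.packaging = field(packaging);
            this.version = version;
            this.keyId = keyId;
        }

        boolean matches(String g, String a, String p, String v) {
            return groupId.matcher(g).matches() && artifactId.matcher(a).matches()
                    && packaging.matcher(p).matches() && (version.equals("*") || version.equals(v));
        }

        /** "*" means any value; anything else is taken as a regular expression, as the issue proposes. */
        private static Pattern field(String s) {
            return Pattern.compile(s.equals("*") ? ".*" : s);
        }
    }

    /** Parses the keys map preserving line order; blank lines and '#' comments are skipped. */
    static List<Entry> parse(String text) {
        List<Entry> entries = new ArrayList<>();
        for (String raw : text.split("\\R")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            int eq = line.indexOf('=');
            if (eq < 0) throw new IllegalArgumentException("missing '=' in: " + line);
            String[] f = line.substring(0, eq).trim().split(":", -1);
            String keyId = line.substring(eq + 1).trim();
            switch (f.length) {
                case 1: entries.add(new Entry(f[0], "*", "*", "*", keyId)); break;
                case 2: entries.add(new Entry(f[0], f[1], "*", "*", keyId)); break;
                case 3: entries.add(new Entry(f[0], f[1], "*", f[2], keyId)); break;   // legacy g:a:v
                case 4: entries.add(new Entry(f[0], f[1], f[2], f[3], keyId)); break;
                default: throw new IllegalArgumentException("too many ':' separated fields in: " + line);
            }
        }
        return entries;
    }

    /** First matching entry in file order wins. */
    static Optional<String> lookup(List<Entry> entries, String g, String a, String p, String v) {
        return entries.stream().filter(e -> e.matches(g, a, p, v)).map(e -> e.keyId).findFirst();
    }

    /** For comparison: Properties is Hashtable-backed and also ends a key at the first unescaped ':'. */
    static Set<String> propertiesKeys(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p.stringPropertyNames();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the two lines from the ordering issue plus one packaging-qualified line.
        String keysMap = "test:*:1.0.0=0xA6ADFC93EF34893E\n"
                       + "test:test-package:*=0xA6ADFC93EF34893F\n"
                       + "org.example:lib:jar:2.0=0x0000000000000001\n";
        List<Entry> entries = parse(keysMap);
        System.out.println("test:test-package:jar:1.0.0 -> "
                + lookup(entries, "test", "test-package", "jar", "1.0.0").orElse("no entry"));
        System.out.println("org.example:lib:pom:2.0 -> "
                + lookup(entries, "org.example", "lib", "pom", "2.0").orElse("no entry"));
        System.out.println("Properties sees keys: " + propertiesKeys(keysMap));
    }
}
```

With the ordered reader the lookup for test:test-package:1.0.0 returns 0xA6ADFC93EF34893E, the first line of the file, which is the expected result in the ordering issue. The Properties comparison shows something besides the lost order: per the java.util.Properties Javadoc a key ends at the first unescaped '=' or ':', so a plain Properties.load of these lines yields the keys "test" and "org.example" only, and a keys-map loader built on Properties must escape the colons or parse the lines itself.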

Refactor of artifact resolving

The deprecated ProjectDependenciesResolver should be replaced by something newer.

All the work of resolving and filtering artifacts should be moved to a dedicated class in order to minimize the lines of code in the mojo class.

The new implementation should be ready for resolving project plugin dependencies - #5

Question: Source of truth?

I just discovered this plugin. Seems to be very useful. Thank you.

Question. If using an internal Nexus repo, then I execute this plugin will the internal repo be the source of truth for signature verifications or will the repo of origin (e.g. Maven Central) be the source of truth?

Errors during mirroring occur, as does the possibility of accidental or malicious modification to internal repos. I'd like the ability to use the repo of origin (typically Maven Central for OSS components and internal Nexus for internally developed components) when validating signatures.

Is that the way this plugin works, and if not, is there any way to achieve what I'm after?

subKey signature for unknown key gives NullPointer

One of my dependencies is DerbyClient 10.10.1.1.
Its key is: https://hkps.pool.sks-keyservers.net/pks/lookup?op=get&options=mr&search=0x3D8B00E198E21827

3D8B00E198E21827.zip

I've attached the key(ring) it downloads from the keyserver.
It fails with the following stacktrace:

java.lang.NullPointerException
	at org.bouncycastle.openpgp.operator.bc.BcPGPKeyConverter.getPublicKey(Unknown Source)
	at org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider$BcPGPContentVerifierBuilder.build(Unknown Source)
	at org.bouncycastle.openpgp.PGPSignature.init(Unknown Source)
	at org.simplify4u.plugins.PublicKeyUtils.lambda$null$4(PublicKeyUtils.java:179)
	at io.vavr.control.Try.run(Try.java:118)
	at org.simplify4u.plugins.PublicKeyUtils.lambda$verifySigForSubKey$5(PublicKeyUtils.java:176)

`NullPointerException` during IT in parallel mode

As mentioned before, I still occasionally get an NPE. This stacktrace is based on code in PR #46, but I strongly suspect this is not related to the PR changes. Please have a look. I suspect you might be able to determine very quickly whether or not this issue is related to parallel processing.

[ERROR] Failed to execute goal org.simplify4u.plugins:pgpverify-maven-plugin:1.5.0-SNAPSHOT:check (default) on project quietByProp: Execution default of goal org.simplify4u.plugins:pgpverify-maven-plugin:1.5.0-SNAPSHOT:check failed. NullPointerException -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.simplify4u.plugins:pgpverify-maven-plugin:1.5.0-SNAPSHOT:check (default) on project quietByProp: Execution default of goal org.simplify4u.plugins:pgpverify-maven-plugin:1.5.0-SNAPSHOT:check failed.
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.apache.maven.plugin.PluginExecutionException: Execution default of goal org.simplify4u.plugins:pgpverify-maven-plugin:1.5.0-SNAPSHOT:check failed.
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:148)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: java.lang.NullPointerException
    at org.bouncycastle.openpgp.operator.bc.BcPGPKeyConverter.getPublicKey (Unknown Source)
    at org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider$BcPGPContentVerifierBuilder.build (Unknown Source)
    at org.bouncycastle.openpgp.PGPSignature.init (Unknown Source)
    at org.simplify4u.plugins.PGPVerifyMojo.verifyPGPSignature (PGPVerifyMojo.java:403)
    at org.simplify4u.plugins.PGPVerifyMojo.verifyArtifactSignatures (PGPVerifyMojo.java:345)
    at org.simplify4u.plugins.PGPVerifyMojo.execute (PGPVerifyMojo.java:276)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
