maven-issues mailing list archives

From "Brett Porter (JIRA)" <j...@codehaus.org>
Subject [jira] Issue Comment Edited: (MEV-653) Invalid signatures at central
Date Fri, 12 Mar 2010 14:21:23 GMT

    [ http://jira.codehaus.org/browse/MEV-653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=213660#action_213660 ]

Brett Porter edited comment on MEV-653 at 3/12/10 8:19 AM:
-----------------------------------------------------------

I looked through this in July '08 and found the following bad sigs:

{code}
maven2-signed/org/apache/maven/*/2.0.5/*.pom.asc
maven2-signed/org/apache/maven/*/2.0.6/*.pom.asc
maven2-signed/org/apache/maven/*/2.0.7/*.pom.asc
maven2-signed/org/apache/maven/scm/*/1.0/*.pom.asc
maven2-signed/org/apache/maven/plugins/maven-scm-plugin/1.0/*.pom.asc
{code}

The problem was that the POM was rewritten after being signed, IIRC, so a few releases went
out without the POM being signed correctly. Since it is only the POM, you can verify it from
SVN and sign it yourself (and we should probably do the same).

On the other hand, there are lots that are missing. The wagon one you pointed out on dev was
probably an improper release process. It's in the same era as the above. When I last counted
the repo in July '08, there were 9570 artifacts not signed. It'd probably be more today. I
still have the scripts on central, and this work might interest you:

http://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Security


      was (Author: brettporter):
    I looked through this in July '08 and found the following bad sigs:

  -path 'maven2-signed/org/apache/maven/*/2.0.5/*.pom.asc' \
  -o -path 'maven2-signed/org/apache/maven/*/2.0.6/*.pom.asc' \
  -o -path 'maven2-signed/org/apache/maven/*/2.0.7/*.pom.asc' \
  -o -path 'maven2-signed/org/apache/maven/scm/*/1.0/*.pom.asc' \
  -o -path 'maven2-signed/org/apache/maven/plugins/maven-scm-plugin/1.0/*.pom.asc' |

The problem was that the POM was rewritten after being signed, IIRC, so a few releases went
out without the POM being signed correctly. Since it is only the POM, you can verify it from
SVN and sign it yourself (and we should probably do the same).

On the other hand, there are lots that are missing. The wagon one you pointed out on dev was
probably an improper release process. It's in the same era as the above. When I last counted
the repo in July '08, there were 9570 artifacts not signed. It'd probably be more today. I
still have the scripts on central, and this work might interest you:

http://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Security

  
> Invalid signatures at central
> -----------------------------
>
>                 Key: MEV-653
>                 URL: http://jira.codehaus.org/browse/MEV-653
>             Project: Maven Evangelism
>          Issue Type: Bug
>            Reporter: Anders Hammar
>
> The signatures for these poms are invalid. This causes issues when setting up environments
> that verify the signatures and is not good as all Apache artifacts are supposed to be signed
> as I understand it. This pom is used as a parent by some artifacts which many Maven plugins
> use. Here's an example:
> maven-compiler-plugin:2.1 depends on maven-toolchain:1.0 which has maven:2.0.6 as parent.
> I asked Jason van Zyl about this as it is (supposedly) he who signed and he says he lost
> that key and revoked it. Hence the signature should fail. However, the weird thing is that
> org.apache.maven:maven-script:2.0.6 was signed with the same key about the same time (part
> of the same release?) and that signature is reported ok.
> I'd happily work with you to solve this. There are possibly more artifacts with invalid
> signatures. However, I have to admit that I am no pgp expert.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
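The two checks discussed in this thread, which artifacts in a repository tree carry no .asc at all (Brett's count of unsigned artifacts) and which detached signatures no longer verify against the file beside them (the POM rewritten after signing), can be scripted against a local mirror. The script below is an added example, not a script from the page, from Maven Central or from the Apache Maven project. It assumes gpg is on PATH for the verify step (without it, signed artifacts are reported as "unverified"), the set of artifact suffixes in ARTIFACT_SUFFIXES is a hypothetical choice, and the sample repository layout under org/example is constructed with placeholder coordinates and placeholder signature files.

```python
#!/usr/bin/env python3
"""Inventory PGP signature coverage of a Maven-repository directory tree.

Added example (not from the page or the Maven project). For every artifact it
answers: is there a sibling .asc, and does that detached signature still match
the bytes on disk? A POM rewritten after it was signed fails the second check.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Hypothetical choice of artifact types to account for; adjust for your repo.
ARTIFACT_SUFFIXES = (".pom", ".jar", ".war", ".ear", ".zip", ".tar.gz")
# Signatures and checksums are metadata, never counted as artifacts themselves.
METADATA_SUFFIXES = (".asc", ".md5", ".sha1")


def is_artifact(path: Path) -> bool:
    name = path.name
    return not name.endswith(METADATA_SUFFIXES) and name.endswith(ARTIFACT_SUFFIXES)


def gpg_status(artifact: Path, signature: Path) -> str:
    """'valid' or 'invalid' from gpg's exit code; 'unverified' if gpg is absent.

    gpg --verify exits non-zero for any mismatch: an artifact whose bytes changed
    after signing, a malformed .asc, or a signer key that is not in the keyring.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return "unverified"
    result = subprocess.run(
        [gpg, "--batch", "--no-tty", "--verify", str(signature), str(artifact)],
        capture_output=True,
    )
    return "valid" if result.returncode == 0 else "invalid"


def scan_repository(root, verify: bool = True) -> dict:
    """Classify every artifact under root as unsigned/valid/invalid/unverified."""
    root = Path(root)
    report = {"unsigned": [], "valid": [], "invalid": [], "unverified": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not is_artifact(path):
            continue
        signature = path.with_name(path.name + ".asc")  # Maven convention: file.asc
        rel = path.relative_to(root).as_posix()
        if not signature.is_file():
            report["unsigned"].append(rel)
        else:
            report[gpg_status(path, signature) if verify else "unverified"].append(rel)
    return report


def summarize(report: dict) -> dict:
    """Counts per status, the number Brett quotes for July '08 being 'unsigned'."""
    return {status: len(paths) for status, paths in report.items()}


# Constructed sample layout (placeholder coordinates and placeholder .asc content).
PLACEHOLDER_SIG = b"-----BEGIN PGP SIGNATURE-----\nplaceholder\n-----END PGP SIGNATURE-----\n"
SAMPLE_FILES = {
    "org/example/parent/1.0/parent-1.0.pom": b"<project/>\n",
    "org/example/parent/1.0/parent-1.0.pom.asc": PLACEHOLDER_SIG,
    "org/example/parent/1.0/parent-1.0.pom.sha1": b"0123456789abcdef\n",
    "org/example/lib/1.0/lib-1.0.jar": b"PK\x03\x04",  # no .asc beside it: unsigned
    "org/example/lib/1.0/lib-1.0.pom": b"<project/>\n",
    "org/example/lib/1.0/lib-1.0.pom.asc": PLACEHOLDER_SIG,
}


def build_sample_repo(base: Path) -> Path:
    for rel, content in SAMPLE_FILES.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


def demo_scan(verify: bool = False) -> dict:
    """Build the constructed sample repo in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repository(build_sample_repo(Path(tmp)), verify=verify)


if __name__ == "__main__":
    result = demo_scan(verify=True)
    print(summarize(result))
    for status, paths in result.items():
        for rel in paths:
            print(f"{status:10s} {rel}")
```

Point it at a real mirror with scan_repository("/path/to/mirror"). An "invalid" entry is not yet proof of a bad release: gpg also exits non-zero when the signer's public key is missing from the local keyring, so import the project's KEYS file first and re-run before treating a failure as the rewritten-after-signing case described above.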
