maven-issues mailing list archives

From Hervé Boutemy (JIRA) <j...@apache.org>
Subject [jira] [Updated] (MNG-5814) Be able to verify the pgp signature of downloaded plugins against a trust configuration
Date Mon, 21 May 2018 16:35:00 GMT

     [ https://issues.apache.org/jira/browse/MNG-5814?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hervé Boutemy updated MNG-5814:
-------------------------------
    Summary: Be able to verify the pgp signature of downloaded plugins against a trust configuration
 (was: Be able to verify the pgp signature of downloaded plugins)

> Be able to verify the pgp signature of downloaded plugins against a trust configuration
> ---------------------------------------------------------------------------------------
>
>                 Key: MNG-5814
>                 URL: https://issues.apache.org/jira/browse/MNG-5814
>             Project: Maven
>          Issue Type: Improvement
>          Components: Plugin Requests
>            Reporter: Alexander Kjäll
>            Priority: Major
>              Labels: security
>
> In order to protect ourselves against an attacker that can do injection attacks on our downloads we need to verify the pgp signatures of the downloaded artifacts.
> For normal dependencies this can be done with a plugin, for example this one: https://github.com/s4u/pgpverify-maven-plugin/
> But it's not possible for a plugin to verify its own authenticity, as it was downloaded over a possibly insecure channel itself.
> Therefore we need something preinstalled that verifies that the plugin we downloaded is the same one that was specified in our pom file.
> I propose that functionality is added to maven that verifies the jar and pom files of plugins against their pgp signature files. And some sort of notation is added to the pom file so that it's possible to specify the signing key for a plugin.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
