jmeter-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Milamber <milam...@apache.org>
Subject Re: Dependency checksum verification vs PGP-based verification
Date Fri, 09 Aug 2019 10:54:32 GMT
Hello Vladimir,

JMeter user SHA512 (since 2017) and follow the requirement from ASF:
http://www.apache.org/dev/release-distribution#sigs-and-sums

You can check the JMeter distribution with the ASF Checker, that check 
the PGP sign And the SHA512 checksum:
https://checker.apache.org/projs/jmeter.html

I suppose that we can do the same things to check the jar files used by 
JMeter (i.e. check the PGP signs and the SHA checksum).

Milamber


On 07/08/2019 14:02, Vladimir Sitnikov wrote:
> Hi,
>
> Historically JMeter build used SHA512 for verification of the dependencies.
>
> I wonder what if we use PGP-based verification instead.
> Would you consider "trust org.apache.bcel dependency if it is signed by
> 86fdc7e2a11262cb" good enough?
>
> Rough estimation shows that we have ~180 dependencies
> And we miss signatures for ~30 of them (see below).
>
> What do you think if we use "dependency verification" in a form of
> 87a7f75a6a8ba5fc org.apache.activemq
> 86fdc7e2a11262cb org.apache.bcel
> 3faad2cd5ecbb314 org.apache.commons
> 64a16faaec16a4be org.apache.commons
> ?
>
> In other words "trust dependency
> org.apache.commons:<any-module>:<any-version> if it is signed by
> 3faad2cd5ecbb314 or 64a16faaec16a4be PGP key"
> That would simplify library upgrades since the library is often released by
> a finite set of PGP keys.
>
> I think behind the lines of (see
> https://github.com/vlsi/vlsi-release-plugins/issues/9 )
>
> <dependency-verification>
>      <trusted-keys>
>          <!-- Trust artifacts for org.jetbrains.** if they are signed by
> bcf4173966770193 -->
>          <key id="bcf4173966770193" group="org.jetbrains"/>
>          <!-- Trust artifacts for org.jetbrains.intellij.deps.** if they are
> signed by 379ce192d401ab61 -->
>          <key id="379ce192d401ab61" group="org.jetbrains.intellij.deps"/>
>      </trusted-keys>
>      <dependencies>
>          <!-- Trust the specific module if it is signed by one of the two
> keys OR
>                   if is has one of the two checksums -->
>          <dependency group="com.android.tools" module="dvlib"
> version="24.0.0">
>
> <sha512>BF96E53408EAEC8E366F50E0125D6E7E072400887C03EC3C7E8C0B4C9267E5E5B4C0BB2D1FA3355B878DFCEE9334FB145AC38E3CD54D869D9F5283145169DECF</sha512>
>              <sha512>239789823479823497823497234978</sha512>
>              <pgp>ac214caa0612b399</pgp>
>              <pgp>bcf4173966770193</pgp>
>          </dependency>
>      </dependencies>
> </dependency-verification>
>
>
> Missing PGP 31 signatures.
> I have created ASM issue to add PGP:
> https://gitlab.ow2.org/asm/asm/issues/317878
> Similar issues can be created for most of the rest dependencies.
>
>    antlr:antlr:2.7.7@jar.asc
>    bsf:bsf:2.4.0@jar.asc
>
> com.github.bulenkov.darcula:darcula:e208efb96f70e4be9dc362fbb46f6e181ef501dd@jar.asc
>    com.github.vlsi.gradle:crlf-plugin:1.17.0@jar.asc
>    com.github.vlsi.gradle:ide-plugin:1.17.0@jar.asc
>    com.github.vlsi.gradle:license-gather-plugin:1.17.0@jar.asc
>    com.github.vlsi.gradle:stage-vote-release-plugin:1.17.0@jar.asc
>    commons-logging:commons-logging:1.0.4@jar.asc
>    de.marcphilipp.gradle:nexus-publish-plugin:0.2.0@jar.asc
>    gradle.plugin.com.github.spotbugs:spotbugs-gradle-plugin:1.6.10@jar.asc
>
> gradle.plugin.org.jetbrains.gradle.plugin.idea-ext:gradle-idea-ext:0.5@jar.asc
>    net.jcip:jcip-annotations:1.0@jar.asc
>    net.sf.ezmorph:ezmorph:1.0.6@jar.asc
>    net.sf.json-lib:json-lib:2.3:jdk15@jar.asc
>    org.codehaus.groovy.modules.http-builder:http-builder:0.7.1@jar.asc
>    org.nosphere.apache:creadur-rat-gradle:0.5.0@jar.asc
>    org.ow2.asm:asm-analysis:6.2.1@jar.asc
>    org.ow2.asm:asm-analysis:7.0@jar.asc
>    org.ow2.asm:asm-commons:6.2.1@jar.asc
>    org.ow2.asm:asm-commons:7.0@jar.asc
>    org.ow2.asm:asm-tree:6.2.1@jar.asc
>    org.ow2.asm:asm-tree:7.0@jar.asc
>    org.ow2.asm:asm-util:7.0@jar.asc
>    org.ow2.asm:asm:6.2.1@jar.asc
>    org.ow2.asm:asm:7.0@jar.asc
>    org.ow2.asm:asm:7.1@jar.asc
>    oro:oro:2.0.8@jar.asc
>    xerces:xercesImpl:2.9.1@jar.asc
>    xml-resolver:xml-resolver:1.2@jar.asc
>    xmlpull:xmlpull:1.1.3.1@jar.asc
>    xpp3:xpp3_min:1.1.4c@jar.asc
>
> Vladimir
>


Mime
View raw message