Add options to control warning/errors on weak signature #11
Labels
enhancement
New feature or request.
Milestone
Comments
Diagoras
changed the title
pzygielo
pushed a commit
to pzygielo/pgpverify-maven-plugin
that referenced
this issue
May 31, 2024
org.apache.httpcomponents:httpclient .................. 4.5.3 -> 4.5.4 org.apache.httpcomponents:httpcore .................... 4.4.6 -> 4.4.8 org.codehaus.plexus:plexus-utils ..................... 3.0.24 -> 3.1.0 org.eclipse.sisu:org.eclipse.sisu.plexus .............. 0.1.1 -> 0.3.3 org.sonatype.sisu:sisu-guice .......................... 3.1.6 -> 3.2.6 org.eclipse.jetty:jetty-server .... 9.2.9.v20150224 -> 9.2.23.v20171218 org.eclipse.jetty:jetty-servlet ... 9.2.9.v20150224 -> 9.2.23.v20171218 org.eclipse.jetty:jetty-util ...... 9.2.9.v20150224 -> 9.2.23.v20171218 Plugins: maven-invoker-plugin:3.0.1 junit:junit:4.12 org.eclipse.sisu.plexus:0.3.3 This closes s4u#11
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
While the base key pinning behavior here is great, in some cases people might want stronger security guarantees - like that weak signature algorithms (like MD5) weren't use to sign the dependency.
It would be nice to add a printed warning message when a signature is weak ("Warning: $groupId:$artifactId:$version has been signed with the weak algorithm $algo"), with an option to upgrade these warnings to build failures.
The text was updated successfully, but these errors were encountered: