Be able to specify a list of keys to trust #2
Comments
You are right, the plugin verifies artifacts with the help of the corresponding .asc file. Maven Central has required PGP signatures for some years, and currently there is no global method to check those signatures. Your idea is good, I will try to add functionality to achieve more security. I see a few features:
I have prepared a feature for your proposal. You can look into

Looks very good, this makes the plugin significantly more useful. Will test it in the coming days.

Seems that there is an incompatibility between this patch and mine: if someone signs their jar and pom files with different keys, then it breaks. I think this is an example of that:

You can put many keys for one line, e.g.: This case is strange, I thought that building the jars and the pom is done in one task ...

You found an interesting case. As I see it, I guess the files were modified and uploaded manually for this artifact. And I see that the checksum files (.md5, .sha1) have a different modification time from the connected file.
As I understood it this plugin verifies the .jar files with the help of the .asc files and the key server that you specify.
Correct me if I'm wrong, but this doesn't prevent an attacker from injecting both a malicious jar file and an asc file that contains a matching signature for the jar file.
If I could specify which key a specific dependency should be signed with, this would remove that hole; or maybe just specify a list of keys that are globally trusted.
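The check the issue asks for, as an added illustration that is not the plugin's own code: gpg's `--status-fd` output reports `VALIDSIG` for any signature that verifies against a key gpg could fetch, including a key an attacker uploaded to the key server together with a substituted jar and .asc, so the signer's fingerprint has to be compared against a list the project pinned. The trust-list format (`groupId:artifactId = fingerprint[, fingerprint ...]`, with `*` for globally trusted keys) and all fingerprints below are constructed for the example; it also allows several keys per artifact, which covers the jar-and-pom-signed-by-different-keys case from the comments above.

```python
"""Allow-listed signer check for Maven artifact signatures (illustrative, not plugin code)."""
import re
from typing import Dict, Optional, Set, Tuple

FPR = re.compile(r"[0-9A-F]{40}")
VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ")

# Constructed placeholder fingerprints, not real keys.
PRIMARY_A = "1" * 40    # primary key pinned for org.example:lib
SUBKEY_A = "2" * 40     # signing subkey under PRIMARY_A
KEY_B = "3" * 40        # key that signs the org.example:multi jar
KEY_C = "4" * 40        # key that signs the org.example:multi pom
KEY_GLOBAL = "5" * 40   # key trusted for every artifact
KEY_UNKNOWN = "9" * 40  # a key nobody pinned (e.g. one uploaded with a forged .asc)

# Constructed trust list; the format is made up for this example.
TRUST_FILE = f"""
# groupId:artifactId = fingerprint[, fingerprint ...]; '*' means globally trusted
org.example:lib   = {PRIMARY_A}
org.example:multi = {KEY_B}, {KEY_C}   # jar and pom signed by different keys
*                 = {KEY_GLOBAL}
"""


def parse_trust_list(text: str) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Return (per-artifact fingerprints, globally trusted fingerprints)."""
    per_artifact: Dict[str, Set[str]] = {}
    global_keys: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        fprs = {f.strip().upper() for f in value.split(",") if f.strip()}
        for f in fprs:
            if not FPR.fullmatch(f):
                raise ValueError(f"not a 40-hex fingerprint: {f!r}")
        if key.strip() == "*":
            global_keys |= fprs
        else:
            per_artifact.setdefault(key.strip(), set()).update(fprs)
    return per_artifact, global_keys


TRUSTED, TRUSTED_GLOBAL = parse_trust_list(TRUST_FILE)


def signer_fingerprint(status_output: str) -> Optional[str]:
    """Fingerprint from the VALIDSIG status line, or None if the signature did not verify.

    Field layout: [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved>
    <pk-algo> <hash-algo> <class> [<primary-fpr>]. <fpr> may be a subkey; when the
    primary-key fingerprint is present we pin on that, since trust lists name primary keys.
    """
    for line in status_output.splitlines():
        if VALIDSIG.match(line):
            fields = line.split()
            signing = fields[2]
            primary = fields[11] if len(fields) > 11 and FPR.fullmatch(fields[11]) else None
            return primary or signing
    return None  # BADSIG, ERRSIG, NO_PUBKEY etc. all land here


def check_artifact(artifact: str, status_output: str,
                   trusted: Dict[str, Set[str]] = TRUSTED,
                   trusted_global: Set[str] = TRUSTED_GLOBAL) -> str:
    """'ok' only if the signature verifies AND the signer is pinned for this artifact or globally."""
    fpr = signer_fingerprint(status_output)
    if fpr is None:
        return "bad-signature"
    if fpr in trusted.get(artifact, set()) or fpr in trusted_global:
        return "ok"
    return "untrusted-key"  # verifies, but against a key the project never pinned


def fake_status(signing_fpr: str, primary_fpr: Optional[str] = None) -> str:
    """Constructed `gpg --status-fd 1` output for a signature that verifies."""
    tail = f" {primary_fpr}" if primary_fpr else ""
    return (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] GOODSIG {signing_fpr[-16:]} Example Dev <dev@example.org>\n"
        f"[GNUPG:] VALIDSIG {signing_fpr} 2020-01-01 1577836800 0 4 0 1 8 00{tail}\n"
        "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"  # gpg emits VALIDSIG even for keys it does not trust
    )


BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 2222222222222222 Example Dev <dev@example.org>\n"

if __name__ == "__main__":
    print(check_artifact("org.example:lib", fake_status(SUBKEY_A, PRIMARY_A)))   # ok
    print(check_artifact("org.example:lib", fake_status(KEY_UNKNOWN, KEY_UNKNOWN)))  # untrusted-key
    print(check_artifact("org.example:multi", fake_status(KEY_C)))                # ok (second key)
```

In real use the status text would come from `gpg --status-fd 1 --verify artifact.jar.asc artifact.jar`; the point of the example is that `VALIDSIG` (and `TRUST_UNDEFINED`) is exactly what gpg reports for a key the attacker controls, so the `untrusted-key` branch is the one that closes the hole described in the issue.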