
ssl - Maven verify signatures of downloaded pom/jar files

Question:

I was trying to find out if there is an SSL-enabled central repository, but there probably isn't. I noticed that there are signatures for every jar and pom file in the Maven central repository. So at least I'd like to check the signatures of all files Maven downloads (pom/jar).

The example from http://repo1.maven.org/maven2/org/apache/ant/ant/1.8.2/:

ant-1.8.2.jar
ant-1.8.2.jar.asc
ant-1.8.2.jar.asc.md5
ant-1.8.2.jar.asc.sha1
ant-1.8.2.jar.md5
ant-1.8.2.jar.sha1
ant-1.8.2.pom
ant-1.8.2.pom.asc
ant-1.8.2.pom.asc.md5
ant-1.8.2.pom.asc.sha1
ant-1.8.2.pom.md5
ant-1.8.2.pom.sha1

I realize that I'll have to import public keys for every repository and I'm fine with that. I guess that public keys for maven central are here https://svn.apache.org/repos/asf/maven/project/KEYS.

There are PLENTY of tutorials on the web on how to sign with Maven. However, I didn't find any information on how to force Maven (2 or 3) to verify the signatures of downloaded jar/pom files. Is it possible?

(Nexus Professional is not an option)

Thank you for help.

Answer:

Now that people seem to realize this is a real security problem (as described in this blog post (the blog seems down; here is an archived version of the blog)), there is a plugin for verifying PGP signatures. You can verify the signatures for all dependencies of your project with the following command:

mvn com.github.s4u.plugins:pgpverify-maven-plugin:check

Of course, to be 100% sure the plugin is not malicious by itself, you would have to download and verify the source for the plugin from maven central, build it with maven, and execute it. (And this should also be done with all the dependencies and plugins that are needed for the build, recursively.)

Or you use Maven 3.2.3 or above (with a clean repository), which uses SSL for downloading all artefacts. Thus man-in-the-middle attacks are impossible and you get at least the artefacts as they are on maven central.

See also:

  • related Question and Answer
  • Sonatype's Blog on this topic

Answer:

SSL access to Central is now available for a token payment. From https://blog.sonatype.com/people/2012/10/now-available-ssl-connectivity-to-central/ :

We’re making SSL connectivity to Central available to anyone that downloads open source components regardless of the repository manager.

...

In order to ensure the highest level of performance for those who count on SSL, we are securing the service with a token. You can get a token for your organization simply by providing a $10 donation that will be donated to open source causes.

Answer:

Could you write a bash shell script using GnuPG to verify each sig?

Something like: for x in *.jar; do gpg --verify "${x}".asc; done

Obviously you would need the public keys for all the sigs before you started.
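As an added example (not code from any of the answers above), a POSIX shell sketch of the per-file check that loop gestures at: it validates an artifact against its .sha1 sidecar, and against its detached .asc signature with a dedicated keyring, pinning the signature to one expected key fingerprint rather than accepting any key gpg happens to know. The keyring path, the fingerprint and the artifact path are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original answers. Checks one downloaded Maven
# artifact against its .sha1 sidecar and, where gpg is installed, against its
# detached .asc signature, requiring a specific signing key.

# Extract the hex digest from a Maven-style .sha1 file. Central serves both
# bare digests and "digest  filename" lines, sometimes with CRLF endings.
sha1_from_sidecar() {
    tr -d '\r' < "$1" | awk 'NF { print tolower($1); exit }'
}

# Compute SHA-1 of a file with whichever tool is present (coreutils or shasum).
sha1_of_file() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{ print $1 }'
    else
        shasum -a 1 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha1 FILE : 0 when FILE matches FILE.sha1, 1 otherwise.
# A checksum only detects corruption: it is served from the same place as the
# artifact, so it is no substitute for the PGP signature check below.
verify_sha1() {
    [ -f "$1.sha1" ] || { echo "missing $1.sha1" >&2; return 1; }
    [ "$(sha1_of_file "$1")" = "$(sha1_from_sidecar "$1.sha1")" ]
}

# status_has_validsig STATUS_TEXT FPR : 0 only if gpg's machine-readable status
# output reports VALIDSIG for exactly FPR. A plain "gpg --verify" exits 0 for a
# good signature from *any* key in the keyring, so the fingerprint is pinned.
status_has_validsig() {
    printf '%s\n' "$1" | grep -q "^\[GNUPG:\] VALIDSIG $2 "
}

# verify_asc FILE FPR : verify FILE.asc using only the keyring named by the
# KEYRING variable (assumed default ./maven-keys.gpg, holding the imported
# Maven release keys) and require the signature to come from FPR.
verify_asc() {
    status=$(gpg --batch --no-default-keyring \
                 --keyring "${KEYRING:-./maven-keys.gpg}" \
                 --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || true
    status_has_validsig "$status" "$2"
}
```

Run it over the local repository with something like `find ~/.m2/repository -name '*.jar' -exec sh -c 'verify_sha1 "$1" && verify_asc "$1" "$FPR"' _ {} \;` after sourcing the functions and exporting FPR.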

Answer:

Assuming you only want to download artifacts with valid checksums, one option would be to run the OSS version of Nexus and configure it to have a proxy of central. Then configure your settings.xml to only load from your repo (mirror tag in settings.xml). You can then configure Nexus to only allow artifacts that have a valid checksum.
