Can someone please tell me what the available options are to verify the PGP signatures of Maven dependencies in a product build environment? When I was investigating this problem, I encountered this article, which explains solutions for this problem, but those options require manual involvement one way or another when verifying the signature.

Even though pgpverify-maven-plugin is built to fulfill this requirement, without manually defining the trusted public fingerprints in the key map of the pgpverify plugin, we will not be able to fully trust the verification results that come from the pgpverify plugin (correct me if I am wrong).

So my questions are:

  1. Do we have any alternatives to achieve fully automated verification for Maven dependencies?

  2. With the current behavior of the Maven repo, is the pgpverify plugin the best solution we can rely on? Don't we have any paid solution to get this done (I looked into Nexus but could not find one; Nexus signature verification is somewhat similar to the pgpverify plugin)?

  3. Why does the Maven repository not have a central key to verify all the dependencies uploaded to Maven Central, just like the npm registry?

  • 1) Simple answer: no. 2) Simple answer: no. Paid solution? Maven is an open source project (100%). 3) If there existed such a central key, the key itself would become useless. The idea of a gpg key is to sign each artifact by a particular person. (In npm there have been a lot of issues related to that.) Can you explain what you would like to achieve by checking the signature? – khmarbaise Feb 24 '22 at 06:26
  • @khmarbaise By verifying the signature I can get to know whether the downloaded artifact was altered or not. But how do I verify the origin of the artifact? Is the one who signed the artifact the real developer or not? That is the part I am worried about. As of now that part is handled via pgpverify-maven-plugin and their key map. However, it is a manual method. That is why I checked whether there is a way to automate it. – yello_flash Feb 28 '22 at 09:49
  • To check if an artifact was changed during the download, the hashes (md5 and sha1) are the correct way to go. That means turn on the checksum policy (https://blog.soebes.de/blog/2018/10/13/maven-artifact-checksums-what/). So checking the gpg part means you have to have a source of truth about the gpg signing keys (in the end the fingerprints which you trust). And furthermore, what is a really developer? And in the end, a manual process/method. – khmarbaise Feb 28 '22 at 13:31
  • **real developer** - the person who really owns the Maven plugin, the legitimate owner of a Maven plugin. **manual process/method** - in the pgpverify plugin, all the trusted fingerprints should be manually listed. I am asking whether, without doing that, there is any place we can get a trusted fingerprint list. Then I don't have to list down new fingerprints when I onboard a new Maven dependency; pgpverify can directly check that predefined list and confirm the validity of the Maven dependency. – yello_flash Mar 01 '22 at 12:41
  • `the person who really owns the maven plugin` usually not a single developer owns a plugin... maybe a team of devs. For some plugins it's true but not for all... also the question: `legitimate owner of an maven plugin.` ??? – khmarbaise Mar 02 '22 at 15:41
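
An added pom.xml fragment, not taken from the question or the comments, that wires together the two mechanisms the comments separate: the repository `checksumPolicy` (integrity of the download) and pgpverify-maven-plugin's keys map (pinning which signing key is trusted per artifact, which is the part that stays manual). The plugin version and the fingerprints are placeholders; the key-map path and the `junit:junit` entry are assumptions for illustration.

```xml
<project>
  <!-- Integrity: refuse artifacts whose published .sha1/.md5 does not match.
       Default is "warn", which only logs a mismatch and continues. -->
  <repositories>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
      <releases><checksumPolicy>fail</checksumPolicy></releases>
      <snapshots><enabled>false</enabled></snapshots>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
      <releases><checksumPolicy>fail</checksumPolicy></releases>
    </pluginRepository>
  </pluginRepositories>

  <build>
    <plugins>
      <!-- Origin: verify .asc signatures and require the signing key to be
           one listed in the keys map. A valid signature from an unlisted
           key fails the build; this is the trust decision nobody else can
           automate for you. -->
      <plugin>
        <groupId>org.simplify4u.plugins</groupId>
        <artifactId>pgpverify-maven-plugin</artifactId>
        <version>PLUGIN_VERSION_PLACEHOLDER</version>
        <executions>
          <execution>
            <goals><goal>check</goal></goals>
          </execution>
        </executions>
        <configuration>
          <!-- Assumed path; one line per artifact in the form
               groupId:artifactId[:version] = fingerprint, e.g. (placeholder
               fingerprint, not a real key):
               junit:junit = 0x0000000000000000000000000000000000000000 -->
          <keysMapLocation>${project.basedir}/pgp-keys-map.list</keysMapLocation>
          <!-- Treat a dependency with no .asc file as a failure rather than
               silently skipping it. -->
          <failNoSignature>true</failNoSignature>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

The keys map is the source of truth the comments refer to: onboarding a new dependency means adding its publisher's fingerprint there after checking it out of band, so the build can enforce the decision automatically from then on.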
