Posted to issues@maven.apache.org by "Alexander Kjäll (JIRA)" <ji...@apache.org> on 2015/04/28 21:23:07 UTC

[jira] [Updated] (MNG-5814) Be able to verify the pgp signature of downloaded plugins

     [ https://issues.apache.org/jira/browse/MNG-5814?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexander Kjäll updated MNG-5814:
---------------------------------
    Issue Type: Improvement  (was: Bug)

> Be able to verify the pgp signature of downloaded plugins
> ---------------------------------------------------------
>
>                 Key: MNG-5814
>                 URL: https://issues.apache.org/jira/browse/MNG-5814
>             Project: Maven
>          Issue Type: Improvement
>          Components: Plugin Requests
>            Reporter: Alexander Kjäll
>              Labels: security
>
> In order to protect ourselves against an attacker that can do injection attacks on our downloads we need to verify the pgp signatures of the downloaded artifacts.
> For normal dependencies this can be done with a plugin, for example this one: https://github.com/s4u/pgpverify-maven-plugin/
> But it's not possible for a plugin to verify its own authenticity, as it was downloaded over a possibly insecure channel itself.
> Therefore we need something preinstalled that verifies that the plugin we downloaded is the same one that was specified in our pom file.
> I propose that functionality is added to maven that verifies the jar and pom files against its pgp signature files for plugins. And some sort of notation is added to the pom file so that it's possible to specify the signing key for a plugin.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
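The check the issue asks for, written out as an added example (it is neither Maven's code nor the reporter's). It assumes a hypothetical `<signingKey>` element in the pom, since the issue leaves the notation open, and a `gpg` binary on PATH for the live `verify_artifact()` call; `check_status()` only parses gpg's `--status-fd` output and needs no gpg. The point it demonstrates is that a signature being cryptographically valid is not enough: the signing key must also be the one pinned in the pom, otherwise any key an attacker controls would pass.

```python
"""Pinned-key verification of a downloaded Maven plugin artifact.

Added example, not part of the JIRA issue or of Maven itself. It assumes
a hypothetical <signingKey> pom element (the issue only asks for "some
sort of notation") and, for verify_artifact(), a gpg binary on PATH.
"""
import re
import subprocess
import xml.etree.ElementTree as ET

# Constructed pom fragment. <signingKey> is an assumed notation, not a real
# Maven element; the fingerprint is a made-up 40-hex-digit placeholder.
SAMPLE_POM = """<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.example</groupId>
        <artifactId>example-maven-plugin</artifactId>
        <version>1.2.3</version>
        <signingKey>0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567</signingKey>
      </plugin>
    </plugins>
  </build>
</project>
"""


def pinned_keys(pom_xml: str) -> dict:
    """Map 'groupId:artifactId' to the normalised (upper-case, no spaces)
    fingerprint declared for that plugin in the pom."""
    pins = {}
    for plugin in ET.fromstring(pom_xml).iter("plugin"):
        gid = plugin.findtext("groupId")
        aid = plugin.findtext("artifactId")
        key = plugin.findtext("signingKey")
        if gid and aid and key:
            pins[f"{gid}:{aid}"] = re.sub(r"\s+", "", key).upper()
    return pins


# Any of these gpg status keywords means the signature must be rejected,
# even when a VALIDSIG line is also present in the output.
REJECT = re.compile(
    r"^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG|EXPSIG)\b", re.M)


def check_status(status_output: str, pinned_fpr: str) -> tuple:
    """Decide from gpg's --status-fd output whether the artifact is accepted.

    Accept only when gpg reports VALIDSIG *and* the signing key's fingerprint
    (or its primary key's fingerprint) equals the pinned one. A valid
    signature from any other key proves nothing about the plugin's origin,
    so gpg's own TRUST_* lines are deliberately not consulted.
    """
    pinned = re.sub(r"\s+", "", pinned_fpr).upper()
    if REJECT.search(status_output):
        return False, "signature bad, key missing, expired or revoked"
    for line in status_output.splitlines():
        f = line.split()
        # VALIDSIG <fpr> <date> <sig-ts> <exp-ts> <ver> <reserved> <pk-algo>
        #          <hash-algo> <class> [<primary-fpr>]
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            sig_fpr = f[2].upper()
            primary = f[11].upper() if len(f) >= 12 else sig_fpr
            if pinned in (sig_fpr, primary):
                return True, f"valid signature from pinned key {pinned}"
            return False, f"valid signature but from unpinned key {sig_fpr}"
    return False, "no VALIDSIG line: signature not verified"


def verify_artifact(artifact_path: str, sig_path: str, pinned_fpr: str) -> tuple:
    """Run gpg on a detached .asc signature and apply the pin (needs gpg on PATH).
    --status-fd 1 puts the machine-readable status lines on stdout."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, artifact_path],
        capture_output=True, text=True, check=False)
    return check_status(proc.stdout, pinned_fpr)


if __name__ == "__main__":
    key = pinned_keys(SAMPLE_POM)["org.example:example-maven-plugin"]
    # Constructed gpg status output for a signature made by the pinned key.
    status = (
        "[GNUPG:] NEWSIG\n"
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
        f"[GNUPG:] VALIDSIG {key} 2015-04-28 1430253787 0 4 0 1 10 00 {key}\n"
        "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
    print(check_status(status, key))
```

In use, the pin would be looked up for the plugin coordinates being resolved and `verify_artifact()` called for both the `.jar` and the `.pom` before either is loaded; because the pin comes from the project's own pom rather than from the download channel, it is the one input the attacker in the issue cannot substitute.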