Posted to issues@maven.apache.org by "Karl Heinz Marbaise (JIRA)" <ji...@apache.org> on 2018/04/22 21:28:00 UTC

[jira] [Comment Edited] (MNGSITE-334) maven installation insecure

    [ https://issues.apache.org/jira/browse/MNGSITE-334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16447376#comment-16447376 ] 

Karl Heinz Marbaise edited comment on MNGSITE-334 at 4/22/18 9:27 PM:
----------------------------------------------------------------------

I have moved this issue to the correct location cause it belongs to our web site and not to Maven Core development itself.

The first thing is that you seem to have misunderstood that the mirrors are only for downloading the distribution, not for downloading the checksums and the gpg keys, which are only available from Apache servers (via https). Furthermore the [download page|https://maven.apache.org/download.cgi] offers two things with separate intentions: first the checksum and second the gpg signature, and also a link to the [documentation on how to check a GPG signature|https://www.apache.org/dev/release-signing#verifying-signature]. This contains exactly what you call a recipe... and of course it's not easy, because security is never easy.

So the first one (checksums) is intended to prevent download errors, so you should check your download first against the checksums and second via the GPG key...
Apart from that, showing the output of GPG shows that you haven't checked against the linked KEYS of the developers with your GPG...

And finally I have to say we have changed to use sha1/sha256 checksums in the meantime.


was (Author: khmarbaise):
I have moved this issue to the correct location because it belongs to our web site and to Maven Core itself.

The first thing is that you seem to have misunderstood that the mirrors are only for downloading the distribution, not for downloading the checksums and the gpg keys, which are only available from Apache servers (via https). Furthermore the [download page|https://maven.apache.org/download.cgi] offers two things with separate intentions: first the checksum and second the gpg signature, and also a link to the [documentation on how to check a GPG signature|https://www.apache.org/dev/release-signing#verifying-signature]. This contains exactly what you call a recipe... and of course it's not easy, because security is never easy.

So the first one (checksums) is intended to prevent download errors, so you should check your download first against the checksums and second via the GPG key...
Apart from that, showing the output of GPG shows that you haven't checked against the linked KEYS of the developers with your GPG...

And finally I have to say we have changed to use sha1/sha256 checksums in the meantime.

> maven installation insecure
> ---------------------------
>
>                 Key: MNGSITE-334
>                 URL: https://issues.apache.org/jira/browse/MNGSITE-334
>             Project: Maven Project Web Site
>          Issue Type: Bug
>            Reporter:  Warren MacEvoy
>            Priority: Major
>
> The recommended install suggests using an insecure mirror, and then provides either an md5 sum (completely insecure, broken a thousand years ago), or a gpg signature (99% of installers will give up on following these directions, since they provide incomplete instructions on how to actually do it, and it is not easy to do).
> Please provide a SHA256 sum with your distribution! Please remove the MD5 sum which is dangerous (provides a false sense of security). Please provide a complete recipe for verifying a signature using GnuPG.
> This bug affects all versions.  Here is the very unsatisfying result of verifying using GPG:
> *gpg --verify $FILE.asc*
> gpg: assuming signed data in `apache-maven-3.5.2-bin.tar.gz'
> gpg: Signature made Wed 18 Oct 2017 01:59:56 AM MDT using DSA key ID B620D787
> gpg: Good signature from "Stephen Connolly <st...@apache.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner. 


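A worked version of the procedure the two messages above argue about, added here as an example; it is not code from the Maven project, the download page, or anyone in this thread. It follows the split the comment describes: the distribution may come from a mirror, but the checksum, the `.asc` signature and the `KEYS` file are fetched only from apache.org over https, the checksum is checked first and the signature second, and the signature is verified against a throwaway keyring containing only the imported `KEYS`. It also spells out what the "not certified with a trusted signature" warning in the reporter's output does and does not mean. The URL layout, the `DIST_BASE` and `MIRROR` variables and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Maven project or from anyone in this thread.
# Distribution: from a mirror. Checksum, signature, KEYS: from apache.org over
# https only. Checksum is verified before the signature.
# DIST_BASE, MIRROR and the path layout below are assumptions.
set -eu

# SHA-256 of a file, portable between GNU coreutils and BSD/macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare a file against a published .sha256 file, which may contain either the
# bare hex digest or "digest  filename". Returns 0 on match, 1 otherwise.
# This only catches a corrupted or truncated download: a mirror could serve a
# matching tarball/checksum pair, which is why the checksum must come from
# apache.org and why the signature check still follows.
verify_sha256() {
  expected=$(awk 'NR==1 {print tolower($1)}' "$2")
  actual=$(sha256_of "$1")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Verify the detached signature with KEYS imported into a throwaway keyring, so
# the check neither depends on nor pollutes ~/.gnupg.
# "Good signature" is the actual verification result. The WARNING that the key
# "is not certified with a trusted signature" only says you have never
# certified that key yourself; it is not a failure. The human step that
# remains is confirming that the signing key's fingerprint is one the KEYS file
# published on apache.org lists for the project.
verify_gpg() {
  file=$1; sig=$2; keys=$3
  tmp=$(mktemp -d)
  rc=0
  gpg --homedir "$tmp" --quiet --import "$keys" || rc=$?
  [ "$rc" -eq 0 ] && { gpg --homedir "$tmp" --verify "$sig" "$file" || rc=$?; }
  rm -rf "$tmp"
  return "$rc"
}

# Download a release and run both checks in order. DIST_BASE must be the https
# apache.org location of the release; MIRROR is whatever mirror the download
# page handed you (defaults to DIST_BASE here). Both are assumptions.
fetch_and_verify() {
  version=$1
  dist_base=${DIST_BASE:-https://downloads.apache.org/maven/maven-3}   # assumption
  mirror=${MIRROR:-$dist_base}                                         # assumption
  tarball=apache-maven-$version-bin.tar.gz
  curl -fsSLO "$mirror/$version/binaries/$tarball"
  curl -fsSLO "$dist_base/$version/binaries/$tarball.sha256"
  curl -fsSLO "$dist_base/$version/binaries/$tarball.asc"
  curl -fsSL "https://downloads.apache.org/maven/KEYS" -o KEYS          # assumption
  verify_sha256 "$tarball" "$tarball.sha256" || { echo "checksum mismatch: $tarball" >&2; return 1; }
  verify_gpg "$tarball" "$tarball.asc" KEYS   || { echo "bad signature: $tarball" >&2; return 1; }
  echo "$tarball: checksum and signature OK"
}

# Usage (needs curl, gpg and network access): fetch_and_verify 3.5.2
```

`verify_sha256` and `verify_gpg` also work on files you already downloaded by hand; only `fetch_and_verify` touches the network. The throwaway `--homedir` is deliberate: it makes the result depend solely on the published `KEYS` file rather than on whatever keys happen to sit in the local keyring.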
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)