Posted to commits@sling.apache.org by cr...@apache.org on 2021/05/13 21:41:04 UTC

[sling-org-apache-sling-auth-saml2] branch feature/check-sign-of-embedded created (now 1e530b3)

This is an automated email from the ASF dual-hosted git repository.

cris pushed a change to branch feature/check-sign-of-embedded
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-saml2.git.


      at 1e530b3  Configure pgpverify-maven-plugin to verify signatures of all embedded artifacts using independently verified keys. Check signature of all other dependencies using in-band keys if available.

This branch includes the following new commits:

     new 1e530b3  Configure pgpverify-maven-plugin to verify signatures of all embedded artifacts using independently verified keys. Check signature of all other dependencies using in-band keys if available.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


[sling-org-apache-sling-auth-saml2] 01/01: Configure pgpverify-maven-plugin to verify signatures of all embedded artifacts using independently verified keys. Check signature of all other dependencies using in-band keys if available.

Posted by cr...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

cris pushed a commit to branch feature/check-sign-of-embedded
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-saml2.git

commit 1e530b36e275cc374ece174482ce07b5b03f9c78
Author: Cris Rockwell <cm...@umich.edu>
AuthorDate: Thu May 13 17:40:41 2021 -0400

    Configure pgpverify-maven-plugin to verify signatures of all embedded artifacts using independently verified keys. Check signature of all other dependencies using in-band keys if available.
---
 any.asc.txt        |  2 +-
 pom.xml            | 38 +++++++++++++++++++++++++++++---------
 shibboleth.asc.txt | 13 ++++++++++++-
 sling.asc.txt      | 40 ----------------------------------------
 4 files changed, 42 insertions(+), 51 deletions(-)

diff --git a/any.asc.txt b/any.asc.txt
index 6e60f63..a418c9a 100644
--- a/any.asc.txt
+++ b/any.asc.txt
@@ -3,4 +3,4 @@
 javax.inject                    = noSig
 org.codehaus.jackson            = noSig
 org.ow2.asm:*:[6.0,7.2)         = noSig
-net.jcip                        = noSig
+net.jcip                        = noSig
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 6d1a421..6e85468 100644
--- a/pom.xml
+++ b/pom.xml
@@ -123,27 +123,47 @@ which is licensed under the Apache-2.0 license.
        </executions>
        <configuration>
           <keysMapLocations>
-            <!-- Verify signatures of Sling Artifacts -->
-            <keysMapLocation>
-              <location>${project.basedir}/sling.asc.txt</location>
-            </keysMapLocation>
-            <!-- Verify signatures of Shibboleth and OpenSAML Artifacts -->
+            <!-- Verify Signatures of Shibboleth, OpenSAML and any other Embedded Artifacts -->
             <keysMapLocation>
               <location>${project.basedir}/shibboleth.asc.txt</location>
             </keysMapLocation>
-          <!-- for any other artifacts use signature provided in-band, 
+          <!-- all other artifacts use signature provided in-band, 
             or configure them unsigned in any.asc.txt  -->
             <keysMapLocation>
               <location>${project.basedir}/any.asc.txt</location>
               <exclude>
-                <pattern>org.apache.sling:.*</pattern>
-              </exclude>
-              <exclude>
                 <pattern>net.shibboleth.utilities:.*</pattern>
               </exclude>
               <exclude>
                 <pattern>org.opensaml:.*</pattern>
               </exclude>
+              <exclude>
+                <pattern>io.dropwizard.metrics:metrics-core.*</pattern>
+              </exclude>
+              <exclude>
+                <pattern>com.google.guava:guava.*</pattern>
+              </exclude>
+              <exclude>
+                <pattern>com.google.guava:failureaccess.*</pattern>
+              </exclude>
+              <exclude>
+                <pattern>org.checkerframework:checker-qual.*</pattern>
+              </exclude>
+              <exclude>
+                <pattern>org.apache.velocity:.*</pattern>
+              </exclude>
+              <exclude>
+                <pattern>commons-lang:commons-lang.*</pattern>
+              </exclude>
+              <exclude>
+                <pattern>com.google.errorprone:error_prone_annotations.*</pattern>
+              </exclude>
+              <exclude>
+                <pattern>org.apache.santuario:xmlsec.*</pattern>
+              </exclude>
+              <exclude>
+                <pattern>org.cryptacular:cryptacular.*</pattern>
+              </exclude>
             </keysMapLocation>
           </keysMapLocations>
         </configuration>
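Review bot: The `<exclude>` list under the `any.asc.txt` keysMapLocation has to be kept in step by hand with the "Embedded Dependencies" entries in `shibboleth.asc.txt`, and nothing in the hunk says so. If a pinned key is later added to the key map without a matching exclude here, that artifact would presumably also match `any.asc.txt` and be accepted on its in-band key, which silently undoes the pinning. I would add a comment above the first exclude, e.g. `<!-- every artifact pinned in shibboleth.asc.txt must also be excluded here, otherwise its in-band key is accepted -->`. The patterns are regular expressions, so `com.google.guava:guava.*` also covers any other artifactId that starts with `guava`, while the key map pins only `com.google.guava:guava`; it is worth confirming that such an artifact fails verification rather than passing unchecked. The enclosing `<plugin>` element starts above the hunk and ends below it.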
diff --git a/shibboleth.asc.txt b/shibboleth.asc.txt
index 2e76188..104be1b 100644
--- a/shibboleth.asc.txt
+++ b/shibboleth.asc.txt
@@ -22,4 +22,15 @@ org.opensaml.* = \
     0x0E0CA56D354132B5E646C25F49A1796B9B494CB8, \ # putmanb@georgetown.edu
     0x4AF4D83EEDDF43DA3C06CB3101483F262A4B3FF0, \ # rdw@steadingsoftware.com
     0xDCAA15007BED9DE690CD9523378B845402277962, \ # cantor.2@osu.edu
-    0x796D70C89BBF8D958925F2ED277EC86A07CEEB8B    # tzeller@dragonacea.biz
\ No newline at end of file
+    0x796D70C89BBF8D958925F2ED277EC86A07CEEB8B    # tzeller@dragonacea.biz
+
+# Embedded Dependencies
+io.dropwizard.metrics:metrics-core      = 0x0B9236488A3B927470B4027D2FC1B61A8D1F4BB0
+com.google.guava:guava                  = 0xBDB5FA4FE719D787FB3D3197F6D4A1D411E9D1AE 
+com.google.guava:failureaccess          = 0x56ED3B4843DAACC79DE555557457CA33C3CE9E15
+org.checkerframework:checker-qual       = 0x19BEAB2D799C020F17C69126B16698A4ADF4D638
+org.apache.velocity                     = 0xCE4439C1BEF3DA83B1832F9DBEFEEF227A98B809
+commons-lang:commons-lang               = 0xD196A5E3E70732EEB2E5007F1861C322C56014B2
+com.google.errorprone:error_prone_annotations = 0x7615AD56144DF2376F49D98B1669C4BB543E0445
+org.apache.santuario:xmlsec             = 0xDB45ECD19B97514F727105AE67BF80B10AD53983
+org.cryptacular:cryptacular             = 0x38319E05F62674572CDF886170B2EBE96C112CC9 
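Review bot: The nine fingerprints added under `# Embedded Dependencies` carry no record of who owns each key or how it was checked, unlike the `org.opensaml.*` entries above, which name the key holder at the end of each line. Since the commit relies on these keys being independently verified, each line should say so in a trailing comment, e.g. `# <key owner uid>, fingerprint checked against <source>`, so a later reviewer can repeat the check. Each artifact is pinned to a single key with no version range, so a release signed by a different maintainer will fail the build until the map is updated; that is the safe direction, but worth stating in the section header. The lines for `com.google.guava:guava` and `org.cryptacular:cryptacular` end in a trailing space, which is harmless only if the key-map parser trims values.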
diff --git a/sling.asc.txt b/sling.asc.txt
deleted file mode 100644
index c671916..0000000
--- a/sling.asc.txt
+++ /dev/null
@@ -1,40 +0,0 @@
-# Sling
-org.apache.sling.* = \
-    0x2E510C7DB961B2678888347F947A0DBF7120565E, \ # amitgupt
-    0x49ECC3FCFD4CDF49F308DEC2749391D163EFCDEF, \ # andysch
-    0x5EFF256585AC5FB607F6D46A77B6B69A9E4DCC6B, \ # bdelacretaz
-    0x9E2F96C640A0731D93BF548E37F68FF5015AFC8A, \ # bdelacretaz 
-    0x37764359E96FDCB167611DD1F3DE8E1B88E59E02, \ # chetanm
-    0x51E38755C6505CDD1B68AADE7E4CABC10BAE970C, \ # cris
-    0x0CB4FE7E0743AF26610898C24715DC026428BDBA, \ # chris@die-schneider.net
-    0x021752BCCC567AAAA0D33A36132E49D4E41EDC7E, \ # cziegeler
-    0x5FD5145A8BD0317A94DC77133FCF529FF2F27A06, \ # cziegeler
-    0xDDDAB16CE0FCE3A2621C2B80C7E2EC71F0584C92, \ # diru
-    0x4D78347F4F4F868D8EC2CD13F0EAC1A44C6E4124, \ # dklco
-    0x92E9F6990056E6270CE0AC06F61914D470A23041, \ # dulvac
-    0xDEC79067BD234AE7382FB8DEA05D171EA0F1173A, \ # enorman
-    0x369AF551BA81A412C3D413675E27F86EF79B7715, \ # fmeschbe
-    0x34456ED30980EAD976FA50E33C7DEF7D6A42B333, \ # ghenzler
-    0x4456E516E49A0099A5CAFE92B20D113940E47E14, \ # ieb
-    0x8311695BAFF10EA3BB29452B929EE4BE883F7D33, \ # jeb
-    0xC536C8CAA12C0CFC0DF840367D27D8A059FE68E2, \ # joerghoh
-    0x66DF1FE828890A5089146E8C2E92CD9B77F318C8, \ # jsedding
-    0xA04BC4AD36396AD5A52C8FE187DBF05A134B145C, \ # justin
-    0xB91AB7D2121DC6B0A61AA182D7742D58455ECC7C, \ # kwin
-    0xDAD17EDA7D4AFBCD80FF26E1C01B4623441E0165, \ # mpetria
-    0x22C8B59F2A5594913D8140A69645F309F79F6478, \ # mykee
-    0x4B778CBC33364EEF0713CB9808CBBC854D20BF87, \ # npeltier
-    0xCFF2A1BF15608B70F269EA803A3F9BA60E4B0826, \ # olli
-    0x3E97979229E01DFAB9774BBC9054823A859A7237, \ # pauls
-    0x713E024342DC4035115EE6DC9DDD0135964478D3, \ # radu
-    0x0A665C4670B478BF12235CCD339508654F63EC54, \ # rombert
-    0xCFC52824B67086BF2B3228C994C3410848CF8630, \ # simonetripodi
-    0xA4DED8965C2E1C818217CB91CE2B7FF675D78E92, \ # sseifert
-    0x7F2B0F91A223672CC9C110A1595CEDF18CCA28D1, \ # stefanegli
-    0x96D7CED57F1DB4F75CEEEE1D6D1F69DA6B6E60CF, \ # stefanegli
-    0xB96F4ED6841F35D34B0F002650D0BA4202A7966D, \ # stefanegli
-    0xE32D4F1022C616579157F1B11E5AB6D3CF8EBF5F, \ # thecarlhall
-    0xC1ED9FBABD1594E9C12571F54BFE914A44BD29BA, \ # tmaret
-    0x4B5B877280AF29240E45AD21B0EE689D84715909, \ # tomekr
-    0xD7DD1CAC3361852FDCBEDB1BDC7BF9853C1E73F8    # tommaso
-