Posted to users@maven.apache.org by Chad La Joie <ch...@switch.ch> on 2008/04/23 06:29:24 UTC

PGP Signature of Artifacts Validation

I know about, and use, the plugin for creating PGP signatures of 
artifacts.  Is there a mechanism to validate the signatures of incoming 
dependencies?
-- 
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad.lajoie@switch.ch, http://www.switch.ch


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org


Re: PGP Signature of Artifacts Validation

Posted by Chad La Joie <ch...@switch.ch>.
Wendy Smoak wrote:
> On Wed, Apr 23, 2008 at 12:29 PM, Chad La Joie <ch...@switch.ch> wrote:
>> I know about, and use, the plugin for creating PGP signatures of artifacts.
>> Is there a mechanism to validate the signatures of incoming dependencies?
> 
> Not at present.  The first thing I'd like to see is a goal added to
> the plugin that can check the signature for a single artifact.

Yep, agreed.

> Checking signatures as artifacts are proxied is also a good feature
> for a repository manager.  I know we've talked about it for Archiva.

Also agree.

> Do you have an opinion on where the signature file ought to come from?

In our projects (e.g. [1]) I upload the signatures to our repository, 
just like the MD5/SHA-1 hashes (which I have a question about but will 
send in another email).  My understanding was that Maven was checking 
these hashes when it pulled down the dependency.  Assuming my 
understanding is correct, it seemed reasonable that it might check the 
signature in the same manner.

>  I've collected two opinions, one that the signature should only be
> downloaded from a trusted source (even if the artifact comes from a
> mirror,) and the other that it doesn't matter because you'd use the
> web of trust built up by cross-signed keys to determine whether or not
> to accept the artifact.

I work on a project where signature validation and trust of the 
validating credential are completely separate concerns.  So, for me, the 
second option seems like the only reasonable approach.  I don't think 
you can "trust" anything just because of where it comes from.

[1] http://shibboleth.internet2.edu/downloads/maven2/org/opensaml/xmltooling/1.0.1



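Chad's point that checking the signature and deciding whether to trust the signing key are separate concerns, as an added example for this thread (not code from Maven, the GPG plugin, or either poster). It assumes gpg is installed, the signer's public key is already imported, and the .asc sits beside the artifact like the .md5/.sha1 files; the fingerprints in TRUSTED_FPRS are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example for this thread, not part of Maven or the GPG plugin.
# Step 1 verifies the detached .asc next to the artifact; step 2 separately
# decides whether the signing key is one this project trusts.
# Assumes gpg is installed and the signer's public key is already imported.
set -u

# Placeholder fingerprints (constructed) of the keys this project accepts.
TRUSTED_FPRS="0000000000000000000000000000000000000001
0000000000000000000000000000000000000002"

# Parse gpg --status-fd output. Print the full fingerprint from the VALIDSIG
# line only when no failure status was seen; print nothing otherwise.
# Kept as a separate function so it can be exercised without running gpg.
parse_gpg_status() {
  awk '
    $1 != "[GNUPG:]" { next }
    $2 == "VALIDSIG" { fpr = $3 }
    $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" ||
    $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
    END { if (fpr != "" && !bad) print fpr }
  '
}

# Step 1 (validation): run gpg and report which key produced a good signature.
# $2 defaults to the .asc that sits beside the artifact, like the .md5/.sha1.
verify_signature() {
  local artifact="$1" sig="${2:-$1.asc}"
  gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null | parse_gpg_status
}

# Step 2 (trust): a good signature only identifies the signer; accept it only
# if the full fingerprint is on the pinned list (exact, whole-line match).
is_trusted_fingerprint() {
  printf '%s\n' "$TRUSTED_FPRS" | grep -qxF "$1"
}

# Both steps for one artifact path; exit 0 only when validation and trust pass.
check_artifact() {
  local fpr
  fpr=$(verify_signature "$1")
  if [ -z "$fpr" ]; then
    echo "REJECT $1: signature invalid or signing key unavailable" >&2; return 1
  fi
  if ! is_trusted_fingerprint "$fpr"; then
    echo "REJECT $1: valid signature but key $fpr is not trusted" >&2; return 1
  fi
  echo "ACCEPT $1: signed by trusted key $fpr"
}
```

Run it as `check_artifact path/to/xmltooling-1.0.1.jar` after importing the project's signing key; a valid signature from a key that is not pinned is rejected, which is the case the "trusted source" option in the thread tries to address by other means.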


Re: PGP Signature of Artifacts Validation

Posted by Wendy Smoak <ws...@gmail.com>.
On Wed, Apr 23, 2008 at 12:29 PM, Chad La Joie <ch...@switch.ch> wrote:
> I know about, and use, the plugin for creating PGP signatures of artifacts.
> Is there a mechanism to validate the signatures of incoming dependencies?

Not at present.  The first thing I'd like to see is a goal added to
the plugin that can check the signature for a single artifact.

Checking signatures as artifacts are proxied is also a good feature
for a repository manager.  I know we've talked about it for Archiva.

Do you have an opinion on where the signature file ought to come from?
I've collected two opinions, one that the signature should only be
downloaded from a trusted source (even if the artifact comes from a
mirror,) and the other that it doesn't matter because you'd use the
web of trust built up by cross-signed keys to determine whether or not
to accept the artifact.

-- 
Wendy
