Posted to issues@maven.apache.org by "Alexander Kjäll (JIRA)" <ji...@apache.org> on 2016/04/17 12:14:25 UTC

[jira] [Commented] (MNG-5814) Be able to verify the pgp signature of downloaded plugins

    [ https://issues.apache.org/jira/browse/MNG-5814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15244612#comment-15244612 ] 

Alexander Kjäll commented on MNG-5814:
--------------------------------------


I agree that https is a good idea, but it solves a slightly different problem: it only guards against an attacker that controls the network, not an attacker that controls the nexus server.

I agree that the problem is how to define the identity of an artifact, and the only way I can imagine for that to work securely is that the identity should be defined in the pom and checked by the code in maven.

The second solution suggestion is the approach used in the pgpverify plugin that I linked; it does its job, but it has one critical flaw: the plugin itself is downloaded through the same channel that you don't trust (as you want to verify the pgp signature). An attacker could simply replace the verification logic in the plugin with "return true".

Regarding changing the pom format in maven 4, is there an ongoing process where I can send in a suggestion, or how does it work?

> Be able to verify the pgp signature of downloaded plugins
> ---------------------------------------------------------
>
>                 Key: MNG-5814
>                 URL: https://issues.apache.org/jira/browse/MNG-5814
>             Project: Maven
>          Issue Type: Improvement
>          Components: Plugin Requests
>            Reporter: Alexander Kjäll
>              Labels: security
>
> In order to protect ourselves against an attacker that can do injection attacks on our downloads, we need to verify the pgp signatures of the downloaded artifacts.
> For normal dependencies this can be done with a plugin, for example this one: https://github.com/s4u/pgpverify-maven-plugin/
> But it's not possible for a plugin to verify its own authenticity, as it was downloaded over a possibly insecure channel itself.
> Therefore we need something preinstalled that verifies that the plugin we downloaded is the same one that was specified in our pom file.
> I propose that functionality is added to maven that verifies the jar and pom files against their pgp signature files for plugins. And some sort of notation is added to the pom file so that it's possible to specify the signing key for a plugin.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
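The check the issue asks Maven itself to perform, as an added example that is not part of the JIRA thread or of Maven's code: verify the downloaded artifact's detached PGP signature with gpg and accept it only if the signing key's fingerprint equals the one pinned out of band (the pom, in the proposal). It assumes gpg 2.1+ on PATH; `verify_plugin_sig` and the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not Maven's or the plugin's code.  The pinned fingerprint is
# the artifact identity from the pom; it must never be taken from the
# repository that served the artifact, or a server-side attacker could
# simply re-sign with a key of their own choosing.
#
# verify_plugin_sig ARTIFACT SIGNATURE PINNED_FINGERPRINT
#   returns 0 only if SIGNATURE is a valid detached PGP signature over
#   ARTIFACT made by the key whose primary fingerprint is PINNED_FINGERPRINT.
verify_plugin_sig() {
    artifact=$1
    sig=$2
    # Normalise the pinned value: strip spaces, upper-case hex.
    pinned=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')

    # Fetch the key by its full fingerprint if it is not in the keyring yet.
    # Which key the keyserver or repository hands back does not matter: the
    # fingerprint comparison below is what binds the artifact to the pom.
    gpg --batch --list-keys "$pinned" >/dev/null 2>&1 ||
        gpg --batch --recv-keys "$pinned" >/dev/null 2>&1 || return 1

    # --status-fd gives machine-readable output; a VALIDSIG line is emitted
    # only for a good signature and its last field is the primary key
    # fingerprint of the signer.  Note that gpg exits 0 even for a key with
    # no web-of-trust validity, so the fingerprint check is the real gate.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null) || return 1
    signer=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')

    [ -n "$signer" ] && [ "$signer" = "$pinned" ]
}

# Usage: verify_plugin_sig plugin.jar plugin.jar.asc "<fingerprint from pom>"
```

Both a tampered artifact and an artifact re-signed by a different key fail the check, which is exactly the case the thread says https alone does not cover.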