Posted to fop-dev@xmlgraphics.apache.org by Didier Schlegel <di...@bluewin.ch> on 2018/08/27 08:07:04 UTC
PGP signatures of avalon-framework
Dear FOP developers,
after reading this article
(http://branchandbound.net/blog/security/2012/03/crossbuild-injection-how-safe-is-your-build/)
about cross-build injection attacks I decided to give the
pgpverify-maven-plugin
(https://www.simplify4u.org/pgpverify-maven-plugin/index.html) a try.
We use Apache FOP in our project and two transitive dependencies of FOP
2.3 did not pass the PGP verification:
- org.apache.avalon.framework:avalon-framework-api:jar:4.3.1
- org.apache.avalon.framework:avalon-framework-impl:jar:4.3.1
both retrieved from maven central
(https://repo1.maven.org/maven2/org/apache/avalon/framework/avalon-framework-impl/4.3.1/)
[WARNING] org.apache.avalon.framework:avalon-framework-api:jar:4.3.1 PGP Signature ERROR
KeyId: 0xD0ACAD776E6D31C6 UserIds: [Jorg Heymans (CODE SIGNING KEY) <jh...@apache.org>]
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-api\4.3.1\avalon-framework-api-4.3.1.jar
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-api\4.3.1\avalon-framework-api-4.3.1.jar.asc
[WARNING] org.apache.avalon.framework:avalon-framework-impl:jar:4.3.1 PGP Signature ERROR
KeyId: 0xD0ACAD776E6D31C6 UserIds: [Jorg Heymans (CODE SIGNING KEY) <jh...@apache.org>]
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-impl\4.3.1\avalon-framework-impl-4.3.1.jar
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-impl\4.3.1\avalon-framework-impl-4.3.1.jar.asc
According to the pgpverify plugin these two libraries are not correctly
signed. Is there a way to replace them with a correctly signed version?
If not, and if they are considered trustworthy, maybe it would be better
to remove the signature file from the maven repository as it does not match.
I contacted Jorg Heymans about this and he told me to contact the cocoon
developer mailing list. I thought I had better try this list as we actually
use FOP and the Avalon-Framework is a dependency brought in by FOP.
Sincerely,
Didier Schlegel
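The check the plugin performed, reproduced outside Maven as an added example (not code from the thread or from pgpverify-maven-plugin). It takes the coordinates and key id from the warnings above; the Maven Central base URL and the keyserver are assumed defaults. Comparing the published SHA-1 first separates a bad download from a .asc that simply does not cover the bytes that are served.

```shell
#!/bin/sh
# Added example (not from the thread): re-check an artifact's published SHA-1
# and detached PGP signature with plain curl, sha1sum and gpg. Coordinates and
# key id come from the thread; REPO and KEYSERVER are assumed defaults.
set -eu
REPO="${REPO:-https://repo1.maven.org/maven2}"
KEYSERVER="${KEYSERVER:-hkps://keyserver.ubuntu.com}"

# groupId:artifactId:packaging:version -> repository-relative artifact path
maven_repo_path() {
  group=$(printf '%s' "$1" | cut -d: -f1 | tr . /)
  artifact=$(printf '%s' "$1" | cut -d: -f2)
  packaging=$(printf '%s' "$1" | cut -d: -f3)
  version=$(printf '%s' "$1" | cut -d: -f4)
  printf '%s/%s/%s/%s-%s.%s\n' "$group" "$artifact" "$version" "$artifact" "$version" "$packaging"
}

# Exit status: 0 = checksum and signature good; 1 = checksum mismatch (damaged
# or altered download); 2 = checksum good but the .asc does not cover these
# bytes, which is the situation the thread reports for avalon-framework 4.3.1.
verify_artifact() {
  coords="$1"; keyid="$2"
  rel=$(maven_repo_path "$coords"); file=$(basename "$rel")
  workdir=$(mktemp -d)
  for ext in "" .asc .sha1; do
    curl -fsSL -o "$workdir/$file$ext" "$REPO/$rel$ext"
  done
  published=$(cut -c1-40 "$workdir/$file.sha1")
  actual=$(sha1sum "$workdir/$file" | cut -c1-40)
  if [ "$published" != "$actual" ]; then
    echo "$coords: SHA-1 mismatch (published $published, got $actual)" >&2
    return 1
  fi
  # Throwaway keyring: the check neither depends on nor pollutes the user's own.
  export GNUPGHOME="$workdir/gnupg"; mkdir -m 700 "$GNUPGHOME"
  gpg --batch --quiet --keyserver "$KEYSERVER" --recv-keys "$keyid"
  if gpg --batch --quiet --verify "$workdir/$file.asc" "$workdir/$file" 2>/dev/null; then
    echo "$coords: SHA-1 and PGP signature OK (key $keyid)"
  else
    echo "$coords: SHA-1 OK but PGP signature does NOT verify against $keyid" >&2
    return 2
  fi
}

# Usage: sh verify.sh org.apache.avalon.framework:avalon-framework-api:jar:4.3.1 0xD0ACAD776E6D31C6
if [ $# -eq 2 ]; then verify_artifact "$1" "$2"; fi
```

Exit status 2 on the two avalon-framework artifacts would confirm the plugin's finding independently of Maven; a status of 1 would instead point at the download path.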
RE: PGP signatures of avalon-framework
Posted by Simon Steiner <si...@gmail.com>.
Hi,
We don’t own avalon-framework so we can’t fix it.
Thanks