Posted to issues@maven.apache.org by "John Neffenger (Jira)" <ji...@apache.org> on 2021/04/15 17:46:00 UTC

[jira] [Commented] (MNG-6026) Extend the Project Object Model (POM) with trust information (OpenPGP, hash values)

    [ https://issues.apache.org/jira/browse/MNG-6026?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17322358#comment-17322358 ] 

John Neffenger commented on MNG-6026:
-------------------------------------

??When the transport with Central became https we were freed from the man-in-the-middle attack.??

Just a reminder that HTTPS is not always encrypted end-to-end between the client and server domain. In fact, these days it's almost always not encrypted end-to-end. Any connection to a website using Cloudflare or Fastly has a _man in the middle_, along with connections from corporate networks that employ HTTPS proxy servers like _mitmproxy_. See:

* [How mitmproxy works|https://docs.mitmproxy.org/stable/concepts-howmitmproxyworks/]
* [CloudFlare, SSL and unhealthy security absolutism|https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/]

Every node that decrypts the traffic is another node that can be compromised. Only this feature will detect the tampered artifacts. We're adding this exact [Gradle feature to JavaFX builds|https://github.com/openjdk/jfx/pull/437] now, after seeing the recent supply chain attacks. I'd love to see this in Maven, too.


> Extend the Project Object Model (POM) with trust information (OpenPGP, hash values)
> -----------------------------------------------------------------------------------
>
>                 Key: MNG-6026
>                 URL: https://issues.apache.org/jira/browse/MNG-6026
>             Project: Maven
>          Issue Type: New Feature
>          Components: core
>            Reporter: Florian Schmaus
>            Priority: Major
>              Labels: artifact-verification, security
>
> The origin of this feature request is the Stackoverflow question ["Verification of dependency authenticity in Maven POM based automated build systems"|http://stackoverflow.com/a/34795359/194894], and [especially a SO user requesting me to put this up|http://stackoverflow.com/questions/3307146/verification-of-dependency-authenticy-in-maven-pom-based-automated-build-systems/34795359?noredirect=1#comment62178671_34795359].
> h2. Extend the Project Object Model (POM) with trust information (OpenPGP - RFC 4480 and hash values)
> What we need is the possibility to model a trust relation from your project or artifact to the declared dependencies. So that, if all involved parties declare such a relation, we are able to create a "chain of trust" from the root (e.g. the project) over its dependencies down to the very last transitive dependency. The Project Object Model (POM) needs to be extended by a <verification/> element for dependencies.
> h3. Current Situation
> Right now we have something like
> {code:xml}
> <dependency>
>   <groupId>junit</groupId>
>   <artifactId>junit</artifactId>
>   <version>4.0</version>
> </dependency>
> {code}
> h3. Hard dependencies
> For hard dependencies, <verification/> could include the sha256sum of artifact and its POM file:
> {code:xml}
> <dependency>
>   <groupId>junit</groupId>
>   <artifactId>junit</artifactId>
>   <version>[4.0]</version>
>   <verification>
>     <checksum hash='sha-256'>
>       <pom>[sha256 of junit pom file]</pom>
>       <artifact>[sha256sum of artifact (junit.jar)]</artifact>
>     </checksum>
>   </verification>
> </dependency>
> {code}
> h3. Soft dependencies
> If soft, also called "ranged" or "dynamic", dependencies are used, then we could specify the public key (or multiple) of the keypair used to sign the artifacts.
> {code:xml}
> <dependency>
>   <groupId>junit</groupId>
>   <artifactId>junit</artifactId>
>   <version>[4.0,4.5)</version>
>   <verification>
>     <openpgp>[secure fingerprint of OpenPGP key used to sign the junit artifact(s)]</openpgp>
>     <!-- possible further 'openpgp' elements in case the artifacts in the
>          specified version range were signed by multiple keys -->
>   </verification>
> </dependency>
> {code}
> I'm not sure if this is the right place to raise a feature request for the POM format itself. I've already tried to get in touch with the right people about this feature request, but failed. I'm willing to help designing and implementing this, but need guidance.



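Added example, not part of the original message and not Maven code: a Python check of what the proposed "hard dependency" pin would let a client do, namely reject a POM or artifact whose SHA-256 differs from the value declared in the consuming project, whichever node between client and repository altered it. The `<verification>` element is only the proposal quoted above; the function names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SUPPORTED = {"sha-256": "sha256"}  # proposal's hash='...' value -> hashlib name

def pinned_checksums(dependency_xml: str) -> dict:
    """Extract the pinned digests from a <dependency> element (hypothetical helper)."""
    checksum = ET.fromstring(dependency_xml).find("verification/checksum")
    if checksum is None:
        raise ValueError("no <verification>/<checksum>: nothing pinned, fail closed")
    algo = SUPPORTED.get(checksum.get("hash", "").lower())
    if algo is None:
        raise ValueError("unsupported hash algorithm: %r" % checksum.get("hash"))
    pins = {"algo": algo}
    for part in ("pom", "artifact"):
        value = (checksum.findtext(part) or "").strip().lower()
        if len(value) != hashlib.new(algo).digest_size * 2:
            raise ValueError("missing or malformed <%s> digest" % part)
        pins[part] = value
    return pins

def verify_dependency(dependency_xml: str, pom_bytes: bytes, artifact_bytes: bytes) -> list:
    """Return the parts whose digest does not match the pin (empty list = verified)."""
    pins = pinned_checksums(dependency_xml)
    mismatches = []
    for part, data in (("pom", pom_bytes), ("artifact", artifact_bytes)):
        actual = hashlib.new(pins["algo"], data).hexdigest()
        if not hmac.compare_digest(actual, pins[part]):
            mismatches.append(part)
    return mismatches

# Constructed sample data standing in for the files fetched from a repository.
SAMPLE_POM = b"<project><artifactId>junit</artifactId><version>4.0</version></project>"
SAMPLE_JAR = b"constructed bytes standing in for junit-4.0.jar"
SAMPLE_DEPENDENCY = """<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>[4.0]</version>
  <verification>
    <checksum hash='sha-256'>
      <pom>%s</pom>
      <artifact>%s</artifact>
    </checksum>
  </verification>
</dependency>""" % (hashlib.sha256(SAMPLE_POM).hexdigest(), hashlib.sha256(SAMPLE_JAR).hexdigest())

if __name__ == "__main__":
    print(verify_dependency(SAMPLE_DEPENDENCY, SAMPLE_POM, SAMPLE_JAR + b"\x00"))
```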