Posted to issues@maven.apache.org by "Christopher Tubbs (JIRA)" <ji...@apache.org> on 2016/05/11 16:18:12 UTC

[jira] [Created] (MGPG-54) Add check for use of weak private keys before signing

Christopher Tubbs created MGPG-54:
-------------------------------------

             Summary: Add check for use of weak private keys before signing
                 Key: MGPG-54
                 URL: https://issues.apache.org/jira/browse/MGPG-54
             Project: Maven GPG Plugin
          Issue Type: New Feature
            Reporter: Christopher Tubbs
            Priority: Minor


I just filed MPOM-118, and was thinking that signatures on releases are also weakened by the use of weaker private keys.

It may be possible for the plugin to validate the key to be used prior to signing, and to fail if the key is weaker than 4096-bit RSA (the current recommended minimum).

You can see a similar check in this bash scriptlet:
{code}
# get default key, if it exists (gpgconf prints the value in field 10, prefixed with a quote)
KEY=$(gpgconf --list-options gpg | awk -F: '$1 == "default-key" {print $10}' | cut -c2-)
# get first secret key if default isn't set
[[ -n $KEY ]] || KEY=$(gpg --with-colons --list-secret-key | grep ^sec | head -1 | cut -f5 -d:)
# get bits from first RSA signing (sub)key: field 4 == 1 (RSA) and field 12 (usage) contains "s"
BITS=$(gpg --with-colons --list-secret-key "$KEY" | grep -E '^(sec|ssb)(:[^:]*){2}:1(:[^:]*){7}:[^:]*s' | head -1 | cut -f3 -d:)
# verify bits are at least 4096 (empty BITS means no RSA signing key was found, so fail)
(( ${BITS:-0} >= 4096 )) || exit 1
{code}

{{--with-colons}} provides backwards-compatible machine-parseable output predictably. Specifying the $KEY is optional. Unfortunately, the "usage" codes (field 12) to find the signing key/subkey (code "s") aren't displayed if you don't specify $KEY on the command line. So, we need to figure out the one the gpg command will select, and ask about it explicitly.

GPG's selection method is to use the default key specified in the gpg configuration first. If that isn't set, it just uses the first secret key it finds. There's no better way to figure out which key this is other than to parse the config file. The {{gpgconf}} command can help with that.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
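The same selection and strength check, written as an added example that parses the {{--with-colons}} output of gpg and gpgconf offline; this is not code from MGPG-54 or the Maven GPG Plugin. The listings are constructed samples, and the default-key lookup assumes the configured value is a key id rather than a fingerprint or user id.

```python
"""Pick the key gpg would sign with and check its RSA length by parsing
--with-colons output. Added example for MGPG-54, not the plugin's code."""
from typing import Optional

MIN_RSA_BITS = 4096
RSA = "1"  # OpenPGP algorithm id 1 = RSA (field 4 of a sec/ssb record)

# Constructed samples. Key 1: 2048-bit cert-only primary with a 2048-bit
# signing subkey. Key 2: 4096-bit primary that signs itself. Field 12 holds
# the usage codes; a lowercase 's' marks a signing (sub)key.
LISTING = """\
sec:u:2048:1:AAAA1111BBBB2222:1460000000::::::cESC:::+:::23::0:
ssb:u:2048:1:CCCC3333DDDD4444:1460000000::::::s:::+:::23:
ssb:u:2048:1:EEEE5555FFFF6666:1460000000::::::e:::+:::23:
sec:u:4096:1:1234567890ABCDEF:1460000000::::::scESC:::+:::23::0:
ssb:u:4096:1:FEDCBA0987654321:1460000000::::::e:::+:::23:
"""
# gpgconf --list-options gpg: field 10 is the value, strings prefixed by '"'.
GPGCONF_UNSET = 'default-key:0:0:use NAME as default secret key for signing:1:0::::\n'
GPGCONF_SET = GPGCONF_UNSET.rstrip("\n") + '"1234567890ABCDEF\n'

def default_key(gpgconf_out: str) -> Optional[str]:
    """Return the configured default-key id, or None when it is not set."""
    for line in gpgconf_out.splitlines():
        f = line.split(":")
        if f[0] == "default-key" and len(f) >= 10 and f[9]:
            return f[9].lstrip('"')
    return None

def secret_keys(listing: str) -> list:
    """Group sec/ssb records into one list of field-lists per primary key."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "sec":
            keys.append([f])
        elif f[0] == "ssb" and keys:
            keys[-1].append(f)
    return keys

def select_key(listing: str, gpgconf_out: str) -> Optional[list]:
    """Mimic gpg: the default-key if configured, else the first secret key."""
    keys = secret_keys(listing)
    wanted = default_key(gpgconf_out)
    if wanted is None:
        return keys[0] if keys else None
    wanted = wanted.upper()[2:] if wanted.upper().startswith("0X") else wanted.upper()
    return next((k for k in keys if k[0][4].endswith(wanted)), None)  # long or short key id

def signing_bits(key: list) -> Optional[int]:
    """Key length of the first RSA component whose usage codes include 's'."""
    for f in key:
        if len(f) > 11 and f[3] == RSA and "s" in f[11]:
            return int(f[2])
    return None

def strong_enough(listing: str, gpgconf_out: str, minimum: int = MIN_RSA_BITS) -> bool:
    """The check MGPG-54 asks for: refuse to sign with a weak selected key."""
    key = select_key(listing, gpgconf_out)
    bits = signing_bits(key) if key else None
    return bits is not None and bits >= minimum
```

With no default-key the first key's 2048-bit signing subkey is selected and the check fails; pointing default-key at the second key selects its 4096-bit primary and the check passes.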