Posted to issues@maven.apache.org by "Elliotte Rusty Harold (Jira)" <ji...@apache.org> on 2019/12/18 12:33:00 UTC

[jira] [Resolved] (MGPG-54) Add check for use of weak private keys before signing

     [ https://issues.apache.org/jira/browse/MGPG-54?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Elliotte Rusty Harold resolved MGPG-54.
---------------------------------------
    Resolution: Won't Fix

Since there's no activity here and this issue is scheduled for autoclosure anyway, I'm going to make an opinionated call that we shouldn't fix this. The GPG plugin should support what GPG supports, no more, no less.

If anyone disagrees, feel free to reopen.

> Add check for use of weak private keys before signing
> -----------------------------------------------------
>
>                 Key: MGPG-54
>                 URL: https://issues.apache.org/jira/browse/MGPG-54
>             Project: Maven GPG Plugin
>          Issue Type: New Feature
>            Reporter: Christopher Tubbs
>            Priority: Minor
>
> I just filed MPOM-118, and was thinking that signatures on releases are also weakened by the use of weaker private keys.
> It may be possible for the plugin to validate the key to be used prior to signing, and to fail if the key is weaker than 4096-bit RSA (the current recommended minimum).
> You can see a similar check in this bash scriptlet:
> {code}
> # get default key, if it exists (gpgconf prefixes string values with a double quote, hence cut -c2-)
> KEY=$(gpgconf --list-options gpg | awk -F: '$1 == "default-key" {print $10}' | cut -c2-)
> # get first secret key if default isn't set (field 5 is the key ID)
> [[ -n $KEY ]] || KEY=$(gpg --with-colons --list-secret-keys | grep ^sec | head -1 | cut -f5 -d:)
> # get bits (field 3) from first RSA signing (sub)key: field 4 == 1 is RSA, field 12 contains a lowercase "s"
> BITS=$(gpg --with-colons --list-secret-keys "$KEY" | grep -E '^(sec|ssb)(:[^:]*){2}:1(:[^:]*){7}:[^:]*s' | head -1 | cut -f3 -d:)
> # verify bits are at least 4096; an empty BITS (no RSA signing key found) also fails
> [[ -n $BITS ]] && (( BITS >= 4096 )) || exit 1
> {code}
> {{--with-colons}} provides backwards-compatible machine-parseable output predictably. Specifying the $KEY is optional. Unfortunately, the "usage" codes (field 12) to find the signing key/subkey (code "s") aren't displayed if you don't specify $KEY on the command line. So, we need to figure out the one the gpg command will select, and ask about it explicitly.
> GPG's selection method is to use the default key specified in the gpg configuration first. If that isn't set, it just uses the first secret key it finds. There's no better way to figure out which key this is other than to parse the config file. {{gpgconf}} command can help with that.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
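An added example, not part of the ticket or of the Maven GPG plugin: a POSIX shell version of the check the scriptlet in the issue sketches. It reads `gpg --with-colons --list-secret-keys` output from stdin, so it can be exercised offline against constructed listings, and it goes a little beyond the scriptlet: Ed25519 and ECDSA signing keys (small bit length, but not weak) are accepted, and a listing with no signing-capable key fails closed instead of tripping a bash arithmetic error on an empty BITS. The function names, the per-algorithm thresholds and every sample record (fake key IDs) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from MGPG-54 or the maven-gpg-plugin): a weak-signing-key
# gate built on `gpg --with-colons` key-listing records.

# Print "ALGO BITS" for the first sec/ssb record whose capability field
# (field 12) contains a lowercase "s", i.e. that key itself can sign.
# Uppercase letters in field 12 describe the whole key and are ignored.
first_signing_key() {
    awk -F: '($1 == "sec" || $1 == "ssb") && index($12, "s") { print $4, $3; exit }'
}

# Policy (an assumption of this example, not GnuPG's): RSA must be at least
# $3 bits (default 4096, the ticket's threshold); EdDSA and ECDSA on a curve
# of at least 255/256 bits pass; everything else, including DSA, fails closed.
key_is_strong() {
    algo=$1; bits=$2; min_rsa=${3:-4096}
    case $bits in ''|*[!0-9]*) return 1 ;; esac   # non-numeric length: reject
    case $algo in
        1)  [ "$bits" -ge "$min_rsa" ] ;;          # RSA (OpenPGP algorithm id 1)
        22) [ "$bits" -ge 255 ] ;;                 # EdDSA; Ed25519 lists 255 in field 3
        19) [ "$bits" -ge 256 ] ;;                 # ECDSA on P-256 or larger
        *)  return 1 ;;                            # DSA (17), ElGamal, unknown: reject
    esac
}

# Read key-listing records on stdin; return 0 if the signing key passes,
# 1 if it is below policy, 2 if no signing-capable secret key was listed.
check_signing_key() {
    rec=$(first_signing_key)
    if [ -z "$rec" ]; then
        echo "no signing-capable secret key found" >&2
        return 2
    fi
    algo=${rec%% *}
    bits=${rec##* }
    if key_is_strong "$algo" "$bits" "${1:-4096}"; then
        return 0
    fi
    echo "refusing to sign: algorithm $algo with $bits bits is below policy" >&2
    return 1
}

# Constructed sample listings in --with-colons format (fake key IDs, not real keys).
# 4096-bit RSA primary that signs itself (lowercase "s" on the sec record):
LISTING_RSA4096='sec:u:4096:1:0123456789ABCDEF:1556789012::::::scESC:::+:::23::0:
fpr:::::::::FEDCBA98765432100123456789ABCDEF01234567:
ssb:u:4096:1:89ABCDEF01234567:1556789012::::::e:::+:::23:'
# Certify-only 4096-bit primary (only an uppercase S) with a 2048-bit RSA signing subkey:
LISTING_RSA2048_SUB='sec:u:4096:1:0123456789ABCDEF:1556789012::::::cESC:::+:::23::0:
ssb:u:2048:1:89ABCDEF01234567:1556789012::::::s:::+:::23:'
# Ed25519 primary (algorithm 22, curve size 255):
LISTING_ED25519='sec:u:255:22:0123456789ABCDEF:1556789012::::::scESC:::+::ed25519:23::0:'
# Secret material that cannot sign at all (encrypt-only subkey):
LISTING_NOSIGN='sec:u:4096:1:0123456789ABCDEF:1556789012::::::cEC:::+:::23::0:
ssb:u:4096:1:89ABCDEF01234567:1556789012::::::e:::+:::23:'

# Real use, with $KEY resolved the way the ticket's scriptlet does (not run here):
#   gpg --with-colons --list-secret-keys "$KEY" | check_signing_key 4096 || exit 1
```

The case distinction in field 12 is the part that is easy to get wrong: a certify-only primary reports an uppercase `S` because some subkey can sign, while the lowercase `s` sits on the record of the key that actually holds the signing capability, so matching on the lowercase letter is what surfaces the 2048-bit subkey in the second listing.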