Posted to dev@jmeter.apache.org by Vladimir Sitnikov <si...@gmail.com> on 2019/08/07 13:02:43 UTC

Dependency checksum verification vs PGP-based verification

Hi,

Historically JMeter build used SHA512 for verification of the dependencies.

I wonder whether we should use PGP-based verification instead.
Would you consider "trust org.apache.bcel dependency if it is signed by
86fdc7e2a11262cb" good enough?

A rough estimate shows that we have ~180 dependencies,
and we are missing signatures for ~30 of them (see below).

What do you think if we use "dependency verification" in the form of
87a7f75a6a8ba5fc org.apache.activemq
86fdc7e2a11262cb org.apache.bcel
3faad2cd5ecbb314 org.apache.commons
64a16faaec16a4be org.apache.commons
?

In other words "trust dependency
org.apache.commons:<any-module>:<any-version> if it is signed by
3faad2cd5ecbb314 or 64a16faaec16a4be PGP key"
That would simplify library upgrades since the library is often released by
a finite set of PGP keys.

I am thinking along the lines of (see
https://github.com/vlsi/vlsi-release-plugins/issues/9 )

<dependency-verification>
    <trusted-keys>
        <!-- Trust artifacts for org.jetbrains.** if they are signed by bcf4173966770193 -->
        <key id="bcf4173966770193" group="org.jetbrains"/>
        <!-- Trust artifacts for org.jetbrains.intellij.deps.** if they are signed by 379ce192d401ab61 -->
        <key id="379ce192d401ab61" group="org.jetbrains.intellij.deps"/>
    </trusted-keys>
    <dependencies>
        <!-- Trust the specific module if it is signed by one of the two keys OR
             if it has one of the two checksums -->
        <dependency group="com.android.tools" module="dvlib" version="24.0.0">
            <sha512>BF96E53408EAEC8E366F50E0125D6E7E072400887C03EC3C7E8C0B4C9267E5E5B4C0BB2D1FA3355B878DFCEE9334FB145AC38E3CD54D869D9F5283145169DECF</sha512>
            <sha512>239789823479823497823497234978</sha512>
            <pgp>ac214caa0612b399</pgp>
            <pgp>bcf4173966770193</pgp>
        </dependency>
    </dependencies>
</dependency-verification>


31 PGP signatures are missing.
I have created an ASM issue to add PGP signatures:
https://gitlab.ow2.org/asm/asm/issues/317878
Similar issues can be created for most of the remaining dependencies.

  antlr:antlr:2.7.7@jar.asc
  bsf:bsf:2.4.0@jar.asc
  com.github.bulenkov.darcula:darcula:e208efb96f70e4be9dc362fbb46f6e181ef501dd@jar.asc
  com.github.vlsi.gradle:crlf-plugin:1.17.0@jar.asc
  com.github.vlsi.gradle:ide-plugin:1.17.0@jar.asc
  com.github.vlsi.gradle:license-gather-plugin:1.17.0@jar.asc
  com.github.vlsi.gradle:stage-vote-release-plugin:1.17.0@jar.asc
  commons-logging:commons-logging:1.0.4@jar.asc
  de.marcphilipp.gradle:nexus-publish-plugin:0.2.0@jar.asc
  gradle.plugin.com.github.spotbugs:spotbugs-gradle-plugin:1.6.10@jar.asc
  gradle.plugin.org.jetbrains.gradle.plugin.idea-ext:gradle-idea-ext:0.5@jar.asc
  net.jcip:jcip-annotations:1.0@jar.asc
  net.sf.ezmorph:ezmorph:1.0.6@jar.asc
  net.sf.json-lib:json-lib:2.3:jdk15@jar.asc
  org.codehaus.groovy.modules.http-builder:http-builder:0.7.1@jar.asc
  org.nosphere.apache:creadur-rat-gradle:0.5.0@jar.asc
  org.ow2.asm:asm-analysis:6.2.1@jar.asc
  org.ow2.asm:asm-analysis:7.0@jar.asc
  org.ow2.asm:asm-commons:6.2.1@jar.asc
  org.ow2.asm:asm-commons:7.0@jar.asc
  org.ow2.asm:asm-tree:6.2.1@jar.asc
  org.ow2.asm:asm-tree:7.0@jar.asc
  org.ow2.asm:asm-util:7.0@jar.asc
  org.ow2.asm:asm:6.2.1@jar.asc
  org.ow2.asm:asm:7.0@jar.asc
  org.ow2.asm:asm:7.1@jar.asc
  oro:oro:2.0.8@jar.asc
  xerces:xercesImpl:2.9.1@jar.asc
  xml-resolver:xml-resolver:1.2@jar.asc
  xmlpull:xmlpull:1.1.3.1@jar.asc
  xpp3:xpp3_min:1.1.4c@jar.asc

Vladimir
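A small evaluator for the trust policy sketched in the post above, added here as an example and not code from the post, JMeter or vlsi-release-plugins. It applies the two rules the post describes: a group-wide key in `<trusted-keys>` vouches for any module and version under that group (and its sub-groups), and a `<dependency>` entry accepts an exact coordinate if either a listed checksum or a listed key matches. `load_policy`, `is_trusted`, the sample module names in the checks, and the assumption that the caller has already verified the `.asc` signature and knows which key produced it are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy in the format proposed in the post; the checksum
# and key ids are the ones quoted there, trimmed to one checksum entry.
SAMPLE_SHA512 = ("BF96E53408EAEC8E366F50E0125D6E7E072400887C03EC3C7E8C0B4C9267E5E5"
                 "B4C0BB2D1FA3355B878DFCEE9334FB145AC38E3CD54D869D9F5283145169DECF")
POLICY = f"""<dependency-verification>
  <trusted-keys>
    <key id="bcf4173966770193" group="org.jetbrains"/>
    <key id="379ce192d401ab61" group="org.jetbrains.intellij.deps"/>
  </trusted-keys>
  <dependencies>
    <dependency group="com.android.tools" module="dvlib" version="24.0.0">
      <sha512>{SAMPLE_SHA512}</sha512>
      <pgp>ac214caa0612b399</pgp>
      <pgp>bcf4173966770193</pgp>
    </dependency>
  </dependencies>
</dependency-verification>"""

def load_policy(xml_text):
    """Parse the policy into (group-wide trusted keys, per-artifact entries)."""
    root = ET.fromstring(xml_text)
    trusted = [(k.get("group"), k.get("id").lower()) for k in root.iter("key")]
    entries = {}
    for d in root.iter("dependency"):
        coord = (d.get("group"), d.get("module"), d.get("version"))
        entries[coord] = {
            "sha512": {e.text.strip().lower() for e in d.findall("sha512")},
            "pgp": {e.text.strip().lower() for e in d.findall("pgp")},
        }
    return trusted, entries

def group_matches(pattern, group):
    """'org.jetbrains' covers org.jetbrains and org.jetbrains.**, not org.jetbrainsx."""
    return group == pattern or group.startswith(pattern + ".")

def is_trusted(policy, group, module, version, sha512=None, signer_key=None):
    """Accept if a group-wide key signed the artifact, or its exact coordinates
    have an entry whose checksum OR key matches. The .asc signature itself is
    assumed to have been verified already; signer_key is the id of that key."""
    trusted, entries = policy
    key = signer_key.lower() if signer_key else None
    sha = sha512.lower() if sha512 else None
    if key and any(group_matches(p, group) and k == key for p, k in trusted):
        return True
    entry = entries.get((group, module, version))
    if entry is None:
        return False  # unknown artifact: nothing in the policy can vouch for it
    return bool((sha and sha in entry["sha512"]) or (key and key in entry["pgp"]))
```

The ids compared here are the 64-bit long key ids the post uses; a policy that stores full fingerprints instead removes the (small) chance of a key-id collision.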

Re: Dependency checksum verification vs PGP-based verification

Posted by Vladimir Sitnikov <si...@gmail.com>.
> and follow the requirement from ASF:

I mean verification of dependencies at build time.
I don't think ASF has a requirement to validate dependencies.

Vladimir

Re: Dependency checksum verification vs PGP-based verification

Posted by Milamber <mi...@apache.org>.
Hello Vladimir,

JMeter uses SHA512 (since 2017) and follows the requirement from ASF:
http://www.apache.org/dev/release-distribution#sigs-and-sums

You can check the JMeter distribution with the ASF Checker, which checks
the PGP signature and the SHA512 checksum:
https://checker.apache.org/projs/jmeter.html

I suppose that we can do the same thing to check the jar files used by
JMeter (i.e. check the PGP signatures and the SHA checksums).

Milamber


On 07/08/2019 14:02, Vladimir Sitnikov wrote: