
How can I be certain that if developer Alice creates and uploads maven package com.example.alice:the-greatest to maven central, and developer Bob includes that package as a dependency in their project com.example.bob:almost-as-great, Bob actually gets Alice's code, and evil genius Charlie can't modify the code somewhere in the journey between Alice and Bob? (Never mind how Charlie would actually do this; bribing someone with root@maven-central with a gazillion simoleons would do as an example)

Linux distros typically solve this problem by having Alice digitally sign the package, require that all packages in the distro are signed and distribute the signatures with the packages, so that Bob can check that the package he has received was indeed signed by Alice and not modified in transit.

I'm fairly new to maven, and apologize if this is a silly question, but none of the tons of files that have ended up in my ~/.m2 look even remotely like a .sig file or something like it.

(I asked this on #maven IRC but nobody responded.)

Johannes Ernst

1 Answer


From https://maven.apache.org/guides/mini/guide-central-repository-upload.html

To improve the quality of the Central Maven repository, we require you to provide PGP signatures for all your artifacts

There's a plugin to verify the signatures: http://www.simplify4u.org/pgpverify-maven-plugin/index.html

Maven Central supports HTTPS as well

What is the correct way of forcing maven to use HTTPS for maven central?

Neil McGuigan
  • So the chain of custody is intact from Alice to Maven Central, but the default is "Charlie has free rein" unless Bob includes something special in every one of his projects? And even then, I don't see how the plugin you mention can be configured with white or black lists of allowed authors. – Johannes Ernst May 06 '15 at 23:31
  • P.S. Why isn't that a maven system setting, like for example `RequireSignature Always` in `/etc/pacman.conf` on Arch, or equivalent in other distros? – Johannes Ernst May 06 '15 at 23:32
  • @JohannesErnst you're right in that Maven should verify PGP signatures by default. Perhaps you can provide a patch for them ;) In the meantime, you can DRY your config by using a Company Super POM: http://www.mosabuam.com/2009/10/company-super-pom-a-maven-practice – Neil McGuigan May 07 '15 at 00:28
  • @NeilMcGuigan It may not be as simple as that: there also needs to be a web of trust of some kind, otherwise Charlie can simply sign the changed package: the signature check passes, but it wasn't Alice's. – Johannes Ernst May 07 '15 at 03:16
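A worked version of the check the answer points at, as an added example (this is not code from the original post and not pgpverify-maven-plugin's own code): a POSIX shell script that fetches a jar and its detached `.asc` signature from Maven Central, verifies the signature with gpg, and then compares the fingerprint of the key that signed against an allowlist that Bob maintains. That allowlist is the "white list of allowed authors" asked about in the comments: a signature made by Charlie's key verifies just as cleanly as one made by Alice's, so pinning the fingerprint is what turns "somebody signed this" into "Alice signed this". The repository layout (`https://repo1.maven.org/maven2/<group path>/<artifact>/<version>/<artifact>-<version>.jar` with the signature beside it as `.jar.asc`), the keyserver URL, and the sample coordinates and fingerprints are assumptions; `curl` and `gpg` must be installed.

```shell
#!/bin/sh
# Added example, not code from the original post or from pgpverify-maven-plugin.
# Does by hand what Bob would want Maven to do by default: fetch Alice's jar and
# its detached PGP signature from Central, verify the signature, then pin the
# signing key so that a *valid* signature from Charlie's key is still rejected.
#
# Assumptions (not stated on the page): Central's layout is
#   <REPO_URL>/<group/as/path>/<artifact>/<version>/<artifact>-<version>.jar
# with the signature beside it as <artifact>-<version>.jar.asc; curl and gpg
# are installed; KEYSERVER and every fingerprint below are placeholders.

REPO_URL=${REPO_URL:-https://repo1.maven.org/maven2}
KEYSERVER=${KEYSERVER:-hkps://keyserver.ubuntu.com}

# Repository path of an artifact's jar, derived from its Maven coordinates.
artifact_path() {
  group_path=$(printf '%s' "$1" | tr . /)
  printf '%s/%s/%s/%s-%s.jar' "$group_path" "$2" "$3" "$2" "$3"
}

# Normalise a fingerprint: drop spaces and an optional 0x prefix, upper-case.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr '[:lower:]' '[:upper:]'
}

# Classify gpg --status-fd output read from stdin:
#   GOOD      signature is cryptographically valid (VALIDSIG present)
#   NO_PUBKEY signer's key is not in the local keyring, nothing was checked
#   BAD       anything else (BADSIG on a tampered jar, unreadable .asc, ...)
verdict() {
  status=$(cat)
  case $status in
    *"[GNUPG:] VALIDSIG "*)  echo GOOD ;;
    *"[GNUPG:] NO_PUBKEY "*) echo NO_PUBKEY ;;
    *)                       echo BAD ;;
  esac
}

# Fingerprint of the key that made the signature, from the VALIDSIG status
# line ("[GNUPG:] VALIDSIG <fingerprint> <date> ...").
signer_fingerprint() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# The pin: the signing key must be one of the fingerprints Bob trusts.
# Usage: key_allowed SIGNER_FPR ALLOWED_FPR [ALLOWED_FPR...]
key_allowed() {
  want=$(norm_fpr "$1"); shift
  for fpr in "$@"; do
    [ "$(norm_fpr "$fpr")" = "$want" ] && return 0
  done
  return 1
}

# Download, verify and pin. Usage: verify_artifact GROUP ARTIFACT VERSION FPR [FPR...]
verify_artifact() {
  path=$(artifact_path "$1" "$2" "$3"); shift 3
  jar=$(basename "$path")
  curl -fsSL -o "$jar" "$REPO_URL/$path" || return 2
  curl -fsSL -o "$jar.asc" "$REPO_URL/$path.asc" \
    || { echo "no signature published for $jar" >&2; return 2; }

  status=$(gpg --batch --status-fd 1 --verify "$jar.asc" "$jar" 2>/dev/null || true)
  if [ "$(printf '%s\n' "$status" | verdict)" = NO_PUBKEY ]; then
    # Fetch the issuer's key and retry. A key pulled by ID from a keyserver
    # proves nothing about who owns it; the pin below is what carries trust.
    keyid=$(printf '%s\n' "$status" | awk '$2 == "NO_PUBKEY" { print $3; exit }')
    gpg --batch --keyserver "$KEYSERVER" --recv-keys "$keyid" >/dev/null 2>&1 || return 3
    status=$(gpg --batch --status-fd 1 --verify "$jar.asc" "$jar" 2>/dev/null || true)
  fi
  if [ "$(printf '%s\n' "$status" | verdict)" != GOOD ]; then
    echo "$jar: BAD signature (tampered jar, or key unavailable)" >&2
    return 1
  fi

  signer=$(printf '%s\n' "$status" | signer_fingerprint)
  if key_allowed "$signer" "$@"; then
    echo "$jar: good signature from pinned key $signer"
  else
    # Charlie's case: the signature verifies, but it is not Alice's key.
    echo "$jar: signature is valid but from UNPINNED key $signer" >&2
    return 1
  fi
}
```

Run it as `verify_artifact com.example.alice the-greatest 1.0.0 <Alice's fingerprint>`; it exits 0 only when the jar is unmodified and was signed by a pinned key. Two caveats a practitioner will want: the `.sha1` files Maven already downloads into `~/.m2` are checksums, not signatures, so they catch corruption but not Charlie with root on Central, and nothing here is done by Maven itself. pgpverify-maven-plugin's `check` goal performs the same signature check on every dependency during the build, and its keys map file (`keysMapLocation`, with lines of the form `groupId:artifactId = 0xFINGERPRINT`) is the plugin's equivalent of the allowlist above.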