37

I was trying to find if there is SSL enabled central repository but there probably isn't. I noticed that there are signatures for every jar and pom file in maven central repository. So at least I'd like to check signatures of all maven downloaded files (pom/jar).

The example from http://repo1.maven.org/maven2/org/apache/ant/ant/1.8.2/:

ant-1.8.2.jar
ant-1.8.2.jar.asc
ant-1.8.2.jar.asc.md5
ant-1.8.2.jar.asc.sha1
ant-1.8.2.jar.md5
ant-1.8.2.jar.sha1
ant-1.8.2.pom
ant-1.8.2.pom.asc
ant-1.8.2.pom.asc.md5
ant-1.8.2.pom.asc.sha1
ant-1.8.2.pom.md5
ant-1.8.2.pom.sha1

I realize that I'll have to import public keys for every repository and I'm fine with that. I guess that public keys for maven central are here https://svn.apache.org/repos/asf/maven/project/KEYS.

There are PLENTY of tutorials on web on how to sign with maven. However I didn't find any information on how to force maven (2 or 3) to verify signatures of downloaded jar/pom files. Is it possible?

(Nexus Professional is not an option)

Thank you for help.

Nadeem_MK
  • 7,533
  • 7
  • 50
  • 61
IgorY
  • 535
  • 4
  • 7
  • Each artifact is signed with the individual uploader's key, so I don't know that KEYS will contain them. And when registering e.g. with the Sonatype OSS server, there isn't any phase by which the uploader's PGP key is put on file. That said, I also want an answer for this. – Michael Ekstrand May 11 '13 at 23:44
  • 1
    [MNG-2477](http://jira.codehaus.org/browse/MNG-2477) is the (currently open) issue to add this functionality to Maven. – Joe Oct 08 '13 at 12:16
  • Are you using Artifactory or some like this? Is it an option? Take a look at the plugins: http://www.jfrog.com/home/v_artifactorypro_features#addon-webstart – Pmt Oct 28 '13 at 17:42

4 Answers4

10

Now, that people seem to realize this is a real security problem (as described in this blog-post (the blog seems down, here is an archived version of the blog)), there is a plugin for verifying PGP signatures. You can verify the signatures for all dependencies of your project with the following command:

mvn org.simplify4u.plugins:pgpverify-maven-plugin:check

Of course, to be 100% sure the plugin is not malicious by itself, you would have to download and verify the source for the plugin from maven central, build it with maven, and execute it. (And this should also be done with all the dependencies and plugins that are needed for the build, recursively.)

Or you use Maven 3.2.3 or above (with a clean repository), which uses TLS for downloading all artefacts. Thus man-in-the-middle attacks are impossible and you get at least the artefacts as they are on maven central.

See also:

Slawomir Jaranowski
  • 7,381
  • 3
  • 25
  • 33
Martin Höller
  • 2,714
  • 26
  • 44
2

Could you write a bash shell script using GnuPG to verify each sig?

Something like: for x in *.jar; do gpg --verify "${x}".asc; done

Obviously you would need the public keys for all the sigs before you started.

Geeb
  • 631
  • 8
  • 19
1

SSL access to Central is now available for a token payment. From https://blog.sonatype.com/people/2012/10/now-available-ssl-connectivity-to-central/ :

We’re making SSL connectivity to Central available to anyone that downloads open source components regardless of the repository manager.

...

In order to ensure the highest level of performance for those who count on SSL, we are securing the service with a token. You can get a token for your organization simply by providing a $10 donation that will be donated to open source causes.

Community
  • 1
  • 1
Joe
  • 29,416
  • 12
  • 68
  • 88
  • 3
    This is/was correct but is now outdated. See Sonatype's announcement: http://blog.sonatype.com/2014/07/ssl_connectivity_for_central/ – Martin Höller Aug 14 '14 at 07:53
1

Assuming you only want to download artifacts w/ valid checksums, one option would be to run the OSS version of Nexus and configure it to have a proxy of central. Then configure your settings.xml to only load from your repo (mirror tag in settings.xml). You can then configure nexus to only allow artifacts that have a valid checksum.

Michael
  • 6,141
  • 2
  • 20
  • 21