
Also verify the pgp signatures of maven plugins #5

Closed
alexanderkjall opened this issue Apr 28, 2015 · 6 comments
Labels
enhancement New feature or request.
Comments

@alexanderkjall (Contributor)

Another attack vector would be to inject a fake version of a maven plugin that the build uses.

Would it be possible to verify the asc files of the maven plugins that are downloaded?

@alexanderkjall (Contributor, Author)

After thinking some more on this I realize that this is maybe functionality that needs to be in maven itself, as someone could just inject a fake version of this plugin itself.

It could still be somewhat useful: if you have this functionality you only need to verify this plugin manually, and this plugin will then verify the rest of the build.

@alexanderkjall (Contributor, Author)

I opened an issue with maven itself: https://issues.apache.org/jira/browse/MNG-5814, as this is something that's impossible to do with a plugin.

slawekjaranowski added the enhancement label on Mar 23, 2016

@netmackan

I have started to consider a different approach to solve the insecure downloads of plugins (and other artifacts) issue:
https://github.com/netmackan/java-binrepo-proxy/
Any feedback is welcome and possible collaboration with this project as well.

@alexanderkjall (Contributor, Author)

I created a bug about this problem in the maven bug tracker a long time ago: https://issues.apache.org/jira/browse/MNG-5814

I haven't followed that up.

I'll think about your design a bit; my initial gut feeling is that it should be safe.

//Alex

@exabrial

I'm curious to hear what your current thoughts are on this! I'd love to have my code built by code that's fully signed soup-to-nuts! Thanks

@slawekjaranowski (Member)

thx to @cobratbq

slawekjaranowski added this to the v1.5.0 milestone on Nov 25, 2019