Hi Didier,
The Avalon project (http://avalon.apache.org) is dead since 2004 and has
moved to the Attic.
It's very unlikely that there will ever be a new release.
I just tested with the mentioned jar, and it seems that the signature is
indeed invalid.
BTW, Maven Central also hosts other avalon-framework versions, which are
unsigned.
And I also found well-signed versions at
http://archive.apache.org/dist/excalibur/avalon-framework/binaries/, but
it's not exactly the same version.
Moreover, from what I found in the public Apache SVN repos, it seems
that the 4.3.1 version only exist in a "excalibur-first-maven2-release"
tag, maybe meaning that this version has been built only to be present
on Maven Central.
In any case, here at Cocoon, we don't maintain this library, we only use it.
Cédric
Le 26/09/2018 à 11:32, Didier Schlegel a écrit :
Dear developers,
after reading this article
(http://branchandbound.net/blog/security/2012/03/crossbuild-injection-how-safe-is-your-build/)
about cross-build injection attacks I decided to give the
pgpverify-maven-plugin
(https://www.simplify4u.org/pgpverify-maven-plugin/index.html) a try.
We use Apache FOP in our project and two transitive dependencies of
FOP 2.3 did not pass the PGP verification:
- org.apache.avalon.framework:avalon-framework-api:jar:4.3.1
- org.apache.avalon.framework:avalon-framework-impl:jar:4.3.1
both retrieved from maven central
(https://repo1.maven.org/maven2/org/apache/avalon/framework/avalon-framework-impl/4.3.1/)
[WARNING] org.apache.avalon.framework:avalon-framework-api:jar:4.3.1
PGP Signature ERROR
KeyId: 0xD0ACAD776E6D31C6 UserIds: [Jorg Heymans (CODE SIGNING
KEY) <jheym...@apache.org>]
[WARNING]
C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-api\4.3.1\avalon-framework-api-4.3.1.jar
[WARNING]
C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-api\4.3.1\avalon-framework-api-4.3.1.jar.asc
[WARNING] org.apache.avalon.framework:avalon-framework-impl:jar:4.3.1
PGP Signature ERROR
KeyId: 0xD0ACAD776E6D31C6 UserIds: [Jorg Heymans (CODE SIGNING
KEY) <jheym...@apache.org>]
[WARNING]
C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-impl\4.3.1\avalon-framework-impl-4.3.1.jar
[WARNING]
C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-impl\4.3.1\avalon-framework-impl-4.3.1.jar.asc
According to the pgpverify plugin these two libraries are not
correctly signed. Is there a way to replace them with a correctly
signed version? If not and if they are considered as trustful, maybe
it would be better to remove the signature file from the maven
repository as it does not match.
I contacted Jorg Heymans about this and he told me to contact this
cocoon developer mailinglist.
Sincerly,
Didier Schlegel
--
Cédric Damioli
CMS - Java - Open Source
www.ametys.org
