Hi,

Historically JMeter build used SHA512 for verification of the dependencies.

I wonder what if we use PGP-based verification instead. Would you consider "trust org.apache.bcel dependency if it is signed by 86fdc7e2a11262cb" good enough?

Rough estimation shows that we have ~180 dependencies, and we miss signatures for ~30 of them (see below).

What do you think if we use "dependency verification" in a form of

    87a7f75a6a8ba5fc org.apache.activemq
    86fdc7e2a11262cb org.apache.bcel
    3faad2cd5ecbb314 org.apache.commons
    64a16faaec16a4be org.apache.commons

?

In other words, "trust dependency org.apache.commons:<any-module>:<any-version> if it is signed by 3faad2cd5ecbb314 or 64a16faaec16a4be PGP key".

That would simplify library upgrades since the library is often released by a finite set of PGP keys.

I think something along the lines of (see https://github.com/vlsi/vlsi-release-plugins/issues/9 )

    <dependency-verification>
      <trusted-keys>
        <!-- Trust artifacts for org.jetbrains.** if they are signed by bcf4173966770193 -->
        <key id="bcf4173966770193" group="org.jetbrains"/>
        <!-- Trust artifacts for org.jetbrains.intellij.deps.** if they are signed by 379ce192d401ab61 -->
        <key id="379ce192d401ab61" group="org.jetbrains.intellij.deps"/>
      </trusted-keys>
      <dependencies>
        <!-- Trust the specific module if it is signed by one of the two keys OR if it has one of the two checksums -->
        <dependency group="com.android.tools" module="dvlib" version="24.0.0">
          <sha512>BF96E53408EAEC8E366F50E0125D6E7E072400887C03EC3C7E8C0B4C9267E5E5B4C0BB2D1FA3355B878DFCEE9334FB145AC38E3CD54D869D9F5283145169DECF</sha512>
          <sha512>239789823479823497823497234978</sha512>
          <pgp>ac214caa0612b399</pgp>
          <pgp>bcf4173966770193</pgp>
        </dependency>
      </dependencies>
    </dependency-verification>

31 missing PGP signatures. I have created an ASM issue to add PGP: https://gitlab.ow2.org/asm/asm/issues/317878
Similar issues can be created for most of the remaining dependencies.
    antlr:antlr:[email protected]
    bsf:bsf:[email protected]
    com.github.bulenkov.darcula:darcula:[email protected]
    com.github.vlsi.gradle:crlf-plugin:[email protected]
    com.github.vlsi.gradle:ide-plugin:[email protected]
    com.github.vlsi.gradle:license-gather-plugin:[email protected]
    com.github.vlsi.gradle:stage-vote-release-plugin:[email protected]
    commons-logging:commons-logging:[email protected]
    de.marcphilipp.gradle:nexus-publish-plugin:[email protected]
    gradle.plugin.com.github.spotbugs:spotbugs-gradle-plugin:[email protected]
    gradle.plugin.org.jetbrains.gradle.plugin.idea-ext:gradle-idea-ext:[email protected]
    net.jcip:jcip-annotations:[email protected]
    net.sf.ezmorph:ezmorph:[email protected]
    net.sf.json-lib:json-lib:2.3:[email protected]
    org.codehaus.groovy.modules.http-builder:http-builder:[email protected]
    org.nosphere.apache:creadur-rat-gradle:[email protected]
    org.ow2.asm:asm-analysis:[email protected]
    org.ow2.asm:asm-analysis:[email protected]
    org.ow2.asm:asm-commons:[email protected]
    org.ow2.asm:asm-commons:[email protected]
    org.ow2.asm:asm-tree:[email protected]
    org.ow2.asm:asm-tree:[email protected]
    org.ow2.asm:asm-util:[email protected]
    org.ow2.asm:asm:[email protected]
    org.ow2.asm:asm:[email protected]
    org.ow2.asm:asm:[email protected]
    oro:oro:[email protected]
    xerces:xercesImpl:[email protected]
    xml-resolver:xml-resolver:[email protected]
    xmlpull:xmlpull:[email protected]
    xpp3:xpp3_min:[email protected]

Vladimir
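As an added example (not JMeter's code and not the vlsi-release-plugins implementation), here is a small evaluator for the trust rules the mail proposes: a group-wide key covers any module and any version under that group (and its sub-groups), while a pinned module is accepted on one of its listed keys OR one of its listed checksums. The XML layout, the org.apache.commons entries in `<trusted-keys>` and the artifact inputs in the test are assumptions built from the values quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed policy in the proposed (hypothetical) layout; the key ids and the
# dvlib sha512 are the ones quoted in the mail, not a real plugin schema.
DVLIB_SHA512 = ("BF96E53408EAEC8E366F50E0125D6E7E072400887C03EC3C7E8C0B4C9267E5E5"
                "B4C0BB2D1FA3355B878DFCEE9334FB145AC38E3CD54D869D9F5283145169DECF")
POLICY_XML = f"""<dependency-verification>
  <trusted-keys>
    <key id="bcf4173966770193" group="org.jetbrains"/>
    <key id="379ce192d401ab61" group="org.jetbrains.intellij.deps"/>
    <key id="3faad2cd5ecbb314" group="org.apache.commons"/>
    <key id="64a16faaec16a4be" group="org.apache.commons"/>
  </trusted-keys>
  <dependencies>
    <dependency group="com.android.tools" module="dvlib" version="24.0.0">
      <sha512>{DVLIB_SHA512}</sha512>
      <pgp>ac214caa0612b399</pgp>
      <pgp>bcf4173966770193</pgp>
    </dependency>
  </dependencies>
</dependency-verification>"""

def load_policy(xml_text):
    # Returns (group -> trusted key ids, (group, module, version) -> (keys, sha512s))
    root = ET.fromstring(xml_text)
    trusted = {}
    for k in root.iter("key"):
        trusted.setdefault(k.get("group"), set()).add(k.get("id").lower())
    pinned = {}
    for d in root.iter("dependency"):
        coord = (d.get("group"), d.get("module"), d.get("version"))
        pinned[coord] = ({e.text.strip().lower() for e in d.findall("pgp")},
                         {e.text.strip().lower() for e in d.findall("sha512")})
    return trusted, pinned

def group_matches(pattern, group):
    # "org.jetbrains" covers org.jetbrains and org.jetbrains.**, but not
    # org.jetbrainsx: the prefix must end on a dot boundary.
    return group == pattern or group.startswith(pattern + ".")

def is_trusted(policy, group, module, version, signer_key=None, sha512=None):
    # Group-wide key: any module, any version. Pinned module: listed key OR checksum.
    trusted, pinned = policy
    signer = signer_key.lower() if signer_key else None
    if any(group_matches(p, group) and signer in keys for p, keys in trusted.items()):
        return True
    keys, sums = pinned.get((group, module, version), (set(), set()))
    if signer in keys:
        return True
    return sha512 is not None and sha512.lower() in sums
```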
