Hello Vladimir,
JMeter user SHA512 (since 2017) and follow the requirement from ASF:
http://www.apache.org/dev/release-distribution#sigs-and-sums
You can check the JMeter distribution with the ASF Checker, that check
the PGP sign And the SHA512 checksum:
https://checker.apache.org/projs/jmeter.html
I suppose that we can do the same things to check the jar files used by
JMeter (i.e. check the PGP signs and the SHA checksum).
Milamber
On 07/08/2019 14:02, Vladimir Sitnikov wrote:
Hi,
Historically JMeter build used SHA512 for verification of the dependencies.
I wonder what if we use PGP-based verification instead.
Would you consider "trust org.apache.bcel dependency if it is signed by
86fdc7e2a11262cb" good enough?
Rough estimation shows that we have ~180 dependencies
And we miss signatures for ~30 of them (see below).
What do you think if we use "dependency verification" in a form of
87a7f75a6a8ba5fc org.apache.activemq
86fdc7e2a11262cb org.apache.bcel
3faad2cd5ecbb314 org.apache.commons
64a16faaec16a4be org.apache.commons
?
In other words "trust dependency
org.apache.commons:<any-module>:<any-version> if it is signed by
3faad2cd5ecbb314 or 64a16faaec16a4be PGP key"
That would simplify library upgrades since the library is often released by
a finite set of PGP keys.
I think behind the lines of (see
https://github.com/vlsi/vlsi-release-plugins/issues/9 )
<dependency-verification>
<trusted-keys>
<!-- Trust artifacts for org.jetbrains.** if they are signed by
bcf4173966770193 -->
<key id="bcf4173966770193" group="org.jetbrains"/>
<!-- Trust artifacts for org.jetbrains.intellij.deps.** if they are
signed by 379ce192d401ab61 -->
<key id="379ce192d401ab61" group="org.jetbrains.intellij.deps"/>
</trusted-keys>
<dependencies>
<!-- Trust the specific module if it is signed by one of the two
keys OR
if is has one of the two checksums -->
<dependency group="com.android.tools" module="dvlib"
version="24.0.0">
<sha512>BF96E53408EAEC8E366F50E0125D6E7E072400887C03EC3C7E8C0B4C9267E5E5B4C0BB2D1FA3355B878DFCEE9334FB145AC38E3CD54D869D9F5283145169DECF</sha512>
<sha512>239789823479823497823497234978</sha512>
<pgp>ac214caa0612b399</pgp>
<pgp>bcf4173966770193</pgp>
</dependency>
</dependencies>
</dependency-verification>
Missing PGP 31 signatures.
I have created ASM issue to add PGP:
https://gitlab.ow2.org/asm/asm/issues/317878
Similar issues can be created for most of the rest dependencies.
antlr:antlr:[email protected]
bsf:bsf:[email protected]
com.github.bulenkov.darcula:darcula:[email protected]
com.github.vlsi.gradle:crlf-plugin:[email protected]
com.github.vlsi.gradle:ide-plugin:[email protected]
com.github.vlsi.gradle:license-gather-plugin:[email protected]
com.github.vlsi.gradle:stage-vote-release-plugin:[email protected]
commons-logging:commons-logging:[email protected]
de.marcphilipp.gradle:nexus-publish-plugin:[email protected]
gradle.plugin.com.github.spotbugs:spotbugs-gradle-plugin:[email protected]
gradle.plugin.org.jetbrains.gradle.plugin.idea-ext:gradle-idea-ext:[email protected]
net.jcip:jcip-annotations:[email protected]
net.sf.ezmorph:ezmorph:[email protected]
net.sf.json-lib:json-lib:2.3:[email protected]
org.codehaus.groovy.modules.http-builder:http-builder:[email protected]
org.nosphere.apache:creadur-rat-gradle:[email protected]
org.ow2.asm:asm-analysis:[email protected]
org.ow2.asm:asm-analysis:[email protected]
org.ow2.asm:asm-commons:[email protected]
org.ow2.asm:asm-commons:[email protected]
org.ow2.asm:asm-tree:[email protected]
org.ow2.asm:asm-tree:[email protected]
org.ow2.asm:asm-util:[email protected]
org.ow2.asm:asm:[email protected]
org.ow2.asm:asm:[email protected]
org.ow2.asm:asm:[email protected]
oro:oro:[email protected]
xerces:xercesImpl:[email protected]
xml-resolver:xml-resolver:[email protected]
xmlpull:xmlpull:[email protected]
xpp3:xpp3_min:[email protected]
Vladimir
