Hi,
We don’t own avalon-framework so we can’t fix it.
Thanks
From: Didier Schlegel <didier.schle...@bluewin.ch> 
Sent: 27 August 2018 09:07
To: fop-dev@xmlgraphics.apache.org
Subject: PGP signatures of avalon-framework
Dear FOP developers,

After reading this article
(http://branchandbound.net/blog/security/2012/03/crossbuild-injection-how-safe-is-your-build/)
about cross-build injection attacks I decided to give the
pgpverify-maven-plugin
(https://www.simplify4u.org/pgpverify-maven-plugin/index.html) a try.

We use Apache FOP in our project and two transitive dependencies of FOP 2.3 did
not pass the PGP verification:
 - org.apache.avalon.framework:avalon-framework-api:jar:4.3.1
 - org.apache.avalon.framework:avalon-framework-impl:jar:4.3.1
both retrieved from Maven Central
(https://repo1.maven.org/maven2/org/apache/avalon/framework/avalon-framework-impl/4.3.1/).

[WARNING] org.apache.avalon.framework:avalon-framework-api:jar:4.3.1 PGP Signature ERROR
       KeyId: 0xD0ACAD776E6D31C6 UserIds: [Jorg Heymans (CODE SIGNING KEY) <jheym...@apache.org>]
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-api\4.3.1\avalon-framework-api-4.3.1.jar
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-api\4.3.1\avalon-framework-api-4.3.1.jar.asc
[WARNING] org.apache.avalon.framework:avalon-framework-impl:jar:4.3.1 PGP Signature ERROR
       KeyId: 0xD0ACAD776E6D31C6 UserIds: [Jorg Heymans (CODE SIGNING KEY) <jheym...@apache.org>]
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-impl\4.3.1\avalon-framework-impl-4.3.1.jar
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-impl\4.3.1\avalon-framework-impl-4.3.1.jar.asc

According to the pgpverify plugin these two libraries are not correctly signed.
Is there a way to replace them with a correctly signed version? If not, and if
they are considered trustworthy, maybe it would be better to remove the
signature file from the Maven repository, as it does not match.

I contacted Jorg Heymans about this and he told me to contact the Cocoon
developer mailing list. I thought I had better try this list, as we actually use FOP
and the Avalon-Framework is a dependency brought in by FOP.

Sincerely,

Didier Schlegel 
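An added example, not part of this thread or of the pgpverify plugin: a small Python parser for the plugin's warning output that groups the per-artifact lines into records, rebuilds the Maven Central URLs of each jar and its detached .asc so the signature can be re-checked with gpg independently of the build, and lists the failures not covered by a documented exception. The log sample is constructed from the warnings quoted above; the fop "OK" line, the record layout and the function names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of pgpverify-maven-plugin output, modelled on the warnings
# quoted above (coordinates, key id and local paths are the ones from the
# message; the fop "OK" line is made up for contrast).
SAMPLE_LOG = r"""
[INFO] org.apache.xmlgraphics:fop:jar:2.3 PGP Signature OK
[WARNING] org.apache.avalon.framework:avalon-framework-api:jar:4.3.1 PGP Signature ERROR
       KeyId: 0xD0ACAD776E6D31C6 UserIds: [Jorg Heymans (CODE SIGNING KEY) <jheym...@apache.org>]
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-api\4.3.1\avalon-framework-api-4.3.1.jar
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-api\4.3.1\avalon-framework-api-4.3.1.jar.asc
[WARNING] org.apache.avalon.framework:avalon-framework-impl:jar:4.3.1 PGP Signature ERROR
       KeyId: 0xD0ACAD776E6D31C6 UserIds: [Jorg Heymans (CODE SIGNING KEY) <jheym...@apache.org>]
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-impl\4.3.1\avalon-framework-impl-4.3.1.jar
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-impl\4.3.1\avalon-framework-impl-4.3.1.jar.asc
"""

RESULT_RE = re.compile(r"^\[\w+\] ([^:\s]+):([^:\s]+):([^:\s]+):(\S+) PGP Signature (OK|ERROR)\s*$")
KEY_RE = re.compile(r"^\s*KeyId: (0x[0-9A-Fa-f]+) UserIds: \[(.*)\]\s*$")
PATH_RE = re.compile(r"^\[WARNING\] (\S+)$")  # bare jar / .asc path lines

def parse_pgpverify_log(text: str) -> List[Dict[str, str]]:
    """Group the plugin's per-artifact lines into one record per artifact."""
    results: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            g, a, p, v, status = m.groups()
            results.append({"coords": f"{g}:{a}:{v}", "group": g, "artifact": a,
                            "packaging": p, "version": v, "status": status})
            continue
        if not results:          # stray line before the first artifact
            continue
        k = KEY_RE.match(line)
        if k:
            results[-1]["key_id"], results[-1]["user_ids"] = k.group(1), k.group(2)
        elif PATH_RE.match(line):
            path = PATH_RE.match(line).group(1)
            results[-1]["asc_path" if path.endswith(".asc") else "jar_path"] = path
    return results

def central_urls(r: Dict[str, str], base: str = "https://repo1.maven.org/maven2") -> Dict[str, str]:
    """Canonical Maven Central URLs of the artifact and its detached .asc, for an independent gpg check."""
    f = f"{base}/{r['group'].replace('.', '/')}/{r['artifact']}/{r['version']}/{r['artifact']}-{r['version']}.{r['packaging']}"
    return {"artifact": f, "signature": f + ".asc"}

def unreviewed_failures(results: List[Dict[str, str]], reviewed: Dict[str, str]) -> List[str]:
    """Failures not covered by an explicit exception (coords -> reason); a build should not pass with any."""
    return [r["coords"] for r in results if r["status"] == "ERROR" and r["coords"] not in reviewed]
```

The exception map is meant to be kept in version control with a reason per entry, so a mismatching signature is either fixed upstream or consciously accepted, never silently ignored.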
