Alexander Kjäll created MNG-5814:
------------------------------------
Summary: Be able to verify the pgp signature of downloaded plugins
Key: MNG-5814
URL: https://issues.apache.org/jira/browse/MNG-5814
Project: Maven
Issue Type: Bug
Components: Plugin Requests
Reporter: Alexander Kjäll
In order to protect ourselves against an attacker that can do injection attacks
on our downloads we need to verify the pgp signatures of the downloaded
artifacts.
For normal dependencies this can be done with a plugin, for example this one:
https://github.com/s4u/pgpverify-maven-plugin/
But it's not possible for a plugin to verify its own authenticity, as it was
downloaded over a possibly insecure channel itself.
Therefore we need something preinstalled that verifies that the plugin we
downloaded is the same one that was specified in our pom file.
I propose that functionality is added to maven that verifies the jar and pom
files against its pgp signature files for plugins. And some sort of notation
is added to the pom file so that it's possible to specify the signing key for a
plugin.
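The check the proposal asks for, as an added example that is not part of this issue and not Maven's own code: a pinned key fingerprint is read from the pom, and the result of `gpg --status-fd` for the plugin's `.asc` file is accepted only if the VALIDSIG line names that key. The `<signingKey>` element is a hypothetical notation (the issue only asks for "some sort of notation"), and the pom fragment, fingerprints and gpg status lines are constructed sample data.

```python
"""Pin a plugin's PGP signing key in the pom and check gpg's verdict against it.

Added example. <signingKey> is a hypothetical pom element; all fingerprints and
gpg status lines below are constructed, not real keys or real output.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom fragment: the plugin declares the fingerprint of the key that
# must have signed its jar/pom (hypothetical <signingKey> element).
POM_FRAGMENT = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins>
    <plugin>
      <groupId>org.example</groupId>
      <artifactId>example-maven-plugin</artifactId>
      <version>1.0.0</version>
      <signingKey>0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567</signingKey>
    </plugin>
  </plugins></build>
</project>"""


def pinned_keys(pom_xml):
    """Return {'groupId:artifactId': 40-hex fingerprint} for pinned plugins."""
    root = ET.fromstring(pom_xml)
    pins = {}
    for plugin in root.findall(".//m:plugins/m:plugin", NS):
        key = plugin.findtext("m:signingKey", default=None, namespaces=NS)
        if key is None:
            continue
        gid = plugin.findtext("m:groupId", namespaces=NS)
        aid = plugin.findtext("m:artifactId", namespaces=NS)
        pins[f"{gid}:{aid}"] = key.replace(" ", "").upper()
    return pins


def gpg_verify_command(artifact_path, signature_path):
    """Argument vector that makes gpg emit machine-readable status lines."""
    return ["gpg", "--batch", "--status-fd", "1", "--verify",
            signature_path, artifact_path]


def verify_status(status_lines, expected_fpr):
    """Return (accepted, reason) for gpg --status-fd output and a pinned key.

    GOODSIG only says *some* key in the keyring made a valid signature, so an
    attacker's key that found its way into the keyring would also pass. Only
    VALIDSIG carries full fingerprints: the signing (sub)key first and, as the
    last field, the primary key. The pin is accepted against either. Any
    BADSIG/ERRSIG line rejects the artifact outright.
    """
    expected_fpr = expected_fpr.replace(" ", "").upper()
    seen = set()
    for line in status_lines:
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "[GNUPG:]":
            continue
        if tokens[1] in ("BADSIG", "ERRSIG", "NODATA"):
            return False, f"gpg reported {tokens[1]}"
        if tokens[1] == "VALIDSIG" and len(tokens) >= 3:
            seen.add(tokens[2].upper())          # key that made the signature
            if len(tokens) >= 12:
                seen.add(tokens[11].upper())     # primary key fingerprint
    if not seen:
        return False, "no VALIDSIG line: signature not verified"
    if expected_fpr in seen:
        return True, "signature made by the pinned key"
    return False, f"signed by {sorted(seen)}, expected {expected_fpr}"


def check_plugin(pom_xml, coordinate, status_lines):
    """Combine both steps: look up the pin for a plugin and judge gpg's output."""
    pins = pinned_keys(pom_xml)
    if coordinate not in pins:
        return False, "no signing key pinned for this plugin"
    return verify_status(status_lines, pins[coordinate])


# Constructed gpg status output: a subkey signs, the primary key matches the pin.
STATUS_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Plugin Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2015-05-01 "
    "1430000000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Constructed: a valid signature, but by a different (unpinned) key.
STATUS_OTHER_KEY = [
    "[GNUPG:] GOODSIG 1111111111111111 Someone Else <other@example.invalid>",
    "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2015-05-01 "
    "1430000000 0 4 0 1 10 00 1111111111111111111111111111111111111111",
]
# Constructed: tampered artifact.
STATUS_BAD = ["[GNUPG:] BADSIG 89ABCDEF01234567 Plugin Signer <signer@example.invalid>"]

if __name__ == "__main__":
    coord = "org.example:example-maven-plugin"
    for name, lines in (("good", STATUS_GOOD), ("other", STATUS_OTHER_KEY), ("bad", STATUS_BAD)):
        print(name, check_plugin(POM_FRAGMENT, coord, lines))
```

Pinning by fingerprint in the pom means the decision does not depend on web-of-trust state (the TRUST_UNDEFINED line is ignored), which is what makes the check reproducible on a fresh build machine.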
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)