[ 
https://issues.apache.org/jira/browse/MNGSITE-334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16447376#comment-16447376
 ] 

Karl Heinz Marbaise commented on MNGSITE-334:
---------------------------------------------

I have moved this issue to the correct location because it belongs to our web 
site and to Maven Core itself.

The first thing is that you seem to have misunderstood that the mirrors are 
only for downloading the distribution, not for downloading the checksums and 
the gpg keys, which are only available from Apache servers (via https). 
Furthermore the [download page|https://maven.apache.org/download.cgi] offers 
two things with separate intentions: first the checksum and second the gpg 
signature, plus a link to the [documentation how to check a GPG 
signature|https://www.apache.org/dev/release-signing#verifying-signature]. This 
contains exactly what you call a recipe, and of course it's not easy because 
security is never easy. 

So the first one (checksums) is intended to prevent download errors, so you 
should check your download first against the checksums and second via the GPG 
key... Apart from that, the GPG output you show indicates that you haven't 
checked against the linked KEYS of the developers with your GPG...

And finally I have to say we have changed to use sha1/sha256 checksums in the 
meantime.

> maven installation insecure
> ---------------------------
>
>                 Key: MNGSITE-334
>                 URL: https://issues.apache.org/jira/browse/MNGSITE-334
>             Project: Maven Project Web Site
>          Issue Type: Bug
>            Reporter:  Warren MacEvoy
>            Priority: Major
>
> The recommended install suggests using an insecure mirror, and then provides 
> either an md5 sum (completely insecure, broken a thousand years ago), or a 
> gpg signature (99% of installers will give up on following these directions, 
> since they provide incomplete instructions on how to actually do it, and it 
> is not easy to do).
> Please provide a SHA256 sum with your distribution! Please remove the MD5 
> sum which is dangerous (provides a false sense of security). Please provide 
> a complete recipe for verifying a signature using GnuPG.
> This bug affects all versions.  Here is the very unsatisfying result of 
> verifying using GPG:
> *gpg --verify $FILE.asc*
> gpg: assuming signed data in `apache-maven-3.5.2-bin.tar.gz'
> gpg: Signature made Wed 18 Oct 2017 01:59:56 AM MDT using DSA key ID B620D787
> gpg: Good signature from "Stephen Connolly <[email protected]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner. 
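
The two-step verification the comment above describes (checksum first, to
catch download errors; then the detached GPG signature against the
developers' KEYS file, to establish authenticity), as an added example that
is not part of the original issue, the comment, or the Maven project's own
tooling. It is a POSIX shell script; the file names (archive, `.sha256`,
`.asc`, `KEYS`) are hypothetical, and it assumes the KEYS and checksum files
were fetched from the Apache servers over https rather than from a mirror.

```shell
#!/bin/sh
# Added example (not from the Maven site or the issue): verify a downloaded
# distribution by (1) comparing its SHA-256 digest with the .sha256 file and
# (2) verifying the detached .asc signature against the project's KEYS file.
# All file names are hypothetical placeholders.

# Hex SHA-256 digest of a file; portable across GNU sha256sum and BSD shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if the digest on the first line of $2 (a .sha256 file, either
# "hex" or "hex  filename") equals the digest of $1. Case-insensitive; an
# empty or missing digest is a failure, never a pass.
verify_checksum() {
    expected=$(awk 'NR==1{print tolower($1)}' "$2" 2>/dev/null)
    actual=$(sha256_of "$1" | tr 'A-Z' 'a-z')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Import the KEYS file into a throwaway keyring and verify the detached
# signature there. Because the keyring holds nothing but KEYS, a "Good
# signature" (exit status 0) can only come from a key listed in KEYS; gpg's
# "not certified with a trusted signature" warning concerns the web of trust
# and does not change that result.
verify_signature() {
    archive=$1; sig=$2; keys=$3
    ring=$(mktemp -d) || return 1
    chmod 700 "$ring"
    if ! gpg --homedir "$ring" --batch --quiet --import "$keys" 2>/dev/null; then
        rm -rf "$ring"; return 1
    fi
    gpg --homedir "$ring" --batch --verify "$sig" "$archive" 2>/dev/null
    rc=$?
    rm -rf "$ring"
    return $rc
}

# Full check for one archive: checksum, then signature. Assumes
# ARCHIVE.sha256, ARCHIVE.asc and KEYS sit in the current directory.
verify_distribution() {
    archive=$1
    verify_checksum "$archive" "$archive.sha256" \
        || { echo "checksum mismatch: $archive" >&2; return 1; }
    verify_signature "$archive" "$archive.asc" KEYS \
        || { echo "signature not verified against KEYS: $archive" >&2; return 1; }
    echo "OK: $archive"
}

# Usage: sh verify.sh apache-maven-X.Y.Z-bin.tar.gz
if [ $# -ge 1 ]; then
    verify_distribution "$1"
fi
```

The order matters for the reason the comment gives: a checksum mismatch
points at a corrupted or truncated download and is cheap to detect, while
only the signature check, against a KEYS file obtained over https from
apache.org, says anything about who produced the archive. Note that the
script treats only gpg's exit status as the verdict; the "no indication that
the signature belongs to the owner" line in the issue is informational once
the signing key is known to come from KEYS.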



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)