[ https://issues.apache.org/jira/browse/MNG-5814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482040#comment-16482040 ]

Sytze van Koningsveld commented on MNG-5814:
--------------------------------------------

Maven, being a core component of build infra for many organisations, should be 
as secure by default as possible. It should check the PGP signature if present, 
then the SHA and MD5 checksums out of the box, and fail on deviations. I think 
this issue deserves much more attention.

> Be able to verify the pgp signature of downloaded plugins
> ---------------------------------------------------------
>
>                 Key: MNG-5814
>                 URL: https://issues.apache.org/jira/browse/MNG-5814
>             Project: Maven
>          Issue Type: Improvement
>          Components: Plugin Requests
>            Reporter: Alexander Kjäll
>            Priority: Major
>              Labels: security
>
> In order to protect ourselves against an attacker that can do injection attacks 
> on our downloads, we need to verify the PGP signatures of the downloaded 
> artifacts.
> For normal dependencies this can be done with a plugin, for example this one: 
> https://github.com/s4u/pgpverify-maven-plugin/
> But it's not possible for a plugin to verify its own authenticity, as it was 
> downloaded over a possibly insecure channel itself.
> Therefore we need something preinstalled that verifies that the plugin we 
> downloaded is the same one that was specified in our pom file.
> I propose that functionality is added to Maven that verifies the jar and pom 
> files against their PGP signature files for plugins, and that some sort of notation 
> is added to the pom file so that it's possible to specify the signing key for 
> a plugin. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

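The verification flow the issue and comment ask for, written out as an added example (this is not Maven's code and not the pgpverify-maven-plugin's): check every checksum sidecar the repository publishes, then verify the detached .asc signature with gpg and accept it only if the signing key matches a fingerprint pinned by the consumer, which stands in for the pom-side "signing key" notation the issue proposes. Assumptions: the Maven Central file layout (foo.jar beside foo.jar.sha1, foo.jar.md5, foo.jar.asc), a locally installed gpg, and the pinned fingerprints supplied as a plain list; the sample artifact bytes, sidecar files and gpg status lines are constructed here and correspond to no real key.

```python
"""Fail-closed verification of a downloaded Maven artifact: checksum sidecars
plus an OpenPGP signature pinned to a known key fingerprint.
Added example for this thread, not Maven's or the pgpverify plugin's code.
Assumes the Maven Central layout (foo.jar next to foo.jar.sha1/.md5/.asc)
and a locally installed `gpg`. All sample data below is constructed."""
import hashlib
import re
import subprocess
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Sidecar extension -> hashlib algorithm (.sha1 and .md5 are always published).
CHECKSUM_ALGOS = {".sha1": "sha1", ".md5": "md5", ".sha256": "sha256", ".sha512": "sha512"}


class VerificationError(Exception):
    """Any deviation: the artifact must be treated as untrusted, not retried."""


def parse_checksum_file(text: str) -> str:
    """Hex digest from a sidecar, which is a bare digest or "<hex>  <filename>"."""
    first = text.strip().splitlines()[0] if text.strip() else ""
    m = re.match(r"^([0-9a-fA-F]+)(?:\s+\S.*)?$", first)
    if not m:
        raise VerificationError(f"malformed checksum file: {text!r}")
    return m.group(1).lower()


def verify_checksums(data: bytes, sidecars: Dict[str, str],
                     require: Iterable[str] = (".sha1",)) -> List[str]:
    """Every sidecar present must match `data`; those in `require` must exist.
    Sidecars served beside the artifact only catch corruption (whoever swaps
    the jar can regenerate them); authenticity comes from the signature."""
    missing = [ext for ext in require if ext not in sidecars]
    if missing:
        raise VerificationError(f"required checksum file(s) missing: {missing}")
    verified = []
    for ext, text in sidecars.items():
        if ext not in CHECKSUM_ALGOS:
            continue
        expected = parse_checksum_file(text)
        actual = hashlib.new(CHECKSUM_ALGOS[ext], data).hexdigest()
        if actual != expected:
            raise VerificationError(f"{ext} mismatch: sidecar {expected}, actual {actual}")
        verified.append(CHECKSUM_ALGOS[ext])
    return verified


def valid_signatures(status_output: str) -> List[Tuple[str, Optional[str]]]:
    """(signing fpr, primary fpr) from each gpg status line of the form
    "[GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo>
    <hash-algo> <class> <primary-fpr>". gpg emits it only for a signature that
    verified; GOODSIG is ignored since it carries a 64-bit key id, not a fpr."""
    sigs = []
    for line in status_output.splitlines():
        p = line.split()
        if len(p) >= 3 and p[0] == "[GNUPG:]" and p[1] == "VALIDSIG":
            sigs.append((p[2].upper(), p[11].upper() if len(p) >= 12 else None))
    return sigs


def verify_pinned_signature(status_output: str, pinned: Iterable[str]) -> str:
    """Accept only a valid signature by a pinned key (or a subkey of one).
    A merely valid signature proves nothing: an attacker who can replace the
    jar and its .asc can sign with any key. The consumer-side pin is the check."""
    pinned_set = {f.replace(" ", "").upper() for f in pinned}
    sigs = valid_signatures(status_output)
    if not sigs:
        raise VerificationError("no VALIDSIG: signature missing, bad, or key unknown")
    for sig_fpr, primary_fpr in sigs:
        if sig_fpr in pinned_set or primary_fpr in pinned_set:
            return sig_fpr
    raise VerificationError(f"signed by unpinned key(s): {[s for s, _ in sigs]}")


def verify_download(artifact: Path, pinned: Iterable[str]) -> dict:
    """On-disk flow: all sidecars present, then the .asc; a missing .asc fails."""
    sidecars = {ext: artifact.with_name(artifact.name + ext).read_text()
                for ext in CHECKSUM_ALGOS if artifact.with_name(artifact.name + ext).exists()}
    algos = verify_checksums(artifact.read_bytes(), sidecars)
    sig = artifact.with_name(artifact.name + ".asc")
    if not sig.exists():
        raise VerificationError(f"signature file missing: {sig}")
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig), str(artifact)]
    status = subprocess.run(cmd, capture_output=True, text=True).stdout
    return {"checksums": algos, "signed_by": verify_pinned_signature(status, pinned)}


def is_rejected(fn, *args) -> bool:
    """True if fn(*args) raises VerificationError."""
    try:
        fn(*args)
        return False
    except VerificationError:
        return True


# Constructed sample data: not a real artifact, key or gpg session.
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed stand-in for demo-plugin-1.0.jar"
SAMPLE_SIDECARS = {".sha1": hashlib.sha1(SAMPLE_ARTIFACT).hexdigest() + "  demo-plugin-1.0.jar\n",
                   ".md5": hashlib.md5(SAMPLE_ARTIFACT).hexdigest() + "\n"}
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GPG_STATUS = (f"[GNUPG:] GOODSIG {SAMPLE_FPR[-16:]} Example Releaser <rel@example.invalid>\n"
                     f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2020-01-01 1577836800 0 4 0 1 10 00 {SAMPLE_FPR}\n"
                     "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
```

Against the constructed data, verify_checksums(SAMPLE_ARTIFACT, SAMPLE_SIDECARS) verifies both sidecars, and flipping one byte of the artifact or dropping the required .sha1 file is rejected; verify_pinned_signature(SAMPLE_GPG_STATUS, [SAMPLE_FPR]) returns the fingerprint, while the same status with a different pinned fingerprint, or a status containing only GOODSIG or BADSIG, is rejected. verify_download runs the real gpg and needs the signer's public key imported; without the pin it would accept any artifact an attacker signed with their own key, which is exactly why the issue asks for a way to name the key in the pom.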