Hi
The attack scenario that I'm trying to guard against is the following:
Stopping an attacker that manages to exploit the our nexus server from
being able to run arbitrary code on all the build servers and developer
machines in our organization.
best regards
Alexander Kjäll
On 06. des.
What real problem is behind your question?
Are you running any tool which has a problem with signatures in Nexus or
the development process in your company has a problem?
The MD5 is not security nothing but verification of deployed artifact is
identical binary you have downloaded from Nexus, and
This is a a good idea, and a hash it would serve roughly as good as
specifying the key i think, it would maybe even be better since it's
easier to generate a hash.
It might be wise to plan for the future, as what ever hash algorithm
that is considered best practice today will be broken and
From: Bernd Eckenfels <e...@zusammenkunft.net>
Sent: Monday, December 5, 2016 5:10 PM
To: Maven Developers List
Subject: Re: Taking Security Seriously
Having artifact checksums (hashes not signatures) in POM dependency
declarations would b
Having artifact checksums (hashes not signatures) in POM dependency
declarations would be cool, but that is not what .md5 or .asc is used for.
Gruss
Bernd
--
http://bernd.eckenfels.net
On Mon, Dec 5, 2016 at 10:45 PM +0100, "Alexander Kjäll"
wrote:
Maybe we are talking about different attack scenarios?
The vector I would like to protect against is that someone is able to
inject false binaries in a caching nexus server (or over the network
if https is not used).
The way I envision the trust to be established is:
The developer goes either
I fear the proposed change would not improve security but lower it:
if the pom contains the reference to a key "to be used to sign the artifact",
anybody wanting to change the content will just change the key reference to a
value it owns
yes, knowing which keys you should trust to sign which
Regarding verifying the gpg signature, as a contributor to the gpg
verify plugin here:
http://www.simplify4u.org/pgpverify-maven-plugin/index.html
I have some thoughts on why the current infrastructure doesn't really
help us to verify the signatures in practice:
1) Very hard to know what
AFAIK, checksums are there only to avoid stupid download/upload distorsion.
What gives real security is *signature* done by developers, ie .asc files, that
use other hash algorithms than these little .md5 and .sha1 files.
That's why we recommend to verify *the signature* [1].
Another topic:
My view is that the artifact checksums deployed have nothing to do with
security, but just a way for Maven to verify that the download was ok. It's
not verifying that it's the *correct* (valid) artifact that was downloaded.
The apache link you're refering to talks about release signatures, not
Hiya,
So currently checksum's are not generated by default... I've submitted
a ticket which switched the install plugin to generate them by
default.
Next step stop using md5 which most have considered dead for several
years, and checking apache
(https://www.apache.org/dev/release-signing.html)
11 matches
Mail list logo