当前位置: 文江博客 话题详情

基于 Maven POM 的自动化构建系统中依赖真实性验证

发布于 2024-09-11 09:43:18 字数 676 浏览 5 评论 0 原文

我刚刚被指出一篇非常有趣的文章 (已存档)有关安全问题被称为 交叉构建注入 (XBI)。基本上,这是走私不良代码的一个奇特名称 通过自动构建系统(例如 ant、maven 或 ivy)在构建时将其集成到应用程序中。

这个问题可以通过引入依赖项的加密签名验证来缓解,因为它目前在许多操作系统中用于下载包。

需要明确的是:我并不是在谈论简单地为工件提供 md5 或 sha1 哈希值。这已经完成了,但是这些哈希值存储在与工件相同的位置。因此,一旦恶意黑客破坏了存储库并可以替换工件,他们也可以替换哈希值。

因此,真正需要的是某种 PKI,它允许开发人员签署他们的工件,并允许 Maven 验证这些签名。由于签名是使用开发人员的私钥完成的,因此当仅存储库受到损害时,签名无法被篡改。

有谁知道maven 中的状态吗?

原文

I was just pointed to a very interesting article (archived) about a security problem called
Cross Build Injection (XBI). Bascially it is a fancy name for smuggling bad code
into an application at build time via automated build systems such as ant, maven or ivy.

The problem could be alleviated by introducing a cryptographic signature validation für dependencies as it is currently in place with many operating systems for downloading packages.

To be clear: I am not talking about simply providing md5 or sha1 hashes for the artifacts. That is already done, but those hashes are stored in the same location as the artifacts. So once a malicious hacker compromises the repository and can replace the artifact they can replace the hashes as well.

So what is acutally needed is some kind of PKI, that allows the developers to sign their artifacts and maven to verify these signatures. Since the signature is done using the private key of the developer it cannot be tampered with when only the repository is compromised.

Does anyone know the state of this in maven?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

过潦 2024-09-18 09:43:18

tl;dr

Maven 中不存在的验证机制以及 POM DSL 中缺失的语言构造是严重的安全威胁。在解决 MNG-6026 之前,请使用一些方法例如 Gradle Witness

简介

到目前为止提供的答案似乎都没有解决问题。 对工件进行签名只是迈向正确方向的第一步。但是用于签署工件的密钥被认为是可信/有效的条件是非常不透明的,有时甚至很弱。例如: pgpverify-maven-pluginNexus Professional 确实验证了该工件的签名是否有效?仅从密钥服务器检索密钥并验证工件是不够的。

Sonatype 在他们的 博客文章

PGP 签名:另一个层面

在消费方面,您可以使用 Nexus Professional 中的采购
检查签名是否存在,以及在发布方面
使用 PGP 签名签署您的版本并进行 PGP 签名
在公钥服务器上可用将帮助人们仔细检查
工件和校验和是一致的。 注意:我认为还有更多
创建鼓励使用 PGP 密钥的工具需要做的工作
更重要的是,给予存储库管理员一些控制权
哪些密钥值得信任。

(重点是我的)

使用信任信息扩展项目对象模型 (POM)

我们需要的是能够对从项目或工件到声明的依赖项的信任关系进行建模。因此,如果所有相关方都声明这样的关系,我们就能够创建一条从根(例如项目)到其依赖项直至最后一个传递依赖项的“信任链”。 项目对象模型 (POM) 需要通过 进行扩展依赖项的元素。

当前情况

现在我们有类似

<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>4.0</version>
</dependency>

硬依赖的

东西对于硬依赖,>可以包含工件及其 POM 文件的 sha256sum:

<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>4.0</version>
  <verification>
    <checksum hash='sha-256'>
      <pom>[sha256 of junit pom file]</pom>
      <artifact>[sha256sum of artifact (junit.jar)]</artifact>
    </checksum>
  </verification>
</dependency>

软依赖项

如果使用软依赖项或范围依赖项,那么我们可以指定用于对工件进行签名的密钥对的公钥(或多个)

<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>[4.0,4.5)</version>
  <verification>
    <openpgp>[secure fingerprint of OpenPGP key]</openpgp>
    <!-- possible further 'openpgp' elements in case the artifacts in the
         specified version range where signed by multiple keys -->
  </verification>
</dependency>

现在呢?

感谢 peter 触发了我,我提出了 Apache Maven 的功能请求:<强>MNG-6026。让我们看看接下来会发生什么。

其他方法

Gradle Witness 对 gradle 执行类似的操作。但它有一些缺点:

  • 它构建在 gradle 之上(并构建在 POM 中)
  • 它只允许硬依赖,因为它使用哈希。

Maven Enforcer 插件 似乎也是如此。

pgpverify-maven-plugin 似乎也遵循这种方法。尽管缺少文档,但有一个 测试对于所谓的 keysMap 属性,它也是 在配置文件中显示为 keysMapLocation

tl;dr:

Non-existent verification mechanisms in Maven and missing language constructs in the POM's DSL are a serious security threat. Until MNG-6026 is addressed, use someting like Gradle Witness.

Introduction

None of the answers provided so far seem to solve the problem. Signing artifacts is only a first step into the right direction. But the condition upon which a key used to sign the artifact is considered to be trusted/valid is very opaque, and sometimes even weak. For example: How does pgpverify-maven-plugin or Nexus Professional actually verify that the signature is valid for the artifact? Just retrieving the key from keyserver and verifying the artifact is no enough.

Sonatype mentions this briefly in their blog post:

PGP Signatures: Another Level

On the consumption side, you can use Procurement in Nexus Professional
to check for the presence of a signature, and on the publishing side
signing your releases with a PGP signature and making PGP signatures
available on a public keyserver will help people double-check that
artifacts and checksums are consistent. Note: I think there’s more
work to be done to create tools that encourage the use of PGP keys
and, more importantly, give repository administrators some control
over what keys are to be trusted.

(emphasis mine)

Extending the Project Object Model (POM) with trust information

What we need is the possibility to model a trust relation from your project or artifact to the declared dependencies. So that, if all involved parties declare such a relation, we are able to create a "chain of trust" from the root (e.g. the project) over its dependencies down to the very last transitive dependency. The Project Object Model (POM) needs to be extended by a <verification/> element for dependencies.

Current Situation

Right now we have something like

<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>4.0</version>
</dependency>

Hard dependencies

For hard dependencies, <verfication/> could include the sha256sum of artifact and its POM file:

<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>4.0</version>
  <verification>
    <checksum hash='sha-256'>
      <pom>[sha256 of junit pom file]</pom>
      <artifact>[sha256sum of artifact (junit.jar)]</artifact>
    </checksum>
  </verification>
</dependency>

Soft dependencies

If soft or ranged dependencies are used, then we could specify the public key (or multiple) of the keypair used to sign the artifacts

<dependency>
  <groupId>junit</groupId>
  <artifactId>junit</artifactId>
  <version>[4.0,4.5)</version>
  <verification>
    <openpgp>[secure fingerprint of OpenPGP key]</openpgp>
    <!-- possible further 'openpgp' elements in case the artifacts in the
         specified version range where signed by multiple keys -->
  </verification>
</dependency>

And now?

Thanks to peter triggering me, I've raised a feature request for Apache Maven: MNG-6026. Let's see what happens next.

Other approaches

Gradle Witness does something similar for gradle. But it has some disadvantages:

  • It is built on top of gradle (and built in POM)
  • It does only allow hard dependencies, because it uses hashes.

The same seems to be true for the Maven Enforcer Plugin.

pgpverify-maven-plugin appearently also follows this approach. Although documentation is missing there is a test for a so called keysMap property, which also appears in the config file as keysMapLocation.

回复 原文
陪你搞怪i 2024-09-18 09:43:18

更新:下面提到的校验和确实仅用于完整性检查,并且确实与工件一起存储,因此它们不能回答问题。

实际上,需要使用 PGP 对工件进行签名,以将它们上传到与中央同步的存储库(Maven GPG 插件 可以帮助完成此步骤)。要在下载时验证签名,我们邀请您使用支持此功能的存储库管理器。来自 如何使用 Maven 生成 PGP 签名

如果您使用下载工具
来自中央 Maven 的工件
存储库,您需要确保
你正在努力验证
这些工件具有有效的 PGP
可以验证的签名
公钥服务器。如果你不这样做
验证签名,那么你就没有
保证你是什么
下载的是原版神器。
验证签名的一种方法
工件是使用存储库
像 Nexus Professional 这样的经理。在
您可以配置 Nexus Professional
采购套件检查每一个
下载有效 PGP 的工件
签名并验证签名
针对公钥服务器。

如果您正在使用以下方式开发软件
Maven,你应该生成一个PGP
为您的发布签名。
发布有效的软件
签名意味着您的客户
可以验证软件工件
由原作者生成
并且它没有被修改过
过境的任何人。最大的 OSS
像 Apache 软件一样锻造
基金会要求所有项目
由发布经理发布,其
密钥已被其他成员签名
组织的名称,如果您愿意的话
同步您的软件工件
到 Maven 中心,您需要
提供 pgp 签名

另请参阅


Maven 安装插件可以配置为创建完整性校验和(MD5、SHA-1),您可以为每个存储库配置校验和策略(请参阅 checksumPolicy)。

Maven 存储库管理器也可以/应该能够处理它们。例如,请参见:

Update: The checksums mentioned below are indeed only for integrity checks and are indeed stored with the artifacts so they don't answer the question.

Actually, one need to sign artifacts using PGP to upload them to a repository that is synced with central (the Maven GPG Plugin can help for this step). To verify signatures at download time, you are invited to use a repository manager supporting this feature. From How to Generate PGP Signatures with Maven:

If you use a tool that downloads
artifacts from the Central Maven
repository, you need to make sure that
you are making an effort to validate
that these artifacts have a valid PGP
signature that can be verified against
a public key server. If you don’t
validate signatures, then you have no
guarantee that what you are
downloading is the original artifact.
One way to to verify signatures on
artifacts is to use a repository
manager like Nexus Professional. In
Nexus Professional you can configure
the procurement suite to check every
downloaded artifact for a valid PGP
signature and validate the signature
against a public keyserver.

If you are developing software using
Maven, you should generate a PGP
signature for your releases.
Releasing software with valid
signatures means that your customers
can verify that a software artifact
was generated by the original author
and that it hasn’t been modified by
anyone in transit. Most large OSS
forges like the Apache Software
Foundation require all projects to be
released by a release manager whose
key has been signed by other members
of the organization, and if you want
to synchronize your software artifacts
to Maven central you are required to
provide pgp signatures.

See also


The Maven Install Plugin can be configured to create integrity checksums (MD5, SHA-1) and you can configure a checksum policy per repository (see checksumPolicy).

Maven repository managers can/should also be able to deal with them. See for example:
回复 原文
梦醒时光 2024-09-18 09:43:18

现在可以使用此插件在 Maven 中验证 PGP 签名: https:/ /www.simplify4u.org/pgpverify-maven-plugin/index.html

以下是如何在父 pom.xml 中配置它:

<build>
    <plugins>

        <plugin>
            <groupId>org.simplify4u.plugins</groupId>
            <artifactId>pgpverify-maven-plugin</artifactId>
            <version>1.5.1</version>
            <configuration>
                <pgpKeyServer>https://pgp.mit.edu</pgpKeyServer>
            </configuration>
            <executions>
                <execution>
                    <goals>
                        <goal>check</goal>
                    </goals>
                    <phase>install</phase>
                </execution>
            </executions>
        </plugin>           

    </plugins>

</build>

此配置将 PGP 检查绑定到 安装阶段。

如果您不想一直运行检查,请删除 元素并手动运行它,如下所示:

mvn org.simplify4u.plugins:pgpverify-maven-plugin:check

It is now possible to validate PGP signatures in maven by using this plugin: https://www.simplify4u.org/pgpverify-maven-plugin/index.html

Here's how to configure it in your parent pom.xml:

<build>
    <plugins>

        <plugin>
            <groupId>org.simplify4u.plugins</groupId>
            <artifactId>pgpverify-maven-plugin</artifactId>
            <version>1.5.1</version>
            <configuration>
                <pgpKeyServer>https://pgp.mit.edu</pgpKeyServer>
            </configuration>
            <executions>
                <execution>
                    <goals>
                        <goal>check</goal>
                    </goals>
                    <phase>install</phase>
                </execution>
            </executions>
        </plugin>           

    </plugins>

</build>

This configuration binds the PGP check to the install phase.

If you don't want to run the check all the time, remove the <executions /> element and run it manually like so:

mvn org.simplify4u.plugins:pgpverify-maven-plugin:check
回复 原文
通知家属抬走 2024-09-18 09:43:18

有一个新的 Maven 插件,它提供依赖项真实性的完整性检查。

https://github.com/chains-project/maven-lockfile

maven-lockfile能够为Maven项目创建锁文件并根据锁文件进行构建。

该版本是测试版,欢迎所有反馈。

There is a new Maven plugin which provides integrity checking of dependency authencity.

https://github.com/chains-project/maven-lockfile

maven-lockfile is able to create lockfiles for Maven projects and to build according to the lockfile.

The version is beta, all feedback is welcome.

回复 原文
墨小墨 2024-09-18 09:43:18

“这个问题可以通过引入针对依赖项的加密签名验证来缓解,因为目前许多操作系统都用于下载软件包。”

您正在寻找什么来签署您的 jar 文件。
http://download-llnw.oracle.com/ javase/1.3/docs/tooldocs/win32/jarsigner.html

您需要采取适当的措施来保护您的私钥。但如果您对这种镇静感到偏执,您可能需要了解一下 PKI(公钥基础设施)。

"The problem could be alleviated by introducing a cryptographic signature validation für dependencies as it is currently in place with many operating systems for downloading packages."

What you are looking for signing your jar files.
http://download-llnw.oracle.com/javase/1.3/docs/tooldocs/win32/jarsigner.html

You need to protect your private key with appropriate measures. But if you are paranoid about such a composure you may need to look about PKI , Public Key Infrastructures.

回复 原文
~没有更多了~

关于作者

梦途

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

烙印

文章 0 评论 0

singlesman

文章 0 评论 0

给自己一个微笑

文章 0 评论 0

独孤求败

文章 0 评论 0

晨钟暮鼓

文章 0 评论 0

我是自愿种绣球花的

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文