Maven: verify the signatures of downloaded pom/jar files

Posted 2024-11-18 10:27:16 · 810 characters · 4 views · 0 comments

I was trying to find if there is an SSL-enabled central repository, but there probably isn't. I noticed that there are signatures for every jar and pom file in the Maven central repository. So at least I'd like to check the signatures of all files Maven downloads (pom/jar).

The example from http://repo1.maven.org/maven2/org/apache/ant/ant/1.8.2/:

ant-1.8.2.jar
ant-1.8.2.jar.asc
ant-1.8.2.jar.asc.md5
ant-1.8.2.jar.asc.sha1
ant-1.8.2.jar.md5
ant-1.8.2.jar.sha1
ant-1.8.2.pom
ant-1.8.2.pom.asc
ant-1.8.2.pom.asc.md5
ant-1.8.2.pom.asc.sha1
ant-1.8.2.pom.md5
ant-1.8.2.pom.sha1

I realize that I'll have to import public keys for every repository and I'm fine with that. I guess that public keys for maven central are here https://svn.apache.org/repos/asf/maven/project/KEYS.

There are PLENTY of tutorials on the web on how to sign with Maven. However, I didn't find any information on how to force Maven (2 or 3) to verify the signatures of downloaded jar/pom files. Is it possible?

(Nexus Professional is not an option)

Thank you for help.

Comments (4)

很酷不放纵 2024-11-25 10:27:16

Now that people seem to realize this is a real security problem (as described in this blog post (the blog seems down; here is an archived version of the blog)), there is a plugin for verifying PGP signatures. You can verify the signatures for all dependencies of your project with the following command:

mvn org.simplify4u.plugins:pgpverify-maven-plugin:check

Of course, to be 100% sure the plugin is not malicious by itself, you would have to download and verify the source for the plugin from Maven Central, build it with Maven, and execute it. (And this should also be done with all the dependencies and plugins that are needed for the build, recursively.)

Or you use Maven 3.2.3 or above (with a clean repository), which uses TLS for downloading all artefacts. Thus man-in-the-middle attacks are impossible, and you get at least the artefacts as they are on Maven Central.

See also:

等风也等你 2024-11-25 10:27:16

Could you write a bash shell script using GnuPG to verify each sig?

Something like:
for x in *.jar; do gpg --verify "${x}".asc; done

Obviously, you would need the public keys for all the sigs before you started.
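The one-liner above only covers the jars in the current directory and stops reporting once gpg prints its result. As an added example (not part of this answer or of any Maven project), here is the same idea carried through for a whole local repository: it walks a tree laid out like Central (groupId/artifactId/version/), checks each .jar and .pom against its .sha1 sidecar, runs `gpg --verify` against its .asc sidecar, and lists artifacts that carry no signature at all. It assumes gpg is on PATH and that the signing keys (for instance from the KEYS file mentioned in the question) have already been imported into the local keyring; the `make_sample_repository` helper writes constructed files so the script can be tried without touching a real ~/.m2.

```python
#!/usr/bin/env python3
"""Audit a local Maven repository for signed and checksum-consistent artifacts.

Walks a repository tree laid out like Central (groupId/artifactId/version/)
and, for every .jar and .pom:
  * compares the artifact against its .sha1 sidecar, if one exists;
  * runs `gpg --verify` against its .asc sidecar, if one exists;
  * flags artifacts that carry no .asc at all, so unsigned dependencies
    are reported rather than silently accepted.
Assumes gpg is on PATH and the signing keys (e.g. from the KEYS file) are
already imported into the local keyring.
"""
import hashlib
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

ARTIFACT_SUFFIXES = (".jar", ".pom")


def sha1_of(path: Path) -> str:
    """Hex SHA-1 of a file, read in chunks so large jars are not loaded whole."""
    digest = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_ok(artifact: Path) -> Optional[bool]:
    """True/False when a .sha1 sidecar exists and matches/mismatches, None when absent.

    Sidecars occur both as a bare hex digest and in sha1sum style
    ('<digest>  <filename>'); the first token is the digest either way.
    """
    sidecar = artifact.with_name(artifact.name + ".sha1")
    if not sidecar.exists():
        return None
    tokens = sidecar.read_text().split()
    expected = tokens[0].lower() if tokens else ""
    return expected == sha1_of(artifact)


def signature_ok(artifact: Path) -> Optional[bool]:
    """True/False when a .asc sidecar exists and gpg accepts/rejects it, None when absent.

    gpg exits 0 only for a good signature made by a key in the keyring; an
    unknown key or a bad signature gives a non-zero exit.
    """
    sidecar = artifact.with_name(artifact.name + ".asc")
    if not sidecar.exists():
        return None
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found on PATH")
    result = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--verify", str(sidecar), str(artifact)],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    return result.returncode == 0


def audit_repository(root: Path, run_gpg: bool = True) -> Dict[str, List[str]]:
    """Classify every .jar/.pom under root. run_gpg=False skips the gpg call;
    the checksum and presence-of-signature checks still run."""
    report: Dict[str, List[str]] = {"ok": [], "bad_checksum": [], "bad_signature": [], "unsigned": []}
    for artifact in sorted(root.rglob("*")):
        if not artifact.is_file() or artifact.suffix not in ARTIFACT_SUFFIXES:
            continue
        rel = artifact.relative_to(root).as_posix()
        if checksum_ok(artifact) is False:
            report["bad_checksum"].append(rel)
            continue
        if not artifact.with_name(artifact.name + ".asc").exists():
            report["unsigned"].append(rel)
            continue
        if run_gpg and not signature_ok(artifact):
            report["bad_signature"].append(rel)
            continue
        report["ok"].append(rel)
    return report


def make_sample_repository() -> Path:
    """Constructed sample data (not real Central content) for a stand-alone run."""
    root = Path(tempfile.mkdtemp(prefix="m2-sample-"))
    ant = root / "org" / "apache" / "ant" / "ant" / "1.8.2"
    ant.mkdir(parents=True)
    jar = ant / "ant-1.8.2.jar"
    jar.write_bytes(b"PK\x03\x04 constructed jar bytes")
    (ant / "ant-1.8.2.jar.sha1").write_text(sha1_of(jar))        # bare-digest sidecar
    (ant / "ant-1.8.2.jar.asc").write_text("-----BEGIN PGP SIGNATURE-----\n"
                                           "(constructed placeholder)\n"
                                           "-----END PGP SIGNATURE-----\n")
    pom = ant / "ant-1.8.2.pom"
    pom.write_bytes(b"<project>constructed</project>")
    (ant / "ant-1.8.2.pom.sha1").write_text("0" * 40)            # deliberately wrong digest
    lib = root / "com" / "example" / "lib" / "1.0"
    lib.mkdir(parents=True)
    unsigned = lib / "lib-1.0.jar"
    unsigned.write_bytes(b"constructed jar with no .asc")
    (lib / "lib-1.0.jar.sha1").write_text(f"{sha1_of(unsigned)}  lib-1.0.jar\n")  # sha1sum style
    return root


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".m2" / "repository"
    report = audit_repository(root)
    for key in ("bad_checksum", "bad_signature", "unsigned"):
        for rel in report[key]:
            print(f"{key}: {rel}")
    print(f"{len(report['ok'])} artifacts passed checksum and signature checks")
    sys.exit(1 if report["bad_checksum"] or report["bad_signature"] else 0)
```

Run it with no argument to audit ~/.m2/repository, or pass another root. Two points the script makes visible: the .sha1 sidecar is served by the same host as the artifact, so a mismatch catches a corrupt or truncated download but not a mirror that rewrote both files, which is why the .asc check is the one that matters; and a gpg exit status of 0 only says that some key in your keyring made the signature, so importing keys from the project's KEYS file is the step where you decide whom to trust.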

奈何桥上唱咆哮 2024-11-25 10:27:16

SSL access to Central is now available for a token payment. From https://blog.sonatype.com/people/2012/10/now-available-ssl-connectivity-to-central/:

We’re making SSL connectivity to Central available to anyone that downloads open source components regardless of the repository manager.

...

In order to ensure the highest level of performance for those who count on SSL, we are securing the service with a token. You can get a token for your organization simply by providing a $10 donation that will be donated to open source causes.

柠檬 2024-11-25 10:27:16

Assuming you only want to download artifacts with valid checksums, one option would be to run the OSS version of Nexus and configure it to have a proxy of Central. Then configure your settings.xml to only load from your repo (the mirror tag in settings.xml). You can then configure Nexus to only allow artifacts that have a valid checksum.
