PGP Signature of Artifacts Validation

PGP Signature of Artifacts Validation

Chad La Joie
I know about, and use, the plugin for creating PGP signatures of
artifacts.  Is there a mechanism to validate the signatures of incoming
dependencies?
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: PGP Signature of Artifacts Validation

Wendy Smoak
On Wed, Apr 23, 2008 at 12:29 PM, Chad La Joie <[hidden email]> wrote:
> I know about, and use, the plugin for creating PGP signatures of artifacts.
> Is there a mechanism to validate the signatures of incoming dependencies?

Not at present.  The first thing I'd like to see is a goal added to
the plugin that can check the signature for a single artifact.

Checking signatures as artifacts are proxied is also a good feature
for a repository manager.  I know we've talked about it for Archiva.

Do you have an opinion on where the signature file ought to come from?
I've collected two opinions, one that the signature should only be
downloaded from a trusted source (even if the artifact comes from a
mirror), and the other that it doesn't matter because you'd use the
web of trust built up by cross-signed keys to determine whether or not
to accept the artifact.

--
Wendy

Re: PGP Signature of Artifacts Validation

Chad La Joie

Wendy Smoak wrote:
> On Wed, Apr 23, 2008 at 12:29 PM, Chad La Joie <[hidden email]> wrote:
>> I know about, and use, the plugin for creating PGP signatures of artifacts.
>> Is there a mechanism to validate the signatures of incoming dependencies?
>
> Not at present.  The first thing I'd like to see is a goal added to
> the plugin that can check the signature for a single artifact.

Yep, agreed.

> Checking signatures as artifacts are proxied is also a good feature
> for a repository manager.  I know we've talked about it for Archiva.

Also agree.

> Do you have an opinion on where the signature file ought to come from?

In our projects (e.g. [1]) I upload the signatures to our repository,
just like the MD5/SHA-1 hashes (which I have a question about but will
send in another email).  My understanding was that Maven was checking
these hashes when it pulled down the dependency.  Assuming my
understanding is correct, it seemed reasonable that it might check the
signature in the same manner.

> I've collected two opinions, one that the signature should only be
> downloaded from a trusted source (even if the artifact comes from a
> mirror), and the other that it doesn't matter because you'd use the
> web of trust built up by cross-signed keys to determine whether or not
> to accept the artifact.

I work on a project where signature validation and trust of the
validating credential are completely separate concerns.  So, for me, the
second option seems like the only reasonable approach.  I don't think
you can "trust" anything just because of where it comes from.

[1]
http://shibboleth.internet2.edu/downloads/maven2/org/opensaml/xmltooling/1.0.1

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch
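The two separate gates Chad describes above (is the signature cryptographically valid, and is the signing key one we trust), as an added Python example that is not part of this thread and not Maven's or the plugin's own code. It models Maven's `.sha1` sidecar check with hashlib, reads constructed `gpg --status-fd` output for the validity question, and takes the trust decision from a pinned set of key fingerprints (placeholder values), independent of which host served the `.asc` file.

```python
import hashlib

# Constructed sample inputs (not from the thread): an artifact, its Maven-style
# .sha1 sidecar, and gpg --status-fd output for a good and a bad signature.
ARTIFACT = b"PK\x03\x04 placeholder jar bytes for the example\n"
SHA1_SIDECAR = hashlib.sha1(ARTIFACT).hexdigest() + "  xmltooling-1.0.1.jar\n"
SIGNER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder fingerprint
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    f"[GNUPG:] VALIDSIG {SIGNER_FPR} 2008-04-23 1208950000 0 4 0 1 10 00 {SIGNER_FPR}\n"
)
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"

# Keys we have decided to trust, pinned by full fingerprint. This decision is
# taken here, not inferred from where the artifact or its .asc was downloaded.
TRUSTED_FINGERPRINTS = {SIGNER_FPR}


def checksum_matches(artifact: bytes, sidecar: str, algo: str = "sha1") -> bool:
    """Gate 1: Maven's .sha1/.md5 sidecar check. The file holds the hex digest,
    optionally followed by a filename; digest case is not significant."""
    digest = sidecar.strip().split()[0].lower()
    return hashlib.new(algo, artifact).hexdigest() == digest


def parse_gpg_status(status_output: str):
    """Gate 2a: read `gpg --status-fd 1 --verify` output -> (valid, fingerprint).
    Answers only whether the signature is good, nothing about key trust."""
    valid, fingerprint = False, None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "VALIDSIG":           # first field after VALIDSIG is the fingerprint
            valid, fingerprint = True, fields[2].upper()
        elif fields[1] in ("BADSIG", "ERRSIG"):
            return False, None
    return valid, fingerprint


def accept_artifact(artifact: bytes, sidecar: str, gpg_status: str,
                    trusted=TRUSTED_FINGERPRINTS) -> str:
    """Gate 2b: key trust, kept separate from signature validity."""
    if not checksum_matches(artifact, sidecar):
        return "reject: checksum mismatch"
    valid, fpr = parse_gpg_status(gpg_status)
    if not valid:
        return "reject: bad or missing signature"
    if fpr not in trusted:
        return "reject: valid signature from untrusted key " + fpr
    return "accept"
```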

