ssl - Maven verify signatures of downloaded pom/jar files -


i trying find if there ssl enabled central repository there isn't. noticed there signatures every jar , pom file in maven central repository. @ least i'd check signatures of maven downloaded files (pom/jar).

the example http://repo1.maven.org/maven2/org/apache/ant/ant/1.8.2/:

ant-1.8.2.jar ant-1.8.2.jar.asc ant-1.8.2.jar.asc.md5 ant-1.8.2.jar.asc.sha1 ant-1.8.2.jar.md5 ant-1.8.2.jar.sha1 ant-1.8.2.pom ant-1.8.2.pom.asc ant-1.8.2.pom.asc.md5 ant-1.8.2.pom.asc.sha1 ant-1.8.2.pom.md5 ant-1.8.2.pom.sha1

i realize i'll have import public keys every repository , i'm fine that. guess public keys maven central here https://svn.apache.org/repos/asf/maven/project/keys.

there plenty of tutorials on web on how sign maven. didn't find information on how force maven (2 or 3) verify signatures of downloaded jar/pom files. possible?

(nexus professional not option)

thank help.

now, people seem realize real security problem (as described in this blog-post (the blog seems down, here archived version of blog)), there plugin verifying pgp signatures. can verify signatures dependencies of project following command:

mvn com.github.s4u.plugins:pgpverify-maven-plugin:check

of course, 100% sure plugin not malicious itself, have download , verify source plugin maven central, build maven, , execute it. (and should done dependencies , plugins needed build, recursively.)

or use maven 3.2.3 or above (with clean repository), uses ssl downloading artefacts. man-in-the-middle attacks impossible , @ least artefacts on maven central.

see also:


Comments

Post a Comment

Popular posts from this blog

c++ - Is it possible to compile a VST on linux? -

for class project i'm attempting write vst plugin backed cuda. current cuda workflow on linux box, i'd prefer compile , link there. according wikipedia , should possible (i couldn't find steinberg documentation relevant linux) can't find makefile or instructions on how build if aren't using xcode or visual studio. i'm vst 3 sdk doesn't support linux. when try compile plugin under linux, error: ./base/source/fatomic.cpp:39:30: fatal error: libkern/osatomic.h: no such file or directory this issue caused following code in "vst3 sdk/base/source/fatomic.cpp" #if mac #include <libkern/osatomic.h> #if mac_os_x_version_min_required > mac_os_x_version_10_4 #define native_atomic_type (volatile int32_t*) #else #define native_atomic_type (int32_t*) #endif #elif windows #include <windows.h> #endif but hope compiling under linux work vst sdk 2.4. reading. jvstwrapper seems run on lin...
Read more

java - Output of Eclipse is rubbish -

i want write program in eclipse language different english. when display output using system.out program, displays output correctly in console editor. when accept input console , output it, output rubbish. how can solve it. many thnaks i'm not sure if problem, have character encoding problem. make sure you're using unicode, utf-8. you can read more @ official docs converting non-unicode text .
Read more

jquery - Confused with JSON data and normal data in Django ajax request -

i read json internet still have not got grasp of it. reading article http://webcloud.se/log/ajax-in-django-with-jquery/ i not understood first part function using json def xhr_test(request, format): if request.is_ajax(): if format == 'xml': mimetype = 'application/xml' if format == 'json': mimetype = 'application/javascript' data = serializers.serialize(format, examplemodel.objects.all()) return httpresponse(data,mimetype) # if want prevent non xhr calls else: return httpresponse(status=400) my main problems are from function getting format variable does format json mean data given function json or data recived json can give me simple example ouput of function data = serializers.serialize(format, examplemodel.objects.all()) how use data when response in jquery function if don't use json in above function how input , response chnage thanks ...
Read more