cocoon-dev mailing list archives

From Cédric Damioli <cdami...@apache.org>
Subject Re: PGP signatures of avalon-framework
Date Wed, 26 Sep 2018 15:58:01 GMT
Hi Didier,

The Avalon project (http://avalon.apache.org) has been dead since 2004 and has 
moved to the Attic.
It's very unlikely that there will ever be a new release.

I just tested with the mentioned jar, and it seems that the signature is 
indeed invalid.
BTW, Maven Central also hosts other avalon-framework versions, which are 
unsigned.
And I also found well-signed versions at 
http://archive.apache.org/dist/excalibur/avalon-framework/binaries/, but 
it's not exactly the same version.

Moreover, from what I found in the public Apache SVN repos, it seems 
that the 4.3.1 version only exists in an "excalibur-first-maven2-release" 
tag, maybe meaning that this version has been built only to be present 
on Maven Central.

In any case, here at Cocoon, we don't maintain this library, we only use it.

Cédric



On 26/09/2018 at 11:32, Didier Schlegel wrote:
>
> Dear developers,
>
> After reading this article 
> (http://branchandbound.net/blog/security/2012/03/crossbuild-injection-how-safe-is-your-build/)
> about cross-build injection attacks I decided to give the 
> pgpverify-maven-plugin 
> (https://www.simplify4u.org/pgpverify-maven-plugin/index.html) a try.
>
> We use Apache FOP in our project and two transitive dependencies of 
> FOP 2.3 did not pass the PGP verification:
>  - org.apache.avalon.framework:avalon-framework-api:jar:4.3.1
>  - org.apache.avalon.framework:avalon-framework-impl:jar:4.3.1
> both retrieved from Maven Central 
> (https://repo1.maven.org/maven2/org/apache/avalon/framework/avalon-framework-impl/4.3.1/)
>
> [WARNING] org.apache.avalon.framework:avalon-framework-api:jar:4.3.1 
> PGP Signature ERROR
>        KeyId: 0xD0ACAD776E6D31C6 UserIds: [Jorg Heymans (CODE SIGNING 
> KEY) <jheymans@apache.org>]
> [WARNING] 
> C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-api\4.3.1\avalon-framework-api-4.3.1.jar
> [WARNING] 
> C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-api\4.3.1\avalon-framework-api-4.3.1.jar.asc
> [WARNING] org.apache.avalon.framework:avalon-framework-impl:jar:4.3.1 
> PGP Signature ERROR
>        KeyId: 0xD0ACAD776E6D31C6 UserIds: [Jorg Heymans (CODE SIGNING 
> KEY) <jheymans@apache.org>]
> [WARNING] 
> C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-impl\4.3.1\avalon-framework-impl-4.3.1.jar
> [WARNING] 
> C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-impl\4.3.1\avalon-framework-impl-4.3.1.jar.asc
>
> According to the pgpverify plugin these two libraries are not 
> correctly signed. Is there a way to replace them with a correctly 
> signed version? If not and if they are considered as trustful, maybe 
> it would be better to remove the signature file from the maven 
> repository as it does not match.
>
> I contacted Jorg Heymans about this and he told me to contact this 
> cocoon developer mailing list.
>
> Sincerely,
>
> Didier Schlegel
>

-- 
Cédric Damioli
CMS - Java - Open Source
www.ametys.org
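As an added illustration (not code from this thread, from Cocoon, or from the pgpverify plugin), here is a script that walks a local Maven repository and classifies each jar the way the two situations in the thread differ: a `.asc` that is present but does not verify, versus no `.asc` at all. It assumes `gpg` is on PATH with the publishers' public keys already imported; the sample repository tree, its `9.9.9-sample` version and the file contents are constructed placeholders.

```python
import subprocess
import tempfile
from pathlib import Path

# Assumption: gpg is on PATH and the publishers' public keys are already imported.
GPG_VERIFY = ["gpg", "--batch", "--no-tty", "--status-fd", "1", "--verify"]


def gpg_verify(asc: Path, jar: Path) -> bool:
    """True only if gpg emits GOODSIG for the detached signature over the jar."""
    proc = subprocess.run(GPG_VERIFY + [str(asc), str(jar)],
                          capture_output=True, text=True)
    # With --status-fd 1 a good signature is reported as "[GNUPG:] GOODSIG <keyid> <uid>".
    return any(line.startswith("[GNUPG:] GOODSIG ") for line in proc.stdout.splitlines())


def audit_m2(repo_root, verify=gpg_verify):
    """Map each jar (POSIX path relative to repo_root) to 'valid', 'invalid' or 'unsigned'.
    'invalid' is the thread's case (a .asc exists but does not match the jar)."""
    repo_root = Path(repo_root)
    results = {}
    for jar in sorted(repo_root.rglob("*.jar")):
        asc = jar.with_name(jar.name + ".asc")
        rel = jar.relative_to(repo_root).as_posix()
        if not asc.is_file():
            results[rel] = "unsigned"
        else:
            results[rel] = "valid" if verify(asc, jar) else "invalid"
    return results


def build_sample_repo() -> Path:
    """Constructed fixture: a tiny ~/.m2-style tree with one signed and one unsigned jar.
    Contents are placeholder bytes, not real jars or signatures, so pair it with a stub verifier."""
    root = Path(tempfile.mkdtemp(prefix="m2-audit-"))
    api = root / "org/apache/avalon/framework/avalon-framework-api"
    signed = api / "4.3.1" / "avalon-framework-api-4.3.1.jar"
    unsigned = api / "9.9.9-sample" / "avalon-framework-api-9.9.9-sample.jar"  # constructed version
    for jar in (signed, unsigned):
        jar.parent.mkdir(parents=True)
        jar.write_bytes(b"PK\x03\x04")  # constructed placeholder bytes
    signed.with_name(signed.name + ".asc").write_text("-----BEGIN PGP SIGNATURE-----\n")
    return root


if __name__ == "__main__":
    # Real run over the developer's local repository, using gpg for verification.
    for path, status in audit_m2(Path.home() / ".m2" / "repository").items():
        if status != "valid":
            print(f"[WARNING] {status}: {path}")
```

A signed-but-invalid jar deserves the same response as an unsigned one: do not trust it until the publisher confirms which artifact and signature are authentic.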

