cocoon-dev mailing list archives

From Didier Schlegel <didier.schle...@bluewin.ch>
Subject PGP signatures of avalon-framework
Date Wed, 26 Sep 2018 09:32:56 GMT
Dear developers,

after reading this article 
(http://branchandbound.net/blog/security/2012/03/crossbuild-injection-how-safe-is-your-build/)

about cross-build injection attacks I decided to give the 
pgpverify-maven-plugin 
(https://www.simplify4u.org/pgpverify-maven-plugin/index.html) a try.

We use Apache FOP in our project and two transitive dependencies of FOP 
2.3 did not pass the PGP verification:
  - org.apache.avalon.framework:avalon-framework-api:jar:4.3.1
  - org.apache.avalon.framework:avalon-framework-impl:jar:4.3.1
both retrieved from maven central 
(https://repo1.maven.org/maven2/org/apache/avalon/framework/avalon-framework-impl/4.3.1/)

[WARNING] org.apache.avalon.framework:avalon-framework-api:jar:4.3.1 PGP Signature ERROR
        KeyId: 0xD0ACAD776E6D31C6 UserIds: [Jorg Heymans (CODE SIGNING KEY) <jheymans@apache.org>]
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-api\4.3.1\avalon-framework-api-4.3.1.jar
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-api\4.3.1\avalon-framework-api-4.3.1.jar.asc
[WARNING] org.apache.avalon.framework:avalon-framework-impl:jar:4.3.1 PGP Signature ERROR
        KeyId: 0xD0ACAD776E6D31C6 UserIds: [Jorg Heymans (CODE SIGNING KEY) <jheymans@apache.org>]
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-impl\4.3.1\avalon-framework-impl-4.3.1.jar
[WARNING] C:\Users\didier\.m2\repository\org\apache\avalon\framework\avalon-framework-impl\4.3.1\avalon-framework-impl-4.3.1.jar.asc

According to the pgpverify plugin these two libraries are not correctly 
signed. Is there a way to replace them with a correctly signed version? 
If not, and if they are considered trustworthy, maybe it would be better 
to remove the signature file from the maven repository as it does not match.

I contacted Jorg Heymans about this and he told me to contact this 
cocoon developer mailing list.

Sincerely,

Didier Schlegel
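A way to inspect which key a Maven Central .asc claims to be signed by, without gpg, as an added example that is not part of this message or of the pgpverify plugin: a standard-library Python parser for a detached OpenPGP v4 signature laid out as in RFC 4880. `inspect_signature`, `dearmor`, `subpackets`, `crc24` and `constructed_sample` are hypothetical names; the sample signature is constructed inline, reusing only the key ID from the warnings above, so it parses but would never verify, and the parser itself does not verify anything (that still needs gpg or an OpenPGP library).

```python
import base64, struct

def crc24(data):  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8): crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text):
    """Strip ASCII armor (header lines, CRC24 line) and return the raw packet bytes."""
    body = text.replace("\r", "").split("\n\n", 1)[1].rsplit("-----END", 1)[0].split()
    crc_line = body.pop() if body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if crc_line and crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC24 mismatch: .asc is corrupted or truncated")
    return data

def subpackets(area):  # yield (type, data) pairs; 1- and 2-octet lengths, RFC 4880 5.2.3.1
    i = 0
    while i < len(area):
        assert area[i] != 255, "5-octet subpacket length not handled"
        n, i = (area[i], i + 1) if area[i] < 192 else (((area[i] - 192) << 8) + area[i + 1] + 192, i + 2)
        yield area[i] & 0x7F, area[i + 1:i + n]
        i += n

def inspect_signature(asc_text):
    """Parse a v4 signature packet with an old-format header (what gpg writes)."""
    data = dearmor(asc_text)
    if data[0] & 0xC0 != 0x80 or (data[0] >> 2) & 0x0F != 2 or data[0] & 3 == 3:
        raise ValueError("expected an old-format signature packet (tag 2) of definite length")
    n = 1 << (data[0] & 3)                     # body length field is 1, 2 or 4 octets
    body = data[1 + n:1 + n + int.from_bytes(data[1:1 + n], "big")]
    if body[0] != 4: raise ValueError("only v4 signatures handled, got v%d" % body[0])
    info = {"sig_type": body[1], "pubkey_algo": body[2], "hash_algo": body[3]}
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    # Issuer usually sits in the unhashed area, which the signature does not cover: a lookup hint, not proof.
    for kind, d in subpackets(body[6:6 + hlen] + body[8 + hlen:8 + hlen + ulen]):
        if kind == 16: info["key_id"] = "0x" + d.hex().upper()
    return info

def constructed_sample():
    """Constructed, non-verifiable .asc reusing the key ID reported above (dummy MPI)."""
    subs = b"\x05\x02" + struct.pack(">I", 1136073600), b"\x09\x10" + bytes.fromhex("D0ACAD776E6D31C6")
    body = b"\x04\x00\x01\x02" + b"".join(struct.pack(">H", len(s)) + s for s in subs) + b"\xab\xcd\x00\x08\x9f"
    pkt = b"\x88" + bytes([len(body)]) + body  # old-format header: tag 2, 1-octet length
    crc = base64.b64encode(crc24(pkt).to_bytes(3, "big")).decode()
    return "-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n%s\n=%s\n-----END PGP SIGNATURE-----\n" % (
        base64.b64encode(pkt).decode(), crc)
```

Running `inspect_signature` over the .jar.asc files listed in the warnings tells you whether they name the key pgpverify reported, which is the first thing to compare before asking whether the key or the artifact is the one that changed.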

