Thursday, November 16, 2017

PGP verification of Maven artifacts

I run the following commands:

git clone https://github.com/gabrielf/maven-samples
cd maven-samples
mvn com.github.s4u.plugins:pgpverify-maven-plugin:check

and I get these interesting results:

Downloading: https://repo.maven.apache.org/maven2/junit/junit-dep/4.10/junit-dep-4.10.jar.asc
[WARNING] Could not validate integrity of download from https://repo.maven.apache.org/maven2/junit/junit-dep/4.10/junit-dep-4.10.jar.asc: Checksum validation failed, no checksums available
[WARNING] Checksum validation failed, no checksums available for https://repo.maven.apache.org/maven2/junit/junit-dep/4.10/junit-dep-4.10.jar.asc
Downloaded: https://repo.maven.apache.org/maven2/junit/junit-dep/4.10/junit-dep-4.10.jar.asc (535 B at 3.2 kB/s)
Downloading: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.2.1/hamcrest-core-1.2.1.jar.asc
[WARNING] Could not validate integrity of download from https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.2.1/hamcrest-core-1.2.1.jar.asc: Checksum validation failed, no checksums available
[WARNING] Checksum validation failed, no checksums available for https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.2.1/hamcrest-core-1.2.1.jar.asc
Downloaded: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.2.1/hamcrest-core-1.2.1.jar.asc (832 B at 5.7 kB/s)
Downloading: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-library/1.2.1/hamcrest-library-1.2.1.jar.asc
[WARNING] Could not validate integrity of download from https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-library/1.2.1/hamcrest-library-1.2.1.jar.asc: Checksum validation failed, no checksums available
[WARNING] Checksum validation failed, no checksums available for https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-library/1.2.1/hamcrest-library-1.2.1.jar.asc
Downloaded: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-library/1.2.1/hamcrest-library-1.2.1.jar.asc (832 B at 4.5 kB/s)
Downloading: https://repo.maven.apache.org/maven2/org/mockito/mockito-core/1.8.5/mockito-core-1.8.5.jar.asc
[WARNING] No signature for org.mockito:mockito-core:jar:1.8.5
Downloading: https://repo.maven.apache.org/maven2/org/objenesis/objenesis/1.0/objenesis-1.0.jar.asc
[WARNING] Could not validate integrity of download from https://repo.maven.apache.org/maven2/org/objenesis/objenesis/1.0/objenesis-1.0.jar.asc: Checksum validation failed, no checksums available
[WARNING] Checksum validation failed, no checksums available for https://repo.maven.apache.org/maven2/org/objenesis/objenesis/1.0/objenesis-1.0.jar.asc
Downloaded: https://repo.maven.apache.org/maven2/org/objenesis/objenesis/1.0/objenesis-1.0.jar.asc (189 B at 1.4 kB/s)
Downloading: https://repo.maven.apache.org/maven2/org/objenesis/objenesis/1.0/objenesis-1.0.pom.asc
[WARNING] Could not validate integrity of download from https://repo.maven.apache.org/maven2/org/objenesis/objenesis/1.0/objenesis-1.0.pom.asc: Checksum validation failed, no checksums available
[WARNING] Checksum validation failed, no checksums available for https://repo.maven.apache.org/maven2/org/objenesis/objenesis/1.0/objenesis-1.0.pom.asc
Downloaded: https://repo.maven.apache.org/maven2/org/objenesis/objenesis/1.0/objenesis-1.0.pom.asc (189 B at 1.3 kB/s)
Downloading: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-library/1.2.1/hamcrest-library-1.2.1.pom.asc
[WARNING] Could not validate integrity of download from https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-library/1.2.1/hamcrest-library-1.2.1.pom.asc: Checksum validation failed, no checksums available
[WARNING] Checksum validation failed, no checksums available for https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-library/1.2.1/hamcrest-library-1.2.1.pom.asc
Downloaded: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-library/1.2.1/hamcrest-library-1.2.1.pom.asc (832 B at 5.1 kB/s)
Downloading: https://repo.maven.apache.org/maven2/org/mockito/mockito-core/1.8.5/mockito-core-1.8.5.pom.asc
[WARNING] No signature for org.mockito:mockito-core:pom:1.8.5
Downloading: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.2.1/hamcrest-core-1.2.1.pom.asc
[WARNING] Could not validate integrity of download from https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.2.1/hamcrest-core-1.2.1.pom.asc: Checksum validation failed, no checksums available
[WARNING] Checksum validation failed, no checksums available for https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.2.1/hamcrest-core-1.2.1.pom.asc
Downloaded: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.2.1/hamcrest-core-1.2.1.pom.asc (832 B at 4.6 kB/s)
Downloading: https://repo.maven.apache.org/maven2/junit/junit-dep/4.10/junit-dep-4.10.pom.asc
[WARNING] Could not validate integrity of download from https://repo.maven.apache.org/maven2/junit/junit-dep/4.10/junit-dep-4.10.pom.asc: Checksum validation failed, no checksums available
[WARNING] Checksum validation failed, no checksums available for https://repo.maven.apache.org/maven2/junit/junit-dep/4.10/junit-dep-4.10.pom.asc
Downloaded: https://repo.maven.apache.org/maven2/junit/junit-dep/4.10/junit-dep-4.10.pom.asc (535 B at 3.0 kB/s)
[INFO] Receive key: 5A01BE76E757922C to d:\pierre\.m2\repository\pgpkeys-cache\5A\01\5A01BE76E757922C.asc
[INFO] org.hamcrest:hamcrest-core:jar:1.2.1 PGP Signature OK
KeyId: 0x5A01BE76E757922C UserIds: [Marc von Renteln ]
[INFO] Receive key: 7C7D8456294423BA to d:\pierre\.m2\repository\pgpkeys-cache\7C\7D\7C7D8456294423BA.asc
[INFO] org.objenesis:objenesis:pom:1.0 PGP Signature OK
KeyId: 0x7C7D8456294423BA UserIds: [Henri Tremblay ]
[INFO] org.hamcrest:hamcrest-library:jar:1.2.1 PGP Signature OK
KeyId: 0x5A01BE76E757922C UserIds: [Marc von Renteln ]
[INFO] org.objenesis:objenesis:jar:1.0 PGP Signature OK
KeyId: 0x7C7D8456294423BA UserIds: [Henri Tremblay ]
[INFO] org.hamcrest:hamcrest-library:pom:1.2.1 PGP Signature OK
KeyId: 0x5A01BE76E757922C UserIds: [Marc von Renteln ]
[INFO] org.hamcrest:hamcrest-core:pom:1.2.1 PGP Signature OK
KeyId: 0x5A01BE76E757922C UserIds: [Marc von Renteln ]
[INFO] Receive key: 88AA1FEE831A7E89 to d:\pierre\.m2\repository\pgpkeys-cache\88\AA\88AA1FEE831A7E89.asc
[INFO] junit:junit-dep:jar:4.10 PGP Signature OK
KeyId: 0x88AA1FEE831A7E89 UserIds: [David Saff ]
[INFO] junit:junit-dep:pom:4.10 PGP Signature OK
KeyId: 0x88AA1FEE831A7E89 UserIds: [David Saff ]

In fact, as reported by http://branchandbound.net/blog/security/2012/08/verify-dependencies-using-pgp/ , only 2 percent of companies verify PGP signatures, and a signature has been mandatory on Maven Central only for the last 3 years, so old components most of the time have NO SIGNATURE! The run above shows one such case: both the jar and the pom of org.mockito:mockito-core:1.8.5 produce a "No signature" warning, while the plugin still finishes without failing the build.
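To turn those warnings into a build gate, here is an added Python example (not the plugin's own code) that parses output in the format printed above and flags every artifact that is unsigned or signed by a key outside an allow-list. The sample log, the cache path in it and the allow-list are constructed for the example.

```python
import re

# Constructed sample in the pgpverify-maven-plugin output format shown above:
# two signed artifacts (two different keys) and an unsigned jar + pom.
SAMPLE_LOG = """\
[WARNING] No signature for org.mockito:mockito-core:jar:1.8.5
[INFO] Receive key: 5A01BE76E757922C to /home/user/.m2/repository/pgpkeys-cache/5A/01/5A01BE76E757922C.asc
[INFO] org.hamcrest:hamcrest-core:jar:1.2.1 PGP Signature OK
KeyId: 0x5A01BE76E757922C UserIds: [Marc von Renteln ]
[WARNING] No signature for org.mockito:mockito-core:pom:1.8.5
[INFO] junit:junit-dep:jar:4.10 PGP Signature OK
KeyId: 0x88AA1FEE831A7E89 UserIds: [David Saff ]
"""

OK_RE = re.compile(r"^\[INFO\] (\S+) PGP Signature OK$")
KEY_RE = re.compile(r"^KeyId: 0x([0-9A-F]{16}) UserIds: \[(.*)\]$")
NOSIG_RE = re.compile(r"^\[WARNING\] No signature for (\S+)$")


def parse_report(log_text):
    """Map each artifact coordinate to its verification status and, when OK,
    the long key id and user ids printed on the following KeyId line."""
    report = {}
    pending = None  # artifact whose KeyId line has not been seen yet
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := OK_RE.match(line):
            pending = m.group(1)
            report[pending] = {"status": "OK", "key_id": None, "user_ids": None}
        elif m := KEY_RE.match(line):
            if pending is not None:
                report[pending]["key_id"] = m.group(1)
                report[pending]["user_ids"] = m.group(2).strip()
                pending = None
        elif m := NOSIG_RE.match(line):
            report[m.group(1)] = {"status": "NO_SIGNATURE", "key_id": None, "user_ids": None}
    return report


def gate(report, allowed_key_ids):
    """Return the list of policy failures: unsigned artifacts, and artifacts
    signed by a key that is not in the allow-list. An empty list means pass."""
    failures = []
    for artifact, info in sorted(report.items()):
        if info["status"] != "OK":
            failures.append(f"{artifact}: no signature")
        elif info["key_id"] not in allowed_key_ids:
            failures.append(f"{artifact}: signed by unexpected key 0x{info['key_id']}")
    return failures


if __name__ == "__main__":
    for problem in gate(parse_report(SAMPLE_LOG), {"5A01BE76E757922C"}):
        print(problem)
```

Pipe the real plugin output into `parse_report` and exit non-zero when `gate` returns anything, so an unsigned or re-signed dependency stops the build instead of scrolling past as a warning.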