If I obtain a release build of a github project from a Maven repository, how can I securely verify that it's the authentic build?

DETAILS

That was my X question. My Y question follows.

Maven's Guide to uploading artifacts to the Central Repository says:

To improve the quality of the Central Repository, we require you to provide PGP signatures for all your artifacts (all files except checksums), and distribute your public key to a key server like http://pgp.mit.edu. Read Working with PGP Signatures for more information.

Should I typically be looking for a PGP signature for the Github project, or for the Github user who made the release, or something else?

  • First see if that project has put these measures in place, or if they have some other similar measure. It will probably be different for each project, unless they are specifically distributing via maven. (some projects are distributed via third parties). Commented Mar 9, 2020 at 22:58
  • If a project signs their artifacts, their web site should publish how to import the public key, and the key signature so that you can verify that it is in fact the same public key. Using that public key, you can verify the signature for any artifact. Commented Mar 10, 2020 at 14:56
  • @BerinLoritsch - so are some github projects distributed via maven not signed? Commented Mar 10, 2020 at 15:03
  • Yes. Not everyone cares, but the ones that do appreciate when artifacts are signed. Commented Mar 10, 2020 at 15:05
  • When I was running one of the Apache Software Foundation projects, we did sign all the artifacts. It's pretty common for ASF products and larger groups like Pivotal to sign their artifacts--it's just harder to find information on the public key these days. It's those smaller teams that don't always have the PGP infrastructure. Commented Mar 10, 2020 at 15:07

2 Answers

In the end, I did not download the binary I wanted from a Maven repository.

Instead, I downloaded the source code as a release artifact from github, and used Maven to build the binary I wanted, automatically downloading dependencies needed during compilation.

$ mvn package

You can also try pgpverify-maven-plugin in order to validate pgp signatures of all your project dependencies.

  • As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. Commented Jan 24, 2022 at 12:39
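The question asks how to verify a Central artifact securely, and the comments above it spell out the two pieces a verifier needs: the project's published key fingerprint, and the detached signature that Central requires next to every artifact. The following Python is an added example written for this page; it is not code from the question, the answers, or the pgpverify-maven-plugin. It assumes the standard Maven repository layout (groupId as a path, then artifactId, version, and `artifactId-version.jar` with `.asc` and `.sha1` beside it), uses the `[GNUPG:] VALIDSIG` status line that `gpg --status-fd` emits for a good signature, and pins the signer to a fingerprint the verifier obtained out of band. The key fingerprints and the status line in `SAMPLE_STATUS` are constructed sample values, not any real project's key.

```python
"""Verify a Maven Central artifact: published checksum plus a pinned PGP signer.

Added example for this page; assumes the standard Maven repository layout and
gpg's machine-readable --status-fd output. Fingerprints below are constructed.
"""
import hashlib
import subprocess
from pathlib import Path


def central_paths(group: str, artifact: str, version: str, packaging: str = "jar") -> dict:
    """Repository-relative paths for the artifact and the files Central publishes beside it.

    Central requires the detached PGP signature (.asc); the .sha1 is a
    transport-integrity check only and says nothing about who built the file.
    """
    base = f"{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.{packaging}"
    return {"artifact": base, "signature": base + ".asc", "sha1": base + ".sha1"}


def checksum_matches(data: bytes, published: str, algo: str = "sha1") -> bool:
    """Compare data against a Maven checksum file.

    Checksum files contain either the bare hex digest or 'digest  filename';
    the digest case is not normalised by every tool, so compare lower-case.
    """
    expected = published.strip().split()[0].lower()
    return hashlib.new(algo, data).hexdigest() == expected


def signer_fingerprint(status_lines) -> "str | None":
    """Return the primary-key fingerprint from a VALIDSIG status line, or None.

    VALIDSIG fields: signing-key fpr, creation date, timestamp, expiry, sig
    version, reserved, pubkey algo, hash algo, sig class, primary-key fpr.
    The primary fingerprint is last, so subkey rotation does not break pinning.
    """
    for line in status_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return parts[-1].upper()
    return None  # BADSIG, NO_PUBKEY, ERRSIG or no signature at all


def signature_trusted(status_lines, pinned_fingerprint: str) -> bool:
    """A valid signature only counts if it was made by the key we pinned.

    gpg exits 0 for a good signature from *any* imported key, even one with
    undefined trust, so the exit code alone is not a sufficient check.
    """
    pinned = pinned_fingerprint.replace(" ", "").upper()
    fpr = signer_fingerprint(status_lines)
    return fpr is not None and fpr == pinned


def verify_artifact(jar: Path, asc: Path, sha1_text: str, pinned_fingerprint: str) -> bool:
    """Full check on downloaded files: checksum first, then pinned signature.

    Requires gpg on PATH with the project's public key already imported.
    """
    if not checksum_matches(jar.read_bytes(), sha1_text):
        return False
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", str(asc), str(jar)],
        capture_output=True, text=True, check=False,
    )
    return signature_trusted(proc.stdout.splitlines(), pinned_fingerprint)


# Constructed sample of what gpg prints on --status-fd for a good signature.
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz0 2020-03-09 1583794680",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Project <release@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2020-03-09 "
    "1583794680 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

if __name__ == "__main__":
    print(central_paths("org.apache.commons", "commons-lang3", "3.12.0"))
    print("signer:", signer_fingerprint(SAMPLE_STATUS))
    print("pinned ok:", signature_trusted(
        SAMPLE_STATUS, "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"))
```

The important design choice is the last line of `signature_trusted`: the `TRUST_UNDEFINED` line in the sample shows the situation a fresh keyring is always in, and gpg still reports the signature as good. Obtaining a key from a key server, as the quoted guide suggests, proves only that some key with that ID exists; the fingerprint you pin has to come from the project's own site or release notes, which is the comparison the second comment above describes.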