在基于Maven POM的自动构建系统中验证依赖项的真实性 [英] Verification of dependency authenticity in Maven POM based automated build systems

查看:106
本文介绍了在基于Maven POM的自动构建系统中验证依赖项的真实性的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

刚才我指向了关于安全性的非常有趣的文章问题称为交叉生成注入(XBI).基本上来说,这是走私错误代码的奇特名称通过自动构建系统(例如ant,maven或ivy)在构建时将其导入到应用程序中.

I was just pointed to a very interesting article about a security problem called Cross Build Injection (XBI). Bascially it is a fancy name for smuggling bad code into an application at build time via automated build systems such as ant, maven or ivy.

可以通过引入依赖项的加密签名验证来缓解此问题,因为当前它已在许多用于下载软件包的操作系统中使用.

The problem could be alleviated by introducing a cryptographic signature validation für dependencies as it is currently in place with many operating systems for downloading packages.

要明确:我不是在谈论为工件提供md5或sha1散列.这已经完成了,但是这些散列与工件被存储在相同的位置.因此,一旦恶意黑客入侵了存储库并可以替换工件,他们也可以替换哈希.

To be clear: I am not talking about simply providing md5 or sha1 hashes for the artifacts. That is already done, but those hashes are stored in the same location as the artifacts. So once a malicious hacker compromises the repository and can replace the artifact they can replace the hashes as well.

因此,迫切需要的是某种PKI,它使开发人员可以对其工件进行签名,并通过maven来验证这些签名.由于签名是使用开发人员的私钥完成的,因此只有存储库受到破坏时,才能对其进行篡改.

So what is acutally needed is some kind of PKI, that allows the developers to sign their artifacts and maven to verify these signatures. Since the signature is done using the private key of the developer it cannot be tampered with when only the repository is compromised.

有人知道Maven中的状态吗?

Does anyone know the state of this in maven?

推荐答案

更新:以下提到的校验和确实仅用于完整性检查,并且确实与工件一起存储,因此它们不回答问题.

Update: The checksums mentioned below are indeed only for integrity checks and are indeed stored with the artifacts so they don't answer the question.

实际上,需要使用PGP对工件进行签名以将其上载到与中央同步的存储库( Maven GPG插件可以帮助完成此步骤).要在下载时验证签名,请使用支持此功能的存储库管理器.来自如何使用Maven生成PGP签名:

Actually, one need to sign artifacts using PGP to upload them to a repository that is synced with central (the Maven GPG Plugin can help for this step). To verify signatures at download time, you are invited to use a repository manager supporting this feature. From How to Generate PGP Signatures with Maven:

如果您使用下载的工具Central Maven的文物存储库,您需要确保您正在努力验证这些工件具有有效的PGP可以验证的签名公钥服务器.如果你不这样做验证签名,那么您就没有保证你是什么下载是原始的工件.一种验证签名的方法工件是使用存储库Nexus Professional之类的经理.在您可以配置的Nexus专业版采购套件检查每个已下载有效PGP的工件签名并验证签名针对公共密钥服务器.

If you use a tool that downloads artifacts from the Central Maven repository, you need to make sure that you are making an effort to validate that these artifacts have a valid PGP signature that can be verified against a public key server. If you don’t validate signatures, then you have no guarantee that what you are downloading is the original artifact. One way to to verify signatures on artifacts is to use a repository manager like Nexus Professional. In Nexus Professional you can configure the procurement suite to check every downloaded artifact for a valid PGP signature and validate the signature against a public keyserver.

如果您正在使用以下软件开发软件Maven,您应该生成一个PGP发布的签名.发行有效的软件签名意味着您的客户可以验证软件工件由原始作者生成并且它没有被修改在途的任何人.大型OSS像Apache软件一样伪造基金会要求所有项目必须由发布经理发布,该发布经理的密钥已由其他成员签名的组织,如果你想同步您的软件工件到Maven Central,您需要提供pgp签名.

If you are developing software using Maven, you should generate a PGP signature for your releases. Releasing software with valid signatures means that your customers can verify that a software artifact was generated by the original author and that it hasn’t been modified by anyone in transit. Most large OSS forges like the Apache Software Foundation require all projects to be released by a release manager whose key has been signed by other members of the organization, and if you want to synchronize your software artifacts to Maven central you are required to provide pgp signatures.

另请参见

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆