3
votes

I have done some research on the Maven Central Repository security, especially the Cross Build Injection attack (XBI). I read a few links, which I listed below:

http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven/

http://maven.apache.org/guides/mini/guide-central-repository-upload.html

Verification of dependency authenticity in Maven POM based automated build systems

Here are the key points I understand:

  1. All uploads to the Central repository require the artifacts to be signed with a PGP private key owned by the release manager of the open source project.
  2. The public key should be submitted to a key server such as the MIT key server.
  3. Manual verification of the downloaded artifacts is cumbersome.
  4. A repository manager such as Nexus Pro provides a feature to auto-verify the signatures of downloaded artifacts.

However, how does Nexus Pro do automatic verification? Does Nexus maintain a repository of the PGP key IDs of all the open source projects that Maven Central hosts? Does Sonatype verify and sign the PGP public keys that open source projects upload to the key server? Does anyone know the internals?

1 Answer

0
votes

All the GPG keys are available on public key servers, and Nexus verifies against those for each downloaded component. Each upload to Central requires a known, registered and approved key.

More details about the process are at https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide
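An added example, not taken from the question or the answer above, that does by hand what the answer describes Nexus doing per component: fetch the artifact's detached `.asc` from Central, pull the key named in the signature from a key server into a throwaway keyring, verify, and optionally check the key against a fingerprint you already trust (a key-server lookup by key ID alone only proves that some key on the server matches the signature). It assumes `curl` and `gpg` are installed; the key server URL and the sample coordinates in the trailing comment are my own choices.

```shell
#!/bin/sh
# Added example, not part of the question or answer: manual verification of a
# Maven Central artifact. Assumes curl and gpg are installed; the key server
# below is an assumption, any HKP server that mirrors the signer's key works.
set -eu

CENTRAL="https://repo1.maven.org/maven2"
KEYSERVER="hkps://keyserver.ubuntu.com"

# Map groupId:artifactId:version to the repository path of the .jar
artifact_path() {
  gav=$1
  group=${gav%%:*}; rest=${gav#*:}
  artifact=${rest%%:*}; version=${rest#*:}
  printf '%s/%s/%s/%s-%s.jar' "$(printf '%s' "$group" | tr . /)" \
    "$artifact" "$version" "$artifact" "$version"
}

# Long key ID named inside a detached signature (no verification yet)
signing_keyid() {
  gpg --batch --list-packets "$1" 2>/dev/null \
    | sed -n 's/.*keyid \([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# verify_artifact GAV [EXPECTED_FINGERPRINT]
# The fingerprint is optional but is the step that makes the key-server lookup
# meaningful: the key ID in the signature only tells gpg which key to fetch,
# not whether that key really belongs to the project's release manager.
verify_artifact() {
  gav=$1; expected_fpr=${2:-}
  path=$(artifact_path "$gav")
  tmp=$(mktemp -d)            # isolated GNUPGHOME: local trust does not leak in
  curl -fsSL -o "$tmp/a.jar"     "$CENTRAL/$path"
  curl -fsSL -o "$tmp/a.jar.asc" "$CENTRAL/$path.asc"
  keyid=$(signing_keyid "$tmp/a.jar.asc")
  gpg --batch --homedir "$tmp" --keyserver "$KEYSERVER" --recv-keys "$keyid"
  gpg --batch --homedir "$tmp" --verify "$tmp/a.jar.asc" "$tmp/a.jar"
  if [ -n "$expected_fpr" ]; then
    gpg --batch --homedir "$tmp" --with-colons --fingerprint "$keyid" \
      | grep -q "^fpr:.*:$expected_fpr:" \
      || { echo "key $keyid does not match pinned fingerprint" >&2; rm -rf "$tmp"; return 1; }
  fi
  rm -rf "$tmp"
  echo "OK: $gav signed by $keyid"
}

# Usage (sample coordinates): verify_artifact org.apache.commons:commons-lang3:3.12.0 <FINGERPRINT>
```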