11
votes

Sonatype requires the (non-SNAPSHOT version) artifacts to be GPG-signed; the public OpenPGP keys should be uploaded to a (MIT) key server.

But anyone can create any OpenPGP key with any name and e-mail and upload them to the key server. There is (as far as I know; or am I wrong?) no automatic mechanism in place to associate a particular software project/library with a particular public key. Sure, if anyone wants to check the authenticity of the artifacts, one can always request the public key from the software authors, or perhaps the key is already published somewhere (in a way that associates it with the particular software project); but since this cannot be done automatically, hardly anyone ever does it.

So it seems that the whole OpenPGP-signing procedure, also by being quite technical and time-consuming, serves more to instill a false sense of security than actually providing much security to the average user.

So shouldn't there be an automatic/streamlined way to associate software projects with OpenPGP keys to make the whole thing actually secure?

1
Signing artifacts is only the first step. What is missing is that a Maven dependency definition also includes information about how to verify the dependency's artifact(s): either the hash or the expected OpenPGP keys used to sign the artifact. See also stackoverflow.com/a/34795359/194894 and MNG-6026. – Flow

1 Answer

4
votes

Applying OpenPGP signatures allows others to verify authorship through the web of trust. As this is indeed a rather complicated approach with a rather steep learning curve, it is not enforced by default.

Sander Mak wrote an excellent introduction about verification of OpenPGP signatures in Maven. Sadly, he does not show a better way of performing automatic verification other than using commercial software as a Maven Central proxy:

Automatic verification?

By now, you must be thinking 'that is an awful lot of work just to verify a single dependency'. And you're absolutely right. Applications typically use many dependencies, and checking them all by hand quickly becomes tedious. In my opinion, there is a huge opportunity for Maven-based build tools to support automatic PGP signature verification. Until that is the case though, you can also use Sonatype's Nexus repository manager as a proxy to Maven Central. It can automatically check the PGP signatures for proxied artifacts and refuse to serve them when the signature check fails. Unfortunately, this is only possible using the commercial version Nexus Pro, not with the open source version.

I recently came across a rather new project, the Verify PGP signatures plugin (code on GitHub), which is a Maven plugin to verify the OpenPGP signatures of other artifacts and lets you whitelist the keys allowed to sign given artifacts.
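The key-pinning check that such a plugin performs can be sketched in standard-library Python. The following is an added example, not code from this page, from the plugin or from Sander Mak's post: it dearmors a detached `.asc` file of the kind Maven Central serves next to each jar, parses the RFC 4880 signature packet to find the issuer fingerprint (or, failing that, the 64-bit key ID), and checks it against a per-artifact set of pinned fingerprints while rejecting MD5/SHA-1 digests. It deliberately does not verify the signature mathematically; that step still belongs to `gpg --verify foo.jar.asc foo.jar` with the pinned key imported. The artifact coordinates, the allow-list and the sample signature (a well-formed packet with a junk MPI) are constructed for the example.

```python
import base64

def crc24(data: bytes) -> int:                       # RFC 4880 6.1, the '=XXXX' armor checksum
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:                  # strip ASCII armor, verify the CRC line
    lines = [l.strip() for l in armored.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN PGP SIGNATURE-----":
        raise ValueError("not an ASCII-armored PGP signature")
    start = lines.index("") + 1                      # armor headers end at the blank line
    end = lines.index("-----END PGP SIGNATURE-----")
    body = [l for l in lines[start:end] if not l.startswith("=")]
    crc = [l[1:] for l in lines[start:end] if l.startswith("=")]
    data = base64.b64decode("".join(body), validate=True)
    if crc and crc24(data) != int.from_bytes(base64.b64decode(crc[0]), "big"):
        raise ValueError("armor CRC-24 mismatch: signature file is corrupt")
    return data

def _packet(data: bytes):                            # (tag, body) of the first packet
    first = data[0]
    if not first & 0x80: raise ValueError("malformed packet header")
    if first & 0x40:                                 # new format (RFC 4880 4.2.2)
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            length, off = l0, 2
        elif l0 < 224:
            length, off = ((l0 - 192) << 8) + data[2] + 192, 3
        elif l0 == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not valid for signatures")
    else:                                            # old format (RFC 4880 4.2.1), what gpg emits
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3: raise ValueError("indeterminate packet length not supported")
        length, off = int.from_bytes(data[1:1 + (1 << ltype)], "big"), 1 + (1 << ltype)
    return tag, data[off:off + length]

def _subpackets(blob: bytes) -> dict:                # {type: payload}, RFC 4880 5.2.3.1
    out, i = {}, 0
    while i < len(blob):
        l0 = blob[i]
        if l0 < 192:
            length, i = l0, i + 1
        elif l0 < 255:
            length, i = ((l0 - 192) << 8) + blob[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(blob[i + 1:i + 5], "big"), i + 5
        out[blob[i] & 0x7F] = blob[i + 1:i + length]   # length covers the type octet
        i += length
    return out

def signature_info(sig: bytes) -> dict:
    """Signer identity and algorithms of a v4 signature packet; no cryptographic check."""
    tag, body = _packet(sig)
    if tag != 2 or body[0] != 4: raise ValueError("expected a version-4 signature packet")
    hl = int.from_bytes(body[4:6], "big")
    hashed = _subpackets(body[6:6 + hl])
    ul = int.from_bytes(body[6 + hl:8 + hl], "big")
    unhashed = _subpackets(body[8 + hl:8 + hl + ul])
    key_id = hashed.get(16) or unhashed.get(16)      # Issuer key ID, normally unhashed
    fpr = hashed.get(33)                             # Issuer Fingerprint: 0x04 + 20 bytes
    return {"pubkey_algo": body[2], "hash_algo": body[3],
            "key_id": key_id.hex().upper() if key_id else None,
            "fingerprint": fpr[1:].hex().upper() if fpr and fpr[0] == 4 and len(fpr) == 21 else None}

def signer_allowed(coordinates: str, info: dict, allowed: dict) -> bool:
    """True only for a key pinned to this artifact using a non-deprecated digest."""
    if info["hash_algo"] in {1, 2}:                  # MD5, SHA-1 (RFC 4880 9.4 IDs)
        return False
    pinned = allowed.get(coordinates, set())
    if info["fingerprint"]:
        return info["fingerprint"] in pinned
    # Fallback: the 64-bit key ID is the low 8 bytes of a v4 fingerprint; weaker, collisions are cheap
    return bool(info["key_id"]) and any(f.endswith(info["key_id"]) for f in pinned)

# Constructed sample: placeholder fingerprint and a well-formed packet with a junk MPI (parses, never verifies)
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
ALLOWED = {"org.example:widget": {SAMPLE_FPR}}     # hypothetical groupId:artifactId -> pinned keys

def _sub(sp_type: int, payload: bytes) -> bytes:
    return bytes([len(payload) + 1, sp_type]) + payload

def build_sample_signature() -> str:
    fpr = bytes.fromhex(SAMPLE_FPR)
    hashed = _sub(33, b"\x04" + fpr) + _sub(2, (1700000000).to_bytes(4, "big"))
    unhashed = _sub(16, fpr[-8:])
    body = (bytes([4, 0x00, 1, 8])                   # v4, binary-document sig, RSA, SHA-256
            + len(hashed).to_bytes(2, "big") + hashed + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\x12\x34" + b"\x00\x10\xab\xcd")     # hash prefix + placeholder MPI
    packet = bytes([0xC2, len(body)]) + body         # new-format header, tag 2
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(packet).decode()
            + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n")
```

In a build the allow-list would be committed alongside the POM, like the plugin's key map, and an artifact whose signing key is not pinned should fail the build: that is exactly what stops the attack the question describes, a fresh key with the right name uploaded to a key server, because the attacker's key is never in the list. Pin full fingerprints rather than key IDs; the fallback branch exists only for signatures that carry no Issuer Fingerprint subpacket.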