WrenSecurity / wrensec-parent

Parent POM for Maven based Wren Security projects.
http://wrensecurity.org

pgpverify verification does not work with proxies #6

Closed Kortanul closed 3 years ago

Kortanul commented 7 years ago

Summary

pgpverify-maven-plugin is unable to retrieve the Wren trusted keys list when the local machine is behind a proxy, even when Maven is configured to use the proxy.

Steps

  1. Check out Wren:DS (or any Wren project that inherits from wrensec-parent) on a machine that's behind a proxy.
  2. Ensure Maven is configured to use the proxy (via ~/.m2/settings.xml).
  3. Run mvn clean install in the root of the checked-out project.

Expected

Project builds without issue.

Current

Build fails with a failure to resolve wrensecurity.org:

[DEBUG]   (f) project = MavenProject: org.forgerock.opendj:opendj-server-parent:3.0.0 @ wrends/pom.xml
[DEBUG]   (f) scope = test
[DEBUG]   (f) session = org.apache.maven.execution.MavenSession@704b2127
[DEBUG]   (f) verifyPomFiles = true
[DEBUG] -- end configuration --
[DEBUG] The resource 'http://wrensecurity.org/trustedkeys.properties' was not found with resourceLoader org.codehaus.plexus.resource.loader.JarResourceLoader.
[DEBUG] The resource 'http://wrensecurity.org/trustedkeys.properties' was not found with resourceLoader org.codehaus.plexus.resource.loader.FileResourceLoader.
[DEBUG] The resource 'http://wrensecurity.org/trustedkeys.properties' was not found with resourceLoader org.codehaus.plexus.resource.loader.ThreadContextClasspathResourceLoader.
[DEBUG] URLResourceLoader: Exception when looking for 'http://wrensecurity.org/trustedkeys.properties
java.net.UnknownHostException: wrensecurity.org
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at java.net.Socket.connect(Socket.java:538)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:180)

Workarounds

Kortanul commented 7 years ago

Issue filed with pgpverify: https://github.com/s4u/pgpverify-maven-plugin/issues/24

We may be able to fix it in our fork of it.

Kortanul commented 6 years ago

As of 2.2.0, this issue should now be resolved -- we're now putting the PGP whitelist in a Maven artifact that should be proxy-friendly.

Kortanul commented 6 years ago

Per comment from @siepkes in https://github.com/WrenSecurity/wrends/pull/24, this is still an issue for the GPG signature requests. Re-opening.

I believe we can provide a documented workaround for this issue. Ideally we'd pull the HTTP proxy from Maven, but I remember this not being straightforward.

pavelhoral commented 3 years ago

This should be fixed in upstream - https://www.simplify4u.org/pgpverify-maven-plugin/check-mojo.html#proxyName and we are already using the latest version of the plugin.
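
Added example, not part of the thread or of the Wren Security project's own configuration: how the Maven proxy from step 2 could be tied to the plugin's proxyName parameter linked above. It assumes proxyName takes the id of a proxy defined in settings.xml and that the build uses the upstream plugin coordinates; the proxy id, host, port and nonProxyHosts values are placeholders.

```xml
<!-- ~/.m2/settings.xml (fragment): the proxy Maven itself already uses.
     id, host, port and nonProxyHosts are placeholder values. -->
<settings>
  <proxies>
    <proxy>
      <id>corp-proxy</id>
      <active>true</active>
      <protocol>http</protocol>
      <host>proxy.example.internal</host>
      <port>3128</port>
      <nonProxyHosts>localhost|*.example.internal</nonProxyHosts>
    </proxy>
  </proxies>
</settings>

<!-- pom.xml of the project being built (fragment).
     Assumption: the plugin version is managed by the inherited parent POM,
     so none is given here. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.simplify4u.plugins</groupId>
      <artifactId>pgpverify-maven-plugin</artifactId>
      <configuration>
        <!-- Assumption: must match the <id> of the proxy entry above, so
             that PGP key lookups go through the same proxy as artifact
             downloads instead of attempting a direct connection. -->
        <proxyName>corp-proxy</proxyName>
      </configuration>
    </plugin>
  </plugins>
</build>
```

After the change, a run of mvn -X clean install should no longer show the java.net.UnknownHostException from the log above during the verification step.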